CVE-2024-40972

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-40972

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40972.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-40972

Downstream

BELL-CVE-2024-40972

DEBIAN-CVE-2024-40972

DLA-4008-1

DSA-5782-1

OESA-2024-1941

OESA-2024-1942

OESA-2024-1943

RHSA-2024:7000

RHSA-2024:7001

RHSA-2024:8617

RLSA-2024:7000

SUSE-SU-2024:2802-1

SUSE-SU-2024:2894-1

SUSE-SU-2024:2896-1

SUSE-SU-2024:2939-1

SUSE-SU-2024:2947-1

SUSE-SU-2024:2973-1

UBUNTU-CVE-2024-40972

USN-6999-1

USN-6999-2

USN-7004-1

USN-7005-1

USN-7005-2

USN-7008-1

USN-7029-1

Related

Published

2024-07-12T13:15:18Z

Modified

2025-08-09T20:01:27Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: do not create EA inode under buffer lock

ext4xattrsetentry() creates new EA inodes while holding buffer lock on the external xattr block. This is problematic as it nests all the allocation locking (which acquires locks on other buffers) under the buffer lock. This can even deadlock when the filesystem is corrupted and e.g. quota file is setup to contain xattr block as data block. Move the allocation of EA inode out of ext4xattrsetentry() into the callers.

References

Affected packages