CVE-2024-40972: ext4: do not create EA inode under buffer lock

Published Jul 12, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

ext4: do not create EA inode under buffer lock

ext4xattrsetentry() creates new EA inodes while holding buffer lock on the external xattr block. This is problematic as it nests all the allocation locking (which acquires locks on other buffers) under the buffer lock. This can even deadlock when the filesystem is corrupted and e.g. quota file is setup to contain xattr block as data block. Move the allocation of EA inode out of ext4xattrsetentry() into the callers.

Affected Software

11 affected componentsFixes available
redhat/kernel<6.9.7
6.9.7
redhat/kernel<6.10
6.10
Linux Linux kernel<6.1.107
Linux Linux kernel>=6.2<6.6.47
Linux Linux kernel>=6.7<6.9.7
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux<=5.10.223-1, <=5.10.234-1
6.1.129-16.1.135-16.12.25-1
debian/linux-6.1
6.1.129-1~deb11u1

Remediation

Patch Available

https://git.kernel.org/stable/c/0752e7fb549d90c33b4d4186f11cfd25a556d1dd

Patch Available

https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b

Patch Available

https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752

Patch Available

https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1

Event History

Jul 12, 2024
CVE Published
via MITRE·12:32 PM
Data Sourced
via MITRE·12:32 PM
Description
Data Sourced
via NVD·01:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Apr 27, 2025
Data Sourced
via Ubuntu·06:15 PM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-40972?

CVE-2024-40972 has been assigned a medium severity, indicating a moderate impact on systems in which it exists.

2

How do I fix CVE-2024-40972?

To fix CVE-2024-40972, update the Linux kernel to versions 6.9.7, 6.10, or apply the indicated patches for the affected distributions.

3

Which Linux kernel versions are affected by CVE-2024-40972?

CVE-2024-40972 affects Linux kernel versions prior to 6.9.7 and certain earlier 6.x versions.

4

Is CVE-2024-40972 exploitable remotely?

Currently, there is no information indicating that CVE-2024-40972 is remotely exploitable.

5

What type of vulnerability is CVE-2024-40972?

CVE-2024-40972 is a vulnerability in the ext4 filesystem related to inode handling under buffer locks.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203