CVE-2024-50273

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Nov 19, 2024
Updated: Nov 27, 2024
CWE ID 908

Summary

CVE-2024-50273 is a vulnerability affecting the Linux kernel's btrfs file system. The issue lies in the function `insert_delayed_ref()`, where a ref's add_list member is not properly reinitialized after being deleted from the list. This leaves the list in an invalid state, leading to a crash when `drop_delayed_ref()` is later called. The crash can result in either invalid pointer dereferences or a splat if certain kernel configurations are in place. The vulnerability can be exploited during merging or when destroying delayed refs due to a transaction abort. The issue has been resolved by changing the deletion method from `list_del()` to `list_del_init()` to ensure proper list initialization.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share