CVE-2024-42314 Overview
CVE-2024-42314 is a use-after-free vulnerability [CWE-416] in the Btrfs filesystem code of the Linux kernel. The flaw resides in the add_ra_bio_pages() function, which accesses an extent map structure after dropping its reference. A local authenticated attacker can trigger the dangling pointer access while reading compressed data, leading to memory corruption inside the kernel.
The issue affects multiple stable Linux kernel branches and Debian Linux 11. Upstream maintainers resolved the defect by computing add_size before releasing the extent map reference.
Critical Impact
Local exploitation can corrupt kernel memory, enabling privilege escalation, denial of service, or disclosure of sensitive kernel data on systems using Btrfs with compressed extents.
Affected Products
- Linux kernel (multiple stable branches prior to the fix commits)
- Debian Linux 11 (Bullseye)
- Any distribution using Btrfs with read-ahead on compressed extents
Discovery Timeline
- 2024-08-17 - CVE-2024-42314 published to the National Vulnerability Database (NVD)
- 2025-01 - Debian LTS advisory published for affected Debian 11 kernels
- 2026-03-27 - Last updated in NVD database
Technical Details for CVE-2024-42314
Vulnerability Analysis
The defect lives in the Btrfs compressed read path. Within add_ra_bio_pages(), the kernel uses an extent_map structure to determine how many bytes from the compressed extent to attach to the read-ahead bio. The original code dropped the reference count on the extent map by calling free_extent_map() before computing add_size. After the reference is released, the extent map can be freed by another thread that holds the last reference, leaving the local pointer dangling.
When execution then dereferences fields such as the extent length to compute add_size, the kernel reads memory that may already be reused. The result is undefined behavior ranging from incorrect bio sizing to controlled kernel memory disclosure or corruption. Successful exploitation requires local access and the ability to read from a Btrfs filesystem containing compressed extents, which is the default behavior when compression is enabled on a mount.
The upstream fix relocates the add_size calculation so that all fields are read from the extent map while the reference is still held. Only after the value is captured does the code call free_extent_map(). This eliminates the window in which another task can free the structure underneath the reader.
Root Cause
The root cause is improper lifetime management of a reference-counted object. Code dereferenced fields of extent_map after free_extent_map() decremented its reference count, violating the invariant that an object must not be accessed after the caller has released its hold on it.
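The ordering problem described above, as an added userspace model in C; it is not the kernel source or the upstream patch. The names em_model, em_lookup, em_put and EM_POISON and the sizing expression are assumptions of the model, and the object sits in a static slot so the stale read returns a poison pattern instead of touching freed memory.

```c
#include <stdint.h>

/* Userspace model with hypothetical names, not kernel code. The object
 * lives in a static slot, so reading it after "free" is well-defined
 * here and returns the poison pattern instead of crashing. */
#define EM_POISON 0x6b6b6b6b6b6b6b6bULL /* constructed poison value */

struct em_model { int refs; uint64_t start, len; };
static struct em_model slot;

/* Lookup returns the object with two references: cache + caller. */
static struct em_model *em_lookup(uint64_t start, uint64_t len)
{
    slot = (struct em_model){ .refs = 2, .start = start, .len = len };
    return &slot;
}

/* Drop one reference; the last put frees (here: poisons) the object. */
static void em_put(struct em_model *em)
{
    if (--em->refs == 0)
        em->start = em->len = EM_POISON;
}

static uint64_t min_u64(uint64_t a, uint64_t b) { return a < b ? a : b; }

/* Pre-fix ordering: put first, then read fields through a stale pointer. */
uint64_t add_size_before_fix(uint64_t start, uint64_t len,
                             uint64_t cur, uint64_t page_end)
{
    struct em_model *em = em_lookup(start, len);
    em_put(em);  /* caller's reference released too early */
    em_put(em);  /* models another task dropping the last reference */
    return min_u64(em->start + em->len, page_end + 1) - cur;
}

/* Fixed ordering: compute add_size while the caller's reference is held. */
uint64_t add_size_after_fix(uint64_t start, uint64_t len,
                            uint64_t cur, uint64_t page_end)
{
    struct em_model *em = em_lookup(start, len);
    em_put(em);  /* other task drops its reference; object stays alive */
    uint64_t add_size = min_u64(em->start + em->len, page_end + 1) - cur;
    em_put(em);  /* caller's put is now the last access */
    return add_size;
}
```

With the constructed inputs (extent covering bytes 0 to 2047, page ending at 4095) the fixed ordering yields 2048, while the pre-fix ordering yields 4096, an add_size larger than the extent itself.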
Attack Vector
The attack vector is local. A user with permission to read from a Btrfs volume containing compressed extents can trigger the read-ahead path. Concurrent filesystem activity that evicts the extent map while the compressed read is in progress can hit the use-after-free window. No user interaction is required beyond initiating the read.
No verified public proof-of-concept code is available. The vulnerability is described in prose only — see the linked kernel commits for the corrected source.
Detection Methods for CVE-2024-42314
Indicators of Compromise
- Kernel oops or general protection fault messages referencing add_ra_bio_pages, btrfs_submit_compressed_read, or free_extent_map in dmesg
- KASAN use-after-free reports against extent_map slab objects when KASAN is enabled
- Unexpected process crashes or kernel panics on hosts running Btrfs with compress or compress-force mount options
Detection Strategies
- Inventory running kernel versions with uname -r across the fleet and check whether each build includes the fix commits 8e7860543a94, b7859ff398b6, c1cc3326e27b, and c205565e0f2f
- Enable kernel address sanitizer (KASAN) in test environments to catch use-after-free conditions in Btrfs read paths before production exposure
- Monitor system logs for repeated Btrfs-related call traces, which can indicate exploitation attempts or stability issues
Monitoring Recommendations
- Forward kern.log and journalctl -k output to a centralized log platform and alert on Btrfs stack traces
- Track auditd events for users performing large or unusual read operations on Btrfs volumes with compression enabled
- Baseline kernel crash frequency per host and alert on deviations
How to Mitigate CVE-2024-42314
Immediate Actions Required
- Apply the vendor kernel update on every host running an affected version, prioritizing systems where Btrfs compression is in use
- Reboot patched hosts to load the corrected kernel image, since live patching may not cover this code path on all distributions
- Restrict local shell access on multi-tenant systems until patches are deployed
Patch Information
The fix is committed upstream and backported to stable trees. Reference the following commits: 8e7860543a94784d744c7ce34b78a2e11beefa5c, b7859ff398b6b656e1689daa860eb34837b4bb89, c1cc3326e27b0bd7a2806b40bc48e49afaf951e7, and c205565e0f2f439f278a4a94ee97b67ef7b56ae8. Debian users should install the kernel update described in the Debian LTS Announcement. Commit details are available in the Linux Kernel Stable Tree.
Workarounds
- Where patching is not yet possible, remove the compress and compress-force options from /etc/fstab and remount the affected volumes without compression
- Limit untrusted local accounts on hosts that mount Btrfs volumes with compression enabled
- Migrate critical data to an alternative filesystem such as ext4 or XFS on systems that cannot be patched promptly
# Verify running kernel and Btrfs mount options
uname -r
mount | grep btrfs
# Example: remount a Btrfs volume without compression as a temporary workaround
mount -o remount,compress=no /mnt/data