Cyber Resilience

CVE-2024-57929

HighUpdated

Published: 19 January 2025

Published
19 January 2025
Modified
12 May 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0002 6.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57929 is a high-severity Operation on a Resource after Expiration or Release (CWE-672) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57929 is a vulnerability in the Linux kernel's device-mapper (dm) array module, specifically affecting the dm_array_cursor_end() function. When dm_bm_read_lock() fails due to locking or checksum errors—such as on a faulty array block—it implicitly releases the block while leaving an invalid pointer. The dm_array_cursor incorrectly caches this invalid dm_block pointer, leading to a double release during dm_array_cursor_end() and triggering a BUG_ON() in the dm-bufio cache_put() at drivers/md/dm-bufio.c:638. This issue manifests in dm-cache metadata operations, as demonstrated by reproducer steps involving initialization of a cache device, offline wiping of a specific array block, and reopening the device.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) in a local scope (AV:L/S:U). By corrupting specific metadata blocks, such as the second array block in a dm-cache setup, the attacker triggers the faulty read, invalid pointer caching, and subsequent double release. This results in a kernel BUG and system crash, achieving high availability impact (A:H) and high confidentiality impact (C:H) per the CVSS 3.1 score of 7.1, with no integrity impact (I:N) and mapping to CWE-672.

The referenced kernel stable commits provide the fix by setting the cached block pointer to NULL upon errors in dm_bm_read_lock() failures, preventing the double release. These patches are available at git.kernel.org/stable for backported kernels: 017c4470bff5, 6002bec5354f, 738994872d77, 9c7c03d0e926, and e477021d252c. The fix can be verified using the dm-unit test "array_cursor/damaged".

No real-world exploitation is reported, and the vulnerability is verifiable via provided reproducer steps or dm-unit testing on affected kernels.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in dm_array_cursor_end When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid…

more

output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put(). Reproduce steps: 1. initialize a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. wipe the second array block offline dmsteup remove cache cmeta cdata corig mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock 3. try reopen the cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) device-mapper: array: array_block_check failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: get_ablock failed device-mapper: cache metadata: dm_array_cursor_next for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638! Fix by setting the cached block pointer to NULL on errors. In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel vulnerability triggers double-free/BUG leading to system crash, directly enabling Endpoint DoS via system exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23388Same product: Linux Linux Kernel
CVE-2026-23242Same product: Linux Linux Kernel
CVE-2026-22991Same product: Linux Linux Kernel
CVE-2025-21717Same product: Linux Linux Kernel
CVE-2026-23459Same product: Linux Linux Kernel
CVE-2026-31640Same product: Linux Linux Kernel
CVE-2026-31739Same product: Linux Linux Kernel
CVE-2024-56772Same product: Linux Linux Kernel
CVE-2026-23095Same product: Linux Linux Kernel
CVE-2026-31417Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.13 · 4.9 — 5.4.290 · 5.5 — 5.10.234 · 5.11 — 5.15.177

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely patching of the Linux kernel flaw remediates the invalid pointer caching and double release in dm_array_cursor_end() triggered by dm_bm_read_lock() failures.

prevent

Robust error handling prevents caching and subsequent use of invalid dm_block pointers after checksum or locking failures in device-mapper array operations.

preventdetect

System memory protection mechanisms mitigate double-free vulnerabilities in kernel dm-bufio by detecting invalid memory accesses during cache_put().

References