CVE-2024-26685: nilfs2: fix potential bug in end_buffer_async_write
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential bug in end_buffer_async_write
According to a syzbot report, end_buffer_async_write(), which handles the
completion of block device writes, may detect abnormal condition of the
buffer async_write flag and cause a BUG_ON failure when using nilfs2.
Nilfs2 itself does not use end_buffer_async_write(). But, the async_write
flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue
with race condition of competition between segments for dirty blocks") as
a means of resolving double list insertion of dirty blocks in
nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the
resulting crash.
This modification is safe as long as it is used for file data and b-tree
node blocks where the page caches are independent. However, it was
irrelevant and redundant to also introduce async_write for segment summary
and super root blocks that share buffers with the backing device. This
led to the possibility that the BUG_ON check in end_buffer_async_write
would fail as described above, if independent writebacks of the backing
device occurred in parallel.
The use of async_write for segment summary buffers has already been
removed in a previous change.
Fix this issue by removing the manipulation of the async_write flag for
the remaining super root block buffer.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel reliability issue in nilfs2. A local user can potentially trigger a kernel BUG condition during writeback, causing system availability impact. The source bundle does not show data theft, privilege escalation, remote access, or confirmed active exploitation.
Executive priority
Handle through normal kernel patch management, with higher priority for multi-user Linux servers where availability matters. This is not shown as remotely exploitable or actively exploited in the provided sources, but it can still cause disruptive local denial of service.
Technical view
The bug involves nilfs2 use of the buffer async_write flag on super root block buffers that share backing-device buffers. Parallel backing-device writeback could make end_buffer_async_write() detect an abnormal async_write state and hit BUG_ON. CVSS rates it local, low complexity, low privilege, no user interaction, availability-only impact.
Likely exposure
Exposure is most relevant to Linux systems running affected kernel versions where nilfs2 is present or used, especially shared or multi-user systems. The bundle lists affected Linux kernel ranges and multiple stable fixes, but does not identify specific distributions beyond Debian LTS advisories.
Exploitation context
The CVSS vector requires local access and low privileges. The provided sources do not indicate remote exploitation or inclusion in CISA KEV. Treat exploitation status as unconfirmed unless your vendor or telemetry shows otherwise.
Researcher notes
Key evidence is the upstream kernel description: nilfs2 reused async_write as a marker, but super root buffers share backing-device buffers, creating a race with independent writeback. The resolved change removes async_write manipulation for the remaining super root block buffer.
Mitigation direction
Update to a vendor kernel containing the relevant stable nilfs2 fix.
Review Debian LTS advisories if running affected Debian kernel packages.
Prioritize multi-user systems where local users can reach filesystem paths.
If no update is available, check vendor guidance before changing nilfs2 configuration.
Validation and detection
Inventory Linux kernel versions against the affected and fixed ranges in the CVE record.
Confirm installed kernel packages include the referenced stable fix commits.
Check whether nilfs2 support is enabled or used on important hosts.
Review kernel logs for BUG_ON or end_buffer_async_write-related crashes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-26685 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.