LiveActive security incident?Get immediate response
CVE Record

CVE-2024-39467: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() syzbot reports a kernel bug as below: F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 ================================================================== BUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline] BUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline] BUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600 Read of size 1 at addr ffff88807a58c76c by task syz-executor280/5076 CPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline] current_nat_addr fs/f2fs/node.h:213 [inline] f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600 f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline] f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925 ioctl_fiemap fs/ioctl.c:220 [inline] do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838 __do_sys_ioctl fs/ioctl.c:902 [inline] __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is we missed to do sanity check on i_xattr_nid during f2fs_iget(), so that in fiemap() path, current_nat_addr() will access nat_bitmap w/ offset from invalid i_xattr_nid, result in triggering kasan bug report, fix it.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-39467 is a Linux kernel F2FS filesystem bug. A missing sanity check on inode extended-attribute metadata can make the kernel read outside an expected memory area during FIEMAP handling. The source shows a syzbot/KASAN crash report, but no CVSS score, CWE, confirmed exploitation, or business impact rating.

Executive priority

Treat as a targeted kernel maintenance item, not an emergency internet-wide issue. Prioritize faster where Linux systems process removable media, disk images, mobile/storage workloads, or untrusted F2FS volumes.

Technical view

In F2FS, sanity_check_inode() did not validate i_xattr_nid during f2fs_iget(). In the fiemap path, f2fs_get_node_info() can derive an invalid NAT bitmap offset from that field, causing a slab out-of-bounds read detected by KASAN. Kernel stable commits add the missing validation.

Likely exposure

Exposure appears limited to Linux systems using or mounting F2FS filesystems. The bundle lists Linux as affected across multiple kernel branches, but does not identify distributions, appliances, or default configurations. Systems that never enable or mount F2FS are less likely to be exposed.

Exploitation context

The evidence is a syzbot-generated kernel bug report on a mounted F2FS loop device. The bundle marks KEV as false and provides no cited evidence of active exploitation, public weaponization, or remote attack paths.

Researcher notes

The source does not assign CVSS or CWE. Impact is inferred only from the reported slab out-of-bounds read and KASAN crash path, so avoid overstating confidentiality, integrity, or availability consequences without vendor confirmation.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable F2FS fixes.
  • Check your Linux distribution advisory for backported fixes and package versions.
  • Avoid mounting untrusted F2FS filesystems until patched.
  • Disable or remove F2FS support where it is not operationally required.

Validation and detection

  • Inventory Linux systems with F2FS support enabled or F2FS volumes mounted.
  • Compare running kernel builds against vendor-fixed package versions or stable fix commits.
  • Review kernel logs for F2FS, KASAN, or FIEMAP-related crash evidence.
  • Confirm patched systems can mount required F2FS volumes without regression.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-39467 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4unaffected
LinuxLinux3.8, 0, 5.4.278, 5.10.219, 5.15.161, 6.1.94, 6.6.34, 6.9.5, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.