LiveActive security incident?Get immediate response
CVE Record

CVE-2024-40971: f2fs: remove clear SB_INLINECRYPT flag in default_options

In the Linux kernel, the following vulnerability has been resolved: f2fs: remove clear SB_INLINECRYPT flag in default_options In f2fs_remount, SB_INLINECRYPT flag will be clear and re-set. If create new file or open file during this gap, these files will not use inlinecrypt. Worse case, it may lead to data corruption if wrappedkey_v0 is enable. Thread A: Thread B: -f2fs_remount -f2fs_file_open or f2fs_new_inode -default_options <- clear SB_INLINECRYPT flag -fscrypt_select_encryption_impl -parse_options <- set SB_INLINECRYPT again

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel flaw affects F2FS inline encryption handling during remount. A timing gap can cause newly opened or created files to skip inline encryption, with reported worst-case data corruption when wrappedkey_v0 is enabled.

Executive priority

Treat this as a targeted kernel maintenance item, not an internet-wide emergency. Prioritize patching where F2FS inline encryption protects business or device data, because the stated worst case is data corruption.

Technical view

In f2fs_remount, default_options clears SB_INLINECRYPT before parse_options sets it again. Concurrent f2fs_file_open or f2fs_new_inode can call fscrypt_select_encryption_impl during that gap and select the wrong encryption implementation.

Likely exposure

Exposure appears limited to Linux systems using F2FS with inline encryption, especially environments enabling wrappedkey_v0 and performing remounts while file activity continues. General Linux systems not using F2FS inline encryption are less likely exposed.

Exploitation context

The source bundle does not show KEV listing or active exploitation. The issue is a race condition during remount, not a described remote attack path. Practical risk is operational integrity and encryption consistency.

Researcher notes

The record lacks CVSS, CWE, and detailed exploitability evidence. Analysis should focus on confirming reachable f2fs_remount paths, SB_INLINECRYPT state transitions, fscrypt selection behavior, and whether vendor kernels backported the stable patches.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable F2FS fixes.
  • Use distribution or device-vendor advisories for exact package versions.
  • Prioritize systems using F2FS inline encryption or wrappedkey_v0.
  • Avoid unnecessary remount activity on affected F2FS systems until patched.
  • Check Debian LTS and Siemens advisories where those platforms apply.

Validation and detection

  • Inventory Linux hosts and embedded devices using F2FS filesystems.
  • Check whether inline encryption and wrappedkey_v0 are enabled.
  • Confirm running kernels include the referenced stable commits or vendor backports.
  • Review remount workflows that occur while applications create or open files.
  • Monitor vendor advisories for final affected and fixed version mappings.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-40971 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4unaffected
LinuxLinux3.8, 0, 5.10.221, 5.15.162, 6.1.96, 6.6.36, 6.9.7, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.