LiveActive security incident?Get immediate response
CVE Record

CVE-2024-56780: quota: flush quota_release_work upon quota writeback

In the Linux kernel, the following vulnerability has been resolved: quota: flush quota_release_work upon quota writeback One of the paths quota writeback is called from is: freeze_super() sync_filesystem() ext4_sync_fs() dquot_writeback_dquots() Since we currently don't always flush the quota_release_work queue in this path, we can end up with the following race: 1. dquot are added to releasing_dquots list during regular operations. 2. FS Freeze starts, however, this does not flush the quota_release_work queue. 3. Freeze completes. 4. Kernel eventually tries to flush the workqueue while FS is frozen which hits a WARN_ON since transaction gets started during frozen state: ext4_journal_check_start+0x28/0x110 [ext4] (unreliable) __ext4_journal_start_sb+0x64/0x1c0 [ext4] ext4_release_dquot+0x90/0x1d0 [ext4] quota_release_workfn+0x43c/0x4d0 Which is the following line: WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE); Which ultimately results in generic/390 failing due to dmesg noise. This was detected on powerpc machine 15 cores. To avoid this, make sure to flush the workqueue during dquot_writeback_dquots() so we dont have any pending workitems after freeze.

MediumCVSS 5.5Not KEV-listedUpdated
Glexia's Takemoderate

Analyst readout for executives and security teams

Plain-English summary

This Linux kernel issue can cause a system availability problem during filesystem freeze operations. A quota cleanup task may run after the filesystem is frozen and trigger a kernel warning in ext4 journaling. The source describes a local, low-privilege, availability-only vulnerability, not data theft or remote compromise.

Executive priority

Handle through normal kernel maintenance unless the environment relies heavily on quotas and filesystem freeze operations. It is not evidenced as remotely exploitable or actively exploited, but availability impact can matter for shared servers, storage hosts, and operational platforms.

Technical view

Quota writeback can occur through freeze_super, sync_filesystem, ext4_sync_fs, and dquot_writeback_dquots. The vulnerable path did not always flush quota_release_work, allowing pending quota release work to start a transaction after SB_FREEZE_COMPLETE. The fix flushes the workqueue during dquot_writeback_dquots to avoid pending work after freeze.

Likely exposure

Exposure is most likely on Linux systems using affected kernel builds with filesystem quota handling and freeze activity. The CVSS vector is local, low complexity, low privilege, no user interaction, availability high. The provided data does not identify remote exposure, confidentiality impact, or integrity impact.

Exploitation context

The source bundle does not show KEV listing or active exploitation. Evidence points to a race found through testing, with generic/390 failing due to dmesg noise on a 15-core powerpc machine. Treat exploitation status as unconfirmed and local-only based on the provided CVSS vector.

Researcher notes

Key evidence is a kernel race between quota release work and filesystem freeze. The fix direction is workqueue flushing in dquot_writeback_dquots. Affected-version evidence in the bundle is version-list based and should be reconciled against vendor kernel package backports before declaring exposure.

Mitigation direction

  • Update Linux kernels to vendor builds containing the referenced stable quota fix.
  • Apply relevant Debian LTS kernel updates where Debian advisories match deployed releases.
  • Prioritize systems that use filesystem quotas and filesystem freeze workflows.
  • Monitor vendor advisories for distribution-specific fixed package versions.
  • Avoid treating this as remotely exploitable without new vendor evidence.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and container hosts.
  • Check whether deployed kernels include one of the referenced stable commits.
  • Identify systems using quota-enabled filesystems and freeze operations.
  • Review dmesg or kernel logs for ext4_journal_check_start freeze warnings.
  • Confirm distribution advisories map to installed kernel packages.
Prepared
Confidence
medium
Sources
11

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-56780 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.5CVSS 3.1MediumCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H1.83.6CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

5.5Medium
CVSS 3.1 vector shape for CVE-2024-56780Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd40c192e119892799dd4ddf94f5cea6fa93775ef, 86d89987f0998c98f57d641e308b40452a994045, 89602de9a2d7080b7a4029d5c1bf8f78d295ff5f, 3027e200dd58d5b437f16634dbbd355b29ffe0a6, dabc8b20756601b9e1cc85a81d47d3f98ed4d13a, dabc8b20756601b9e1cc85a81d47d3f98ed4d13a, dabc8b20756601b9e1cc85a81d47d3f98ed4d13a, f3e9a2bbdeb8987508dd6bb2b701dea911d4daec, 903fc5d8cb48b0d2de7095ef40e39fd32bb27bd0, 31bed65eecbc5ce57592cfe31947eaa64e3d678e, 5.4.257, 5.10.195, 5.15.132, 6.1.53, 4.19.295, 6.4.16, 6.5.3unaffected
LinuxLinux6.6, 0, 5.4.287, 5.10.231, 5.15.174, 6.1.120, 6.6.64, 6.12.4, 6.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.