{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-40969", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.602Z", "datePublished": "2024-07-12T12:32:08.139Z", "dateUpdated": "2026-05-11T20:23:20.947Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:23:20.947Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't set RO when shutting down f2fs\n\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\n\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\n - bdev_freeze\n - freeze_super\n - f2fs_stop_checkpoint()\n - f2fs_handle_critical_error - sb_start_write\n - set RO - waiting\n - bdev_thaw\n - thaw_super_locked\n - return -EINVAL, if sb_rdonly()\n - f2fs_stop_discard_thread\n -> wait for kthread_stop(discard_thread);"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/f2fs/super.c"], "versions": [{"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "lessThan": "1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a", "status": "affected", "versionType": "git"}, {"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "lessThan": "f47ed3b284b38f235355e281f57dfa8fffcc6563", "status": "affected", "versionType": "git"}, {"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "lessThan": "3bdb7f161697e2d5123b89fe1778ef17a44858e7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/f2fs/super.c"], "versions": [{"version": "3.8", "status": "affected"}, {"version": "0", "lessThan": "3.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.36", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.7", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.6.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.9.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a"}, {"url": "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563"}, {"url": "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7"}], "title": "f2fs: don't set RO when shutting down f2fs", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:56.044Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:03:00.775440Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:22.766Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:56.044Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:03:00.775440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:22.308Z"}}], "cna": {"title": "f2fs: don't set RO when shutting down f2fs", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "lessThan": "1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a", "versionType": "git"}, {"status": "affected", "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "lessThan": "f47ed3b284b38f235355e281f57dfa8fffcc6563", "versionType": "git"}, {"status": "affected", "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4", "lessThan": "3bdb7f161697e2d5123b89fe1778ef17a44858e7", "versionType": "git"}], "programFiles": ["fs/f2fs/super.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3.8"}, {"status": "unaffected", "version": "0", "lessThan": "3.8", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.36", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.7", "versionType": "semver", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/f2fs/super.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a"}, {"url": "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563"}, {"url": "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't set RO when shutting down f2fs\n\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\n\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\n - bdev_freeze\n - freeze_super\n - f2fs_stop_checkpoint()\n - f2fs_handle_critical_error - sb_start_write\n - set RO - waiting\n - bdev_thaw\n - thaw_super_locked\n - return -EINVAL, if sb_rdonly()\n - f2fs_stop_discard_thread\n -> wait for kthread_stop(discard_thread);"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.36", "versionStartIncluding": "3.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9.7", "versionStartIncluding": "3.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.10", "versionStartIncluding": "3.8"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:23:20.947Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40969", "state": "PUBLISHED", "dateUpdated": "2026-05-11T20:23:20.947Z", "dateReserved": "2024-07-12T12:17:45.602Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-12T12:32:08.139Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97F8F699-7041-44A4-9087-0E1FFC0543C8", "versionEndExcluding": "6.6.36", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A047AF2-94AC-4A3A-B32D-6AB930D8EF1C", "versionEndExcluding": "6.9.7", "versionStartIncluding": "6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't set RO when shutting down f2fs\n\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\n\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\n - bdev_freeze\n - freeze_super\n - f2fs_stop_checkpoint()\n - f2fs_handle_critical_error - sb_start_write\n - set RO - waiting\n - bdev_thaw\n - thaw_super_locked\n - return -EINVAL, if sb_rdonly()\n - f2fs_stop_discard_thread\n -> wait for kthread_stop(discard_thread);"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: f2fs: no configure RO al apagar f2fs El apagado no verifica el error de thaw_super debido a solo lectura, lo que causa un punto muerto como el que se muestra a continuaci\u00f3n. f2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issues_discard_thread - bdev_freeze - frozen_super - f2fs_stop_checkpoint() - f2fs_handle_critical_error - sb_start_write - establecer RO - esperando - bdev_thaw - thaw_super_locked - devolver -EINVAL, si sb_rdonly() - card_thread -> esperar kthread_stop(discard_thread);"}], "id": "CVE-2024-40969", "lastModified": "2024-11-21T09:31:58.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-12T13:15:18.627", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1036d3ea7a32cb7cee00885c73a1f2ba7fbc499a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3bdb7f161697e2d5123b89fe1778ef17a44858e7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f47ed3b284b38f235355e281f57dfa8fffcc6563"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: f2fs: don't set RO when shutting down f2fs", "id": "2297553", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297553"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362->CWE-833", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nf2fs: don't set RO when shutting down f2fs\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread\n- bdev_freeze\n- freeze_super\n- f2fs_stop_checkpoint()\n- f2fs_handle_critical_error - sb_start_write\n- set RO - waiting\n- bdev_thaw\n- thaw_super_locked\n- return -EINVAL, if sb_rdonly()\n- f2fs_stop_discard_thread\n-> wait for kthread_stop(discard_thread);", "A f2fs vulnerability was found in the Linux Kernel involving a deadlock during shutdown due to a failure to check for errors from the thaw_super function. When attempting to freeze the block device and set the file system to read-only, the system hangs if the superblock is already read-only."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-40969", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40969\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40969\nhttps://lore.kernel.org/linux-cve-announce/2024071228-CVE-2024-40969-6507@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate"}

{}