CVE-2024-26589: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited".
AI Analysis
Technical Summary
CVE-2024-26589 is a vulnerability identified in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically related to the handling of pointer arithmetic on flow_keys pointers within BPF programs. The vulnerability arises because the kernel's validation function check_flow_keys_access() only validates fixed offsets for PTR_TO_FLOW_KEYS pointer types but does not prohibit variable offset pointer arithmetic (alu operations) on these pointers. This oversight allows a crafted BPF program to perform variable offset pointer arithmetic on flow_keys pointers, leading to out-of-bounds memory access. The example BPF program demonstrates loading a flow_keys pointer into a register, adding a variable offset, and then dereferencing the resulting pointer, which can cause a page fault and kernel crash. The root cause is that variable offsets are not checked or restricted for PTR_TO_FLOW_KEYS pointers, enabling potential memory corruption or denial of service. The patch for this vulnerability enforces rejection of BPF programs that perform pointer arithmetic with variable offsets on flow_keys pointers, preventing exploitation by rejecting such programs at load time. This vulnerability affects Linux kernel versions prior to the patch and is relevant to any system running vulnerable kernel versions with eBPF enabled. Although no known exploits are currently in the wild, the vulnerability could be leveraged by attackers with the ability to load BPF programs (typically requiring privileged access or specific capabilities) to cause kernel crashes or potentially escalate privileges via memory corruption. The vulnerability does not have a CVSS score assigned yet but is recognized and published by the Linux project and CISA.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with eBPF enabled, which is common in modern Linux distributions used in servers, cloud infrastructure, and network appliances. The impact includes potential denial of service through kernel crashes triggered by malicious or malformed BPF programs. In environments where untrusted users or containers have the ability to load BPF programs, this could be exploited to disrupt critical services or potentially escalate privileges if combined with other vulnerabilities. Given the widespread use of Linux in European data centers, cloud providers, telecom infrastructure, and embedded devices, exploitation could affect availability and operational continuity. Confidentiality and integrity impacts are less certain but cannot be ruled out if memory corruption leads to privilege escalation. The threat is particularly relevant for organizations relying on Linux-based network functions, security monitoring tools, or container orchestration platforms that utilize eBPF for performance and observability. The lack of known exploits in the wild reduces immediate risk, but the technical nature of the vulnerability and its presence in the kernel make it a significant concern for infrastructure stability and security.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch rejecting variable offset pointer arithmetic on flow_keys pointers. Kernel updates should be applied promptly, especially on systems exposed to untrusted users or running multi-tenant workloads. Additionally, organizations should audit and restrict the ability to load BPF programs to trusted users only, leveraging Linux capabilities and security modules (e.g., SELinux, AppArmor) to limit BPF program loading privileges. Monitoring kernel logs for BPF-related errors or crashes can help detect attempted exploitation. For containerized environments, ensure container runtimes and orchestration platforms enforce strict security policies around BPF usage. Network and security teams should review any custom or third-party BPF programs for compliance with the new restrictions. Finally, organizations should maintain an inventory of Linux kernel versions in use and implement automated patch management to reduce exposure windows.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-26589: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited".
AI-Powered Analysis
Technical Analysis
CVE-2024-26589 is a vulnerability identified in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically related to the handling of pointer arithmetic on flow_keys pointers within BPF programs. The vulnerability arises because the kernel's validation function check_flow_keys_access() only validates fixed offsets for PTR_TO_FLOW_KEYS pointer types but does not prohibit variable offset pointer arithmetic (alu operations) on these pointers. This oversight allows a crafted BPF program to perform variable offset pointer arithmetic on flow_keys pointers, leading to out-of-bounds memory access. The example BPF program demonstrates loading a flow_keys pointer into a register, adding a variable offset, and then dereferencing the resulting pointer, which can cause a page fault and kernel crash. The root cause is that variable offsets are not checked or restricted for PTR_TO_FLOW_KEYS pointers, enabling potential memory corruption or denial of service. The patch for this vulnerability enforces rejection of BPF programs that perform pointer arithmetic with variable offsets on flow_keys pointers, preventing exploitation by rejecting such programs at load time. This vulnerability affects Linux kernel versions prior to the patch and is relevant to any system running vulnerable kernel versions with eBPF enabled. Although no known exploits are currently in the wild, the vulnerability could be leveraged by attackers with the ability to load BPF programs (typically requiring privileged access or specific capabilities) to cause kernel crashes or potentially escalate privileges via memory corruption. The vulnerability does not have a CVSS score assigned yet but is recognized and published by the Linux project and CISA.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with eBPF enabled, which is common in modern Linux distributions used in servers, cloud infrastructure, and network appliances. The impact includes potential denial of service through kernel crashes triggered by malicious or malformed BPF programs. In environments where untrusted users or containers have the ability to load BPF programs, this could be exploited to disrupt critical services or potentially escalate privileges if combined with other vulnerabilities. Given the widespread use of Linux in European data centers, cloud providers, telecom infrastructure, and embedded devices, exploitation could affect availability and operational continuity. Confidentiality and integrity impacts are less certain but cannot be ruled out if memory corruption leads to privilege escalation. The threat is particularly relevant for organizations relying on Linux-based network functions, security monitoring tools, or container orchestration platforms that utilize eBPF for performance and observability. The lack of known exploits in the wild reduces immediate risk, but the technical nature of the vulnerability and its presence in the kernel make it a significant concern for infrastructure stability and security.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch rejecting variable offset pointer arithmetic on flow_keys pointers. Kernel updates should be applied promptly, especially on systems exposed to untrusted users or running multi-tenant workloads. Additionally, organizations should audit and restrict the ability to load BPF programs to trusted users only, leveraging Linux capabilities and security modules (e.g., SELinux, AppArmor) to limit BPF program loading privileges. Monitoring kernel logs for BPF-related errors or crashes can help detect attempted exploitation. For containerized environments, ensure container runtimes and orchestration platforms enforce strict security policies around BPF usage. Network and security teams should review any custom or third-party BPF programs for compliance with the new restrictions. Finally, organizations should maintain an inventory of Linux kernel versions in use and implement automated patch management to reduce exposure windows.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.126Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982bc4522896dcbe40dd
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 8:56:20 PM
Last updated: 7/26/2025, 6:00:49 AM
Views: 8
Related Threats
CVE-2025-8885: CWE-770 Allocation of Resources Without Limits or Throttling in Legion of the Bouncy Castle Inc. Bouncy Castle for Java
MediumCVE-2025-26398: CWE-798 Use of Hard-coded Credentials in SolarWinds Database Performance Analyzer
MediumCVE-2025-41686: CWE-306 Missing Authentication for Critical Function in Phoenix Contact DaUM
HighCVE-2025-8874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
MediumCVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.