CVE-2024-26591: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

The following case can cause a crash due to missing attach_btf:

1) load rawtp program
2) load fentry program with rawtp as target_fd
3) create tracing link for fentry program with target_fd = 0
4) repeat 3

In the end we have:

- prog->aux->dst_trampoline == NULL
- tgt_prog == NULL (because we did not provide target_fd to link_create)
- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)
- the program was loaded for tgt_prog but we have no way to find out which one

BUG: kernel NULL pointer dereference, address: 0000000000000058
Call Trace:
 <TASK>
 ? __die+0x20/0x70
 ? page_fault_oops+0x15b/0x430
 ? fixup_exception+0x22/0x330
 ? exc_page_fault+0x6f/0x170
 ? asm_exc_page_fault+0x22/0x30
 ? bpf_tracing_prog_attach+0x279/0x560
 ? btf_obj_id+0x5/0x10
 bpf_tracing_prog_attach+0x439/0x560
 __sys_bpf+0x1cf4/0x2de0
 __x64_sys_bpf+0x1c/0x30
 do_syscall_64+0x41/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Return -EINVAL in this situation.
AI Analysis
Technical Summary
CVE-2024-26591 is a vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically in the bpf_tracing_prog_attach function. The issue arises during the re-attachment of BPF tracing programs.

The vulnerability manifests when the following sequence is performed: a raw tracepoint (rawtp) program is loaded, an fentry program is loaded with the rawtp program as its target, and then a tracing link for the fentry program is created more than once with a target_fd of zero. This sequence leaves an inconsistent internal state in which prog->aux->dst_trampoline, tgt_prog, and prog->aux->attach_btf are all NULL. The kernel then dereferences a NULL pointer and crashes (BUG: kernel NULL pointer dereference). The faulting address (0x58) is a small offset from zero, which is indicative of dereferencing a NULL or uninitialized pointer. The root cause is the missing attach_btf information when the tracing link is created without a valid target_fd, which leaves the kernel unable to resolve the target program.

This vulnerability affects specific Linux kernel versions identified by the commit hash f3a95075549e0e5c36db922caf86847db7a35403. While no known exploits are reported in the wild, the vulnerability can be triggered by local users with the ability to load and attach BPF programs, potentially leading to a denial of service (DoS) via kernel crash. The vulnerability does not appear to allow privilege escalation or code execution directly but can disrupt system availability and stability.
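The state described above and the effect of the fix ("Return -EINVAL in this situation") can be modelled in user space. This is an added example, not kernel code and not part of the original advisory: the structs are simplified stand-ins, the function names and the WOULD_OOPS marker are hypothetical, and clearing dst_trampoline on attach is a modelling assumption.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space stand-ins holding only the fields the advisory names. */
struct btf { unsigned int id; };
struct prog_aux {
    void *dst_trampoline;    /* saved at load time when attach_prog_fd is given */
    struct btf *attach_btf;  /* NULL when loaded with attach_prog_fd=X */
};
struct prog { struct prog_aux aux; };
#define WOULD_OOPS 1         /* model marker: the kernel would dereference NULL */

/* Re-attachment branch: no saved trampoline, no target passed to link_create. */
static int reattach_branch(const struct prog *p, const void *tgt_prog)
{
    return p->aux.dst_trampoline == NULL && tgt_prog == NULL;
}

/* Before the fix (modelled): the branch uses attach_btf without checking it. */
int link_create_unpatched(struct prog *p, const void *tgt_prog)
{
    if (reattach_branch(p, tgt_prog) && p->aux.attach_btf == NULL)
        return WOULD_OOPS;
    p->aux.dst_trampoline = NULL;  /* assumption: attach consumes the trampoline */
    return 0;
}

/* After the fix (modelled): a missing attach_btf is rejected with -EINVAL. */
int link_create_patched(struct prog *p, const void *tgt_prog)
{
    if (reattach_branch(p, tgt_prog) && p->aux.attach_btf == NULL)
        return -EINVAL;
    p->aux.dst_trampoline = NULL;
    return 0;
}

/* Steps 3 and 4 of the description: two link_create calls with target_fd = 0. */
int second_link_result(int (*link_create)(struct prog *, const void *))
{
    static int trampoline;   /* dummy object standing in for a trampoline */
    struct prog fentry = { { &trampoline, NULL } };
    link_create(&fentry, NULL);          /* step 3: uses the saved trampoline */
    return link_create(&fentry, NULL);   /* step 4: lands in the re-attach branch */
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", second_link_result(link_create_unpatched), second_link_result(link_create_patched));
    return 0;
}
```

A program that does carry a valid attach_btf still passes the patched check, so legitimate re-attachment is unaffected in this model.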
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that utilize BPF tracing features. Many enterprise and cloud environments in Europe rely on Linux for critical infrastructure, including servers, network devices, and container orchestration platforms. Successful exploitation results in a kernel crash, causing system downtime and potential service disruption. This can affect the availability of critical services, especially in sectors like finance, healthcare, telecommunications, and government where Linux-based systems are prevalent. Although the vulnerability requires local access and specific BPF program loading capabilities, insider threats or compromised accounts could exploit it to cause denial of service. Additionally, environments using advanced observability or security tools that leverage BPF tracing may be more exposed. The impact extends to cloud providers and managed service providers operating in Europe, where multi-tenant environments could see broader disruption. The vulnerability does not directly compromise confidentiality or integrity but can degrade operational reliability and increase incident response costs.
Mitigation Recommendations
To mitigate CVE-2024-26591, European organizations should:

1) Apply the official Linux kernel patches that fix the bpf_tracing_prog_attach re-attachment logic as soon as they are available from trusted sources or vendor distributions.
2) Restrict the ability to load and attach BPF programs to trusted administrators only, using Linux capabilities (e.g., CAP_BPF) and seccomp filters to limit exposure.
3) Monitor kernel logs and audit BPF program loading activities to detect unusual or repeated attempts to create tracing links with invalid parameters.
4) Employ kernel live patching solutions where available to minimize downtime while applying fixes.
5) In containerized environments, ensure that container runtimes and orchestrators enforce strict security policies preventing unprivileged BPF program loading.
6) Conduct regular vulnerability scanning and compliance checks to identify vulnerable kernel versions across the infrastructure.
7) Educate system administrators about the risks associated with BPF tracing and the importance of applying updates promptly.

These steps go beyond generic advice by focusing on controlling BPF program usage and monitoring specific kernel behaviors related to this vulnerability.
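For the kernel-log monitoring in step 3, a matcher for this crash signature might look like the following. It is an added example, not part of the original advisory: the function names are hypothetical, and the sample log (timestamps and the second, unrelated report) is constructed around the frames shown in the call trace above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the first report reuses frames from the advisory's trace;
 * the second is an unrelated NULL dereference (hypothetical symbol). */
static const char *const SAMPLE_LOG[] = {
    "[  100.000001] BUG: kernel NULL pointer dereference, address: 0000000000000058",
    "[  100.000002]  ? bpf_tracing_prog_attach+0x279/0x560",
    "[  100.000003]  bpf_tracing_prog_attach+0x439/0x560",
    "[  100.000004]  __sys_bpf+0x1cf4/0x2de0",
    "[  100.000005]  __x64_sys_bpf+0x1c/0x30",
    "[  200.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010",
    "[  200.000002]  example_driver_probe+0x10/0x40",
    "[  200.000003]  ? bpf_tracing_prog_attach+0x279/0x560",
};
#define SAMPLE_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

/* Frame for sym that the unwinder trusts; "? "-prefixed frames are guesses. */
static int reliable_frame(const char *line, const char *sym)
{
    const char *hit = strstr(line, sym);
    if (!hit || hit[strlen(sym)] != '+')
        return 0;
    return !(hit - line >= 2 && hit[-2] == '?' && hit[-1] == ' ');
}

/* Count NULL-dereference reports whose trusted frames include both
 * bpf_tracing_prog_attach and the bpf syscall entry __sys_bpf. */
int count_matching_oops(const char *const *lines, size_t n)
{
    int in_oops = 0, attach = 0, sys_bpf = 0, matches = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == n || strstr(lines[i], "BUG: ")) {   /* report boundary */
            matches += in_oops && attach && sys_bpf;
            attach = sys_bpf = 0;
            in_oops = i < n && strstr(lines[i], "NULL pointer dereference");
        } else if (in_oops) {
            attach |= reliable_frame(lines[i], "bpf_tracing_prog_attach");
            sys_bpf |= reliable_frame(lines[i], "__sys_bpf");
        }
    }
    return matches;
}

int main(void)
{
    printf("matching reports: %d\n", count_matching_oops(SAMPLE_LOG, SAMPLE_LEN));
    return 0;
}
```

Requiring a trusted bpf_tracing_prog_attach frame keeps the second report, where the symbol only appears as a "?" guess, from being counted.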
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.126Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe40f6
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 8:56:42 PM
Last updated: 8/16/2025, 12:44:37 PM