CVE-2024-26737: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel

The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead to a UAF on the timer->timer.

    bpf_timer_cancel();
        spin_lock();
        t = timer->timer;
        spin_unlock();
                                    bpf_timer_cancel_and_free();
                                        spin_lock();
                                        t = timer->timer;
                                        timer->timer = NULL;
                                        spin_unlock();
                                        hrtimer_cancel(&t->timer);
                                        kfree(t);
        /* UAF on t */
        hrtimer_cancel(&t->timer);

In bpf_timer_cancel_and_free, this patch frees the timer->timer after an rcu grace period. This requires an rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init; this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible to others yet.

In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non-rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited; bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock.

Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straightforward solution and frees timer->timer after an rcu grace period.
AI Analysis
Technical Summary
CVE-2024-26737 is a medium-severity vulnerability in the Linux kernel's BPF subsystem, specifically in the management of BPF timers. It is a race condition between two helpers, bpf_timer_cancel_and_free and bpf_timer_cancel, that both operate on the same struct bpf_hrtimer through the timer->timer pointer.

bpf_timer_cancel reads timer->timer under the timer's spinlock, drops the lock, and then calls hrtimer_cancel on the object it read. If bpf_timer_cancel_and_free runs in between, it clears timer->timer under the lock and frees the object immediately with kfree; the stale pointer still held by bpf_timer_cancel is then dereferenced after the free, a use-after-free (UAF). A UAF in kernel context can lead to kernel crashes or, in principle, arbitrary code execution in kernel context, although the assigned CVSS vector scores only the availability impact.

The fix has two parts. bpf_timer_cancel_and_free now frees the object with kfree_rcu, which requires an rcu_head in struct bpf_hrtimer, so the memory is not reclaimed until a Read-Copy-Update (RCU) grace period has elapsed. bpf_timer_cancel wraps its access in rcu_read_lock()/rcu_read_unlock(), which is needed because the helper can be called from a sleepable BPF program outside any RCU critical section. Together these guarantee that the object stays valid until every reader that might still hold a pointer to it has finished, so no reference to the timer exists when it is freed.

The vulnerability affects Linux kernel versions containing the vulnerable commit b00628b1c7d595ae5b544e059c27b1f5828314b4 and similar. Exploitation requires local privileges with at least limited permissions (PR:L) and does not require user interaction. The CVSS v3.1 score is 5.5 (medium), reflecting the local attack vector, low complexity, and impact limited to availability (kernel crashes). No known exploits are currently reported in the wild.
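The interleaving from the commit message and the effect of the fix, as an added userspace model (this is example code, not the kernel's own code): the "RCU" here is just a reader counter plus one deferred-free slot, enough to show why kfree_rcu() on the free side and rcu_read_lock() on the cancel side close the window. The names mirror the commit message; spin_lock/spin_unlock are no-ops because the schedule is replayed single-threaded.

```c
/* Added example: userspace model of the CVE-2024-26737 race, not kernel code.
 * model_kfree() marks the object instead of freeing it so the stale access is
 * observable; hrtimer_cancel() acts on the object itself rather than &t->timer. */
#include <stdbool.h>
#include <stddef.h>

struct bpf_hrtimer { bool freed; int cancel_calls; };  /* models struct bpf_hrtimer */
struct bpf_timer_kern { struct bpf_hrtimer *timer; };  /* models timer->timer */

static int rcu_readers;                      /* open rcu_read_lock() sections */
static struct bpf_hrtimer *rcu_pending;      /* object handed to kfree_rcu() */
static bool uaf_hit;                         /* set when a freed object is touched */

static void spin_lock(void) {}               /* single-threaded replay: no-op */
static void spin_unlock(void) {}
static void model_kfree(struct bpf_hrtimer *t) { t->freed = true; }
static void rcu_read_lock(void) { rcu_readers++; }
static void rcu_read_unlock(void) {          /* last reader out == grace period over */
    if (--rcu_readers == 0 && rcu_pending) { model_kfree(rcu_pending); rcu_pending = NULL; }
}
static void kfree_rcu(struct bpf_hrtimer *t) {
    if (rcu_readers == 0) model_kfree(t); else rcu_pending = t;
}
static void hrtimer_cancel(struct bpf_hrtimer *t) {
    if (t->freed) uaf_hit = true; else t->cancel_calls++;
}

/* Replays the commit-message schedule; returns true if a freed timer was touched. */
bool run_race(bool fixed)
{
    struct bpf_hrtimer obj = { false, 0 };
    struct bpf_timer_kern timer = { &obj };
    struct bpf_hrtimer *t, *t2;
    rcu_readers = 0; rcu_pending = NULL; uaf_hit = false;

    /* bpf_timer_cancel(): read the pointer under the lock, then drop the lock */
    if (fixed) rcu_read_lock();
    spin_lock(); t = timer.timer; spin_unlock();

    /* bpf_timer_cancel_and_free() runs in between: clear, cancel, free */
    spin_lock(); t2 = timer.timer; timer.timer = NULL; spin_unlock();
    hrtimer_cancel(t2);
    if (fixed) kfree_rcu(t2); else model_kfree(t2);

    /* bpf_timer_cancel() resumes with its stale pointer */
    hrtimer_cancel(t);                       /* UAF unless the free was deferred */
    if (fixed) rcu_read_unlock();            /* grace period ends, object is freed now */
    return uaf_hit;
}
```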
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those utilizing BPF programs for networking, monitoring, or security purposes. Successful exploitation could lead to denial of service via kernel crashes or potentially privilege escalation if combined with other vulnerabilities, impacting system availability and stability. Critical infrastructure, cloud providers, and enterprises relying on Linux servers for networking or container orchestration could face service disruptions. Since BPF is widely used in modern Linux distributions common in Europe, including Ubuntu, Debian, Red Hat, and SUSE, the vulnerability could affect a broad range of servers and embedded devices. However, exploitation requires local access with some privileges, limiting remote attack risks but increasing concerns for multi-tenant environments or compromised user accounts. The vulnerability could also impact security monitoring tools that rely on BPF, potentially degrading incident response capabilities if exploited.
Mitigation Recommendations
European organizations should promptly apply Linux kernel updates that include the patch for CVE-2024-26737. Specifically, they should upgrade to kernel versions where the race condition between bpf_timer_cancel_and_free and bpf_timer_cancel is resolved by proper RCU synchronization. For environments where immediate patching is challenging, organizations should restrict local access to systems running vulnerable kernels, enforce strict privilege separation, and monitor for unusual kernel crashes or suspicious BPF activity. Additionally, auditing and limiting the use of custom or third-party BPF programs can reduce attack surface. Employing kernel live patching solutions where available can help mitigate risk without downtime. Security teams should also review container and orchestration platforms to ensure underlying host kernels are patched, as container escapes could leverage this vulnerability. Finally, integrating kernel crash monitoring and alerting can facilitate rapid detection of exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.166Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe39cd
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 5:57:12 PM
Last updated: 8/15/2025, 10:42:56 AM