CVE-2024-26740: Vulnerability in Linux

High
Published: Wed Apr 03 2024 (04/03/2024, 17:00:25 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: use the backlog for mirred ingress

The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog for nested calls to mirred ingress") hangs our testing VMs every 10 or so runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by lockdep.

The problem as previously described by Davide (see Link) is that if we reverse flow of traffic with the redirect (egress -> ingress) we may reach the same socket which generated the packet. And we may still be holding its socket lock. The common solution to such deadlocks is to put the packet in the Rx backlog, rather than run the Rx path inline. Do that for all egress -> ingress reversals, not just once we started to nest mirred calls.

In the past there was a concern that the backlog indirection will lead to loss of error reporting / less accurate stats. But the current workaround does not seem to address the issue.

AI-Powered Analysis

Last updated: 06/29/2025, 17:57:39 UTC

Technical Analysis

CVE-2024-26740 is a vulnerability in the Linux kernel's networking subsystem, specifically in the act_mirred action under net/sched. act_mirred (action mirroring/redirecting) redirects network packets from one interface to another and is often employed in advanced networking setups such as traffic mirroring, network virtualization, or container networking. The vulnerability arises when a redirect reverses the traffic flow from egress to ingress: the kernel may then reach the same socket that originally generated the packet while still holding that socket's lock. The result is a deadlock, detected by the kernel's lock dependency checker (lockdep) and notably manifesting as a tcp_v4_rcv -> tcp_v4_rcv deadlock. The root cause is that the redirected packet is run through the receive path inline, so the nested call contends for a socket lock that is already held.

The fix uses the receive (Rx) backlog queue to defer processing of such packets instead of handling them inline, and applies this to all egress -> ingress reversals rather than only once mirred calls have started to nest. This backlog indirection prevents the deadlock by breaking the recursive locking scenario. The commit message notes a past concern that this backlog indirection may reduce the accuracy of error reporting and network statistics, as packets are queued rather than processed immediately. The vulnerability affects Linux kernel versions identified by the commit hash 53592b3640019f2834701093e38272fdfd367ad8 and was published on April 3, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet. The issue is technical and subtle, primarily impacting systems using advanced network packet redirection features that reverse traffic flow, such as complex firewall, container, or virtualization environments.

Potential Impact

For European organizations, the impact of CVE-2024-26740 depends largely on their use of Linux-based infrastructure with advanced networking configurations. Enterprises and service providers running Linux servers with network packet mirroring, redirection, or containerized environments (e.g., Kubernetes with CNI plugins that use mirred) could experience system hangs or deadlocks leading to denial of service (DoS) conditions. This can disrupt critical network functions, degrade service availability, and potentially cause outages in data centers or cloud environments. The deadlock affects TCP packet reception, which may impact network throughput and reliability. While the vulnerability does not appear to allow privilege escalation or remote code execution, the availability impact on network services can be significant, especially in high-availability or real-time systems. European organizations relying on Linux for telecommunications, financial services, or critical infrastructure may face operational risks if unpatched. The lack of known exploits reduces immediate risk, but the complexity of the issue means that unnoticed deadlocks could cause intermittent failures that are difficult to diagnose. Additionally, the workaround's impact on error reporting and statistics may hinder network monitoring and incident response capabilities.

Mitigation Recommendations

To mitigate CVE-2024-26740, European organizations should:

1) Apply the official Linux kernel patches that implement the backlog queue handling for mirred ingress redirection as soon as they become available from trusted Linux distributions or kernel maintainers.
2) Review and audit network configurations that use act_mirred or similar packet redirection features, especially those reversing traffic flow from egress to ingress, to identify and minimize complex nested mirred calls.
3) Implement robust monitoring to detect signs of deadlocks or network stalls, including kernel lockdep warnings and TCP receive path anomalies.
4) Test network workloads in staging environments with the patched kernel to ensure stability and verify that the backlog workaround does not adversely affect performance or error reporting beyond acceptable limits.
5) Consider fallback or alternative network redirection mechanisms if the mirred backlog approach impacts critical error visibility.
6) Maintain up-to-date kernel versions and subscribe to Linux kernel security advisories to promptly respond to any emerging exploit reports or additional fixes.
7) For containerized environments, ensure CNI plugins and orchestration tools are compatible with the patched kernel behavior to avoid cascading network issues.
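For the configuration audit in recommendation 2, the following added example (not part of the original advisory or of any kernel or iproute2 code) scans saved `tc filter show dev <device> <hook>` output for mirred actions attached on an egress hook that send packets to an ingress path. The function name, the sample text, and the assumed iproute2 output format are illustrative assumptions.

```python
import re

# Assumption: iproute2 text output prints a mirred action as
#   "mirred (<Egress|Ingress> <Mirror|Redirect> to device <name>)"
MIRRED_RE = re.compile(
    r"mirred \((Egress|Ingress) (Mirror|Redirect) to device ([^)\s]+)\)")
PREF_RE = re.compile(r"^filter .*?\bpref (\d+)\b")

def find_reversals(captures):
    """captures: (device, hook, text) tuples, where text is the saved output of
    `tc filter show dev <device> <hook>` and hook is 'ingress' or 'egress'.
    Returns mirred actions on an egress hook that hand packets to an ingress
    path: the egress -> ingress reversal described in the advisory."""
    findings = []
    for dev, hook, text in captures:
        pref = None
        for line in text.splitlines():
            line = line.strip()
            m = PREF_RE.match(line)
            if m:
                pref = int(m.group(1))  # remember which filter owns the action
            act = MIRRED_RE.search(line)
            if act and hook == "egress" and act.group(1) == "Ingress":
                findings.append({"dev": dev, "pref": pref,
                                 "kind": act.group(2).lower(),
                                 "target": act.group(3)})
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE_EGRESS = """\
filter protocol ip pref 10 flower chain 0 handle 0x1
  ip_proto tcp
  not_in_hw
        action order 1: mirred (Ingress Redirect to device veth0) stolen
filter protocol ip pref 20 matchall chain 0 handle 0x1
        action order 1: mirred (Egress Mirror to device ifb0) pipe
"""
SAMPLE_INGRESS = """\
filter protocol all pref 30 matchall chain 0 handle 0x1
        action order 1: mirred (Ingress Redirect to device veth1) stolen
"""

if __name__ == "__main__":
    for f in find_reversals([("eth0", "egress", SAMPLE_EGRESS),
                             ("eth0", "ingress", SAMPLE_INGRESS)]):
        print("egress->ingress mirred on {dev} pref {pref}: {kind} to {target}".format(**f))
```

Hosts that report findings here are the ones whose kernels should be prioritized for the patched build.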

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.166Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe39e6

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 5:57:39 PM

Last updated: 8/13/2025, 6:47:00 AM
