
CVE-2024-26741: Vulnerability in the Linux kernel

Severity: Medium
Published: Wed Apr 03 2024 (04/03/2024, 17:00:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_established().

syzkaller reported a warning [0] in inet_csk_destroy_sock() with no repro.

  WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);

However, the syzkaller's log hinted that connect() failed just before the warning due to FAULT_INJECTION. [1]

When connect() is called for an unbound socket, we search for an available ephemeral port. If a bhash bucket exists for the port, we call __inet_check_established() or __inet6_check_established() to check if the bucket is reusable.

If reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.

Later, we look up the corresponding bhash2 bucket and try to allocate it if it does not exist.

Although it rarely occurs in real use, if the allocation fails, we must revert the changes by check_established(). Otherwise, an unconnected socket could illegally occupy an ehash entry.

Note that we do not put tw back into ehash because sk might have already responded to a packet for tw and it would be better to free tw earlier under such memory pressure.

[0]:
WARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
Modules linked in:
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
Code: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05
RSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40
RDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8
RBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0
R13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000
FS:  00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
 dccp_close (net/dccp/proto.c:1078)
 inet_release (net/ipv4/af_inet.c:434)
 __sock_release (net/socket.c:660)
 sock_close (net/socket.c:1423)
 __fput (fs/file_table.c:377)
 __fput_sync (fs/file_table.c:462)
 __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)
 do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
RIP: 0033:0x7f03e53852bb
Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44
RSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb
RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c
R10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000
R13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170
 </TASK>

[1]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
 should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
 should_failslab (mm/slub.c:3748)
 kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)
 inet_bind2_bucket_create ---truncated---

AI-Powered Analysis

Last updated: 06/29/2025, 17:57:51 UTC

Technical Analysis

CVE-2024-26741 is a missing-rollback bug in the Linux kernel's connect() path, which TCP and DCCP share, and it is fixed by the commit whose message is quoted above. When connect() is called on a socket that was never bound, the kernel searches for a free ephemeral port. If a bhash bucket already exists for the candidate port, __inet_check_established() or __inet6_check_established() decides whether the port can be reused; if it can, the socket is inserted into the established hash (ehash) and inet_sk(sk)->inet_num is set to the port. Only after that does the kernel look up the bhash2 bucket for the port and, if none exists, allocate one with inet_bind2_bucket_create(). Before the fix, a failure of that allocation returned an error to the caller without undoing the earlier step, so a socket that never connected stayed in ehash with inet_num set and icsk_bind_hash still NULL. That leaves an ehash entry occupied by a socket that should not hold it, and when the socket is later closed the check WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash) in inet_csk_destroy_sock() fires. That warning is how syzkaller found the bug: there was no standalone reproducer, but the log shows a failslab fault injected into inet_bind2_bucket_create() in the same process immediately before the warning, and the trace runs through dccp_close(), which is why DCCP appears in the title even though the hashing code is common to TCP. The fix unhashes the socket from ehash and clears its port state when the tb2 allocation fails. A timewait socket that check_established() had reclaimed is deliberately not put back, because the new socket may already have answered a packet on its behalf and freeing it early is the better outcome under memory pressure. The only trigger is a failed small slab allocation at that exact point, so in practice the path is reached under genuine memory exhaustion or fault injection. The record lists the severity as Medium without a CVSS vector and does not enumerate affected kernel versions; the syzkaller instance was running a post-6.7 development kernel (6.7.0-12272-g2121c43f88f5).
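The ordering the description lays out (claim the ehash slot in check_established(), then allocate the tb2 bucket, and roll back if that fails) is easy to get wrong in exactly the way the fix addresses. What follows is an added example, not code from the kernel or from this page: a user-space C model in which a flag replaces failslab, the hash tables are plain arrays, and connect_unfixed() and connect_fixed() reproduce the pre-fix and post-fix behaviour. Apart from the names quoted from the description (the inet_num and icsk_bind_hash fields, inet_bind2_bucket_create, check_established, inet_csk_destroy_sock), every identifier is invented for the model, and "in ehash" is tracked by a nonzero inet_num alone, which the real kernel does not do.

```c
/* Added example, not kernel code: a user-space model of the connect() bookkeeping
 * described above, with a flag standing in for failslab fault injection. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EHASH_SIZE 64

struct bind2_bucket { int port; };              /* stands in for the tb2 bucket */
struct sock {
    int inet_num;                               /* local port; nonzero means "in ehash" here */
    struct bind2_bucket *icsk_bind_hash;        /* NULL until tb2 is allocated */
};

static struct sock *ehash[EHASH_SIZE];          /* toy ehash: one slot per port */
static bool fail_next_tb2_alloc;                /* fault-injection knob */

/* Model of inet_bind2_bucket_create(): a small slab allocation that can fail. */
static struct bind2_bucket *inet_bind2_bucket_create(int port) {
    struct bind2_bucket *tb2 = fail_next_tb2_alloc ? NULL : malloc(sizeof *tb2);
    fail_next_tb2_alloc = false;
    if (tb2)
        tb2->port = port;
    return tb2;
}

/* Model of __inet_check_established(): claim the ehash slot and record the port. */
static int check_established(struct sock *sk, int port) {
    struct sock **slot = &ehash[port % EHASH_SIZE];
    if (*slot)
        return -EADDRNOTAVAIL;                  /* port not reusable */
    *slot = sk;
    sk->inet_num = port;
    return 0;
}

/* The rollback the fix adds: take sk out of ehash and forget the port. */
static void unhash(struct sock *sk) {
    if (!sk->inet_num)
        return;
    ehash[sk->inet_num % EHASH_SIZE] = NULL;
    sk->inet_num = 0;
}

/* Pre-fix: the tb2 failure is returned, but sk stays hashed with inet_num set. */
static int connect_unfixed(struct sock *sk, int port) {
    int err = check_established(sk, port);
    if (err)
        return err;
    struct bind2_bucket *tb2 = inet_bind2_bucket_create(port);
    if (!tb2)
        return -ENOMEM;                         /* bug: no rollback */
    sk->icsk_bind_hash = tb2;
    return 0;
}

/* Post-fix: undo check_established() before returning the failure. */
static int connect_fixed(struct sock *sk, int port) {
    int err = check_established(sk, port);
    if (err)
        return err;
    struct bind2_bucket *tb2 = inet_bind2_bucket_create(port);
    if (!tb2) {
        unhash(sk);
        return -ENOMEM;
    }
    sk->icsk_bind_hash = tb2;
    return 0;
}

/* Model of inet_csk_destroy_sock(): true if its WARN_ON would fire on close(). */
static bool destroy_sock_warns(struct sock *sk) {
    bool warn = sk->inet_num && !sk->icsk_bind_hash;
    unhash(sk);
    free(sk->icsk_bind_hash);
    sk->icsk_bind_hash = NULL;
    return warn;
}

struct scenario { int first_connect_err; bool port_stuck; bool warned; };

/* Inject one tb2 allocation failure into the first connect(), then check whether a
 * second socket can take the same port and whether closing the first one warns. */
static struct scenario run_scenario(int (*do_connect)(struct sock *, int)) {
    struct sock a = {0}, b = {0};
    struct scenario r = {0};
    memset(ehash, 0, sizeof ehash);
    fail_next_tb2_alloc = true;
    r.first_connect_err = do_connect(&a, 40000); /* 40000: arbitrary ephemeral port */
    r.port_stuck = do_connect(&b, 40000) != 0;
    r.warned = destroy_sock_warns(&a);
    destroy_sock_warns(&b);
    return r;
}

int main(void) {
    struct scenario u = run_scenario(connect_unfixed), f = run_scenario(connect_fixed);
    printf("unfixed: err=%d port_stuck=%d warn=%d\n", u.first_connect_err, u.port_stuck, u.warned);
    printf("fixed:   err=%d port_stuck=%d warn=%d\n", f.first_connect_err, f.port_stuck, f.warned);
    return 0;
}
```

Running it shows the two observable effects of the bug: with the pre-fix logic the second socket cannot take a port the first one never actually connected on, and closing the first socket meets the same condition as the kernel's WARN_ON; with the rollback in place both go away while the caller still sees the same ENOMEM. The model leaves out the timewait (tw) socket handling the commit message mentions.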

Potential Impact

For European organizations, CVE-2024-26741 is an availability issue on Linux hosts, which dominate enterprise servers, cloud infrastructure, and network appliances. The failure path is narrow: it runs only when connect() on an unbound socket reaches the bhash2 bucket allocation and that small slab allocation fails, which in practice means real memory exhaustion or deliberate fault injection on a test kernel. A local process cannot choose that outcome reliably, and the path executes inside the caller's own connect(), so there is no remote trigger. When it does happen, the unconnected socket keeps its ehash entry and ephemeral port until it is closed, and close() then raises the WARN_ON in inet_csk_destroy_sock(). On hosts that set kernel.panic_on_warn (common in fuzzing setups and some hardened configurations) that warning becomes a panic, which is the one scenario in which this defect turns into a denial of service rather than a log line and a temporarily stuck port. The bug does not provide privilege escalation or code execution. The entities most exposed are those running Linux fleets close to memory exhaustion with high connection churn, such as telecom, hosting and financial workloads that open many short-lived connections, and any fleet that runs with panic_on_warn enabled.

Mitigation Recommendations

To mitigate CVE-2024-26741, European organizations should: 1) Apply the kernel update that carries the fix, tracking the distribution advisory for CVE-2024-26741 rather than the upstream commit alone, since stable backports reach distribution kernels on their own schedule. 2) Watch kernel logs (dmesg, journalctl -k) for "WARNING: ... at net/ipv4/inet_connection_sock.c" lines naming inet_csk_destroy_sock(), preceded by a connect() failure in the same process; in the syzkaller log that failure came from an injected slab allocation failure. Be aware that kernel.panic_on_warn=1 turns this warning into a panic, so check that setting on any host where availability matters more than catching warnings. 3) Keep memory headroom and per-host limits sane on systems with high connection churn, since the only trigger is a failed slab allocation during connect(). 4) Where DCCP is not needed, blacklist the dccp module; this removes the dccp_close() path shown in the trace but not the TCP path, so it reduces surface rather than fixing the bug. 5) For critical infrastructure, use kernel live patching to apply the fix without waiting for a reboot window. 6) Treat this as a pattern: fault-injection fuzzing (failslab) of the network stack is what finds missing-rollback bugs of this kind, and the same technique applies to in-house kernel modules and out-of-tree drivers.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-02-19T14:20:24.167Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d982ac4522896dcbe39ee

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 5:57:51 PM

Last updated: 8/15/2025, 6:10:56 PM

Views: 19

