CVE-2024-26782: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix double-free on socket dismantle

When the MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat:

BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0
Free of addr ffff888485950880 by task swapper/25/0

CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609
Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013
Call Trace:
<IRQ>
dump_stack_lvl+0x32/0x50
print_report+0xca/0x620
kasan_report_invalid_free+0x64/0x90
__kasan_slab_free+0x1aa/0x1f0
kfree+0xed/0x2e0
inet_sock_destruct+0x54f/0x8b0
__sk_destruct+0x48/0x5b0
rcu_do_batch+0x34e/0xd90
rcu_core+0x559/0xac0
__do_softirq+0x183/0x5a4
irq_exit_rcu+0x12d/0x170
sysvec_apic_timer_interrupt+0x6b/0x80
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:cpuidle_enter_state+0x175/0x300
Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b
RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000
RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588
RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080
R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0
R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80
cpuidle_enter+0x4a/0xa0
do_idle+0x310/0x410
cpu_startup_entry+0x51/0x60
start_secondary+0x211/0x270
secondary_startup_64_no_verify+0x184/0x18b
</TASK>

Allocated by task 6853:
kasan_save_stack+0x1c/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0xa6/0xb0
__kmalloc+0x1eb/0x450
cipso_v4_sock_setattr+0x96/0x360
netlbl_sock_setattr+0x132/0x1f0
selinux_netlbl_socket_post_create+0x6c/0x110
selinux_socket_post_create+0x37b/0x7f0
security_socket_post_create+0x63/0xb0
__sock_create+0x305/0x450
__sys_socket_create.part.23+0xbd/0x130
__sys_socket+0x37/0xb0
__x64_sys_socket+0x6f/0xb0
do_syscall_64+0x83/0x160
entry_SYSCALL_64_after_hwframe+0x6e/0x76

Freed by task 6858:
kasan_save_stack+0x1c/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x12c/0x1f0
kfree+0xed/0x2e0
inet_sock_destruct+0x54f/0x8b0
__sk_destruct+0x48/0x5b0
subflow_ulp_release+0x1f0/0x250
tcp_cleanup_ulp+0x6e/0x110
tcp_v4_destroy_sock+0x5a/0x3a0
inet_csk_destroy_sock+0x135/0x390
tcp_fin+0x416/0x5c0
tcp_data_queue+0x1bc8/0x4310
tcp_rcv_state_process+0x15a3/0x47b0
tcp_v4_do_rcv+0x2c1/0x990
tcp_v4_rcv+0x41fb/0x5ed0
ip_protocol_deliver_rcu+0x6d/0x9f0
ip_local_deliver_finish+0x278/0x360
ip_local_deliver+0x182/0x2c0
ip_rcv+0xb5/0x1c0
__netif_receive_skb_one_core+0x16e/0x1b0
process_backlog+0x1e3/0x650
__napi_poll+0xa6/0x500
net_rx_action+0x740/0xbb0
__do_softirq+0x183/0x5a4

The buggy address belongs to the object at ffff888485950880
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff888485950880, ffff8884859508c0)

The buggy address belongs to the physical page:
page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950
flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006
raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888485950780: fa fb fb
---truncated---
AI Analysis
Technical Summary
CVE-2024-26782 is a vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in the dismantling of sockets. When an MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to the 'inet_opt' structure in the new socket is not duplicated; it refers to the same memory as the original socket's. During socket teardown both sockets therefore free the same region, a double-free. The defect manifests as kernel memory corruption, which the Kernel Address Sanitizer (KASAN) reports as a double-free in inet_sock_destruct. The trace in the description shows the buffer being allocated by cipso_v4_sock_setattr through the SELinux NetLabel hook at socket creation, first freed via subflow_ulp_release when the accepted subflow is torn down on a TCP FIN, and freed a second time from inet_sock_destruct, in an RCU callback, when the other socket sharing the pointer is destroyed at program exit. The CVE record identifies the affected kernel versions by reference to the commit hash cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be, that is, by code state rather than by release number. The flaw can cause kernel crashes (BUG splats) and hence denial of service (DoS). Although no exploits are currently reported in the wild, the vulnerability is critical because it involves kernel memory corruption, which could potentially be leveraged for privilege escalation or arbitrary code execution if combined with other vulnerabilities or attack vectors. The issue requires no user interaction, but it does require the system to be running an MPTCP server that accepts connections (and so clones its listener socket), which is common in modern Linux kernels used in servers and network appliances. The vulnerability was publicly disclosed on April 4, 2024, and no CVSS score has been assigned yet.
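A userland model of the bug class described above, added here as an example (it is not kernel code and not part of the advisory): a listener socket owning a heap-allocated option blob, standing in for 'inet_opt', is cloned on accept. The shallow copy leaves both sockets pointing at one blob, so both destructors free it; the deep copy gives the child its own. The names ip_opts_model, sock_model, tracked_free and simulate are this example's own, and the free tracker stands in for KASAN's detection.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the kernel objects; the option blob plays the role of inet_opt. */
struct ip_opts_model { size_t optlen; unsigned char data[40]; };
struct sock_model { int is_listener; struct ip_opts_model *opt; };

/* Free tracker: a repeated release of one address is counted (as KASAN would report it) rather than passed to free() again. */
#define MAX_FREED 16
static void *freed[MAX_FREED];
static int nfreed, double_frees;
static void tracked_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }   /* already released */
    if (nfreed < MAX_FREED)
        freed[nfreed++] = p;
    free(p);
}

/* Model of inet_sock_destruct(): each socket releases the options it thinks it owns. */
static void sock_destruct(struct sock_model *sk) { tracked_free(sk->opt); sk->opt = NULL; }

/* Buggy accept path: the struct copy leaves listener and child pointing at one blob. */
static struct sock_model clone_shallow(const struct sock_model *parent)
{
    struct sock_model child = *parent;
    child.is_listener = 0;
    return child;
}

/* Fixed accept path: the child gets its own copy (or none if malloc fails), so each socket frees only what it owns. */
static struct sock_model clone_deep(const struct sock_model *parent)
{
    struct sock_model child = clone_shallow(parent);
    if (parent->opt && (child.opt = malloc(sizeof *child.opt)))
        memcpy(child.opt, parent->opt, sizeof *child.opt);
    return child;
}

/* Accept one connection, tear the child down (peer closes), then destroy the listener (program exit).
 * Returns the double frees observed: 1 with the buggy clone, 0 with the fix, -1 on allocation failure. */
static int simulate(int use_deep_clone)
{
    struct sock_model listener = { 1, calloc(1, sizeof(struct ip_opts_model)) }; /* options set at creation */
    struct sock_model child = use_deep_clone ? clone_deep(&listener) : clone_shallow(&listener);
    nfreed = double_frees = 0;
    if (!listener.opt)
        return -1;
    sock_destruct(&child);
    sock_destruct(&listener);
    return double_frees;
}
```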
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers and network infrastructure running Linux kernels with MPTCP enabled. Many European enterprises, cloud providers, and telecom operators rely on Linux-based systems for critical services, including web hosting, telecommunications, and cloud infrastructure. Exploitation could lead to kernel crashes causing service outages, impacting availability of critical services. In worst-case scenarios, attackers might chain this vulnerability with others to gain elevated privileges or execute arbitrary code at the kernel level, compromising confidentiality and integrity of sensitive data. Given the widespread use of Linux in European data centers and telecom networks, the vulnerability could disrupt business operations, especially in sectors like finance, healthcare, and government where uptime and data integrity are paramount. Additionally, the vulnerability could be exploited in multi-tenant cloud environments, affecting multiple customers. The lack of known exploits currently reduces immediate risk, but the potential for future exploitation necessitates prompt mitigation.
Mitigation Recommendations
European organizations should immediately assess their Linux kernel versions and configurations to determine exposure to this vulnerability. Specific mitigation steps include:
1) Applying the official Linux kernel patches that fix the double-free in the MPTCP socket handling code as soon as they are available from trusted sources or vendor distributions.
2) Temporarily disabling MPTCP on affected systems if patching is not immediately feasible, especially on servers exposed to untrusted networks.
3) Implementing strict network segmentation and firewall rules so that MPTCP-enabled services are reachable only from trusted clients.
4) Monitoring kernel logs and system behavior for crashes or anomalies related to socket handling.
5) Running kernel memory-debugging instrumentation such as the Kernel Address Sanitizer (KASAN) in test environments to detect similar memory corruption issues proactively.
6) Coordinating with Linux distribution vendors for timely updates and advisories.
7) For cloud providers, isolating workloads and applying micro-segmentation to reduce the blast radius in case of exploitation.
These measures go beyond generic advice by focusing on MPTCP-specific configurations and kernel patch management.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.177Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3b8a
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 6:40:32 PM
Last updated: 8/17/2025, 7:25:45 AM