
CVE-2024-26864: Vulnerability in Linux (Linux kernel)

Medium
Published: Wed Apr 17 2024 (04/17/2024, 10:27:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: Fix refcnt handling in __inet_hash_connect().

syzbot reported a warning in sk_nulls_del_node_init_rcu().

The commit 66b60b0c8c4a ("dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().") tried to fix an issue that an unconnected socket occupies an ehash entry when bhash2 allocation fails.

In such a case, we need to revert changes done by check_established(), which does not hold refcnt when inserting socket into ehash.

So, to revert the change, we need to __sk_nulls_add_node_rcu() instead of sk_nulls_add_node_rcu(). Otherwise, sock_put() will cause refcnt underflow and leak the socket.

[0]:
WARNING: CPU: 0 PID: 23948 at include/net/sock.h:799 sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799
Modules linked in:
CPU: 0 PID: 23948 Comm: syz-executor.2 Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799
Code: e8 7f 71 c6 f7 83 fb 02 7c 25 e8 35 6d c6 f7 4d 85 f6 0f 95 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 1b 6d c6 f7 90 <0f> 0b 90 eb b2 e8 10 6d c6 f7 4c 89 e7 be 04 00 00 00 e8 63 e7 d2
RSP: 0018:ffffc900032d7848 EFLAGS: 00010246
RAX: ffffffff89cd0035 RBX: 0000000000000001 RCX: 0000000000040000
RDX: ffffc90004de1000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: 1ffff1100439ac26 R08: ffffffff89ccffe3 R09: 1ffff1100439ac28
R10: dffffc0000000000 R11: ffffed100439ac29 R12: ffff888021cd6140
R13: dffffc0000000000 R14: ffff88802a9bf5c0 R15: ffff888021cd6130
FS: 00007f3b823f16c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3b823f0ff8 CR3: 000000004674a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __inet_hash_connect+0x140f/0x20b0 net/ipv4/inet_hashtables.c:1139
 dccp_v6_connect+0xcb9/0x1480 net/dccp/ipv6.c:956
 __inet_stream_connect+0x262/0xf30 net/ipv4/af_inet.c:678
 inet_stream_connect+0x65/0xa0 net/ipv4/af_inet.c:749
 __sys_connect_file net/socket.c:2048 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2072
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f3b8167dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3b823f10c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f3b817abf80 RCX: 00007f3b8167dda9
RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00007f3b823f1120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000000000b R14: 00007f3b817abf80 R15: 00007ffd3beb57b8
 </TASK>

AI-Powered Analysis

Last updated: 06/29/2025, 19:39:47 UTC

Technical Analysis

CVE-2024-26864 is a medium-severity vulnerability in the Linux kernel caused by incorrect reference count (refcnt) handling in the TCP/IP stack, specifically in the __inet_hash_connect() function. The issue stems from an earlier fix, commit 66b60b0c8c4a, which addressed a problem where an unconnected socket could remain in an ehash entry when the secondary bind-hash (bhash2) allocation fails. That fix changed how the socket is inserted into the ehash but did not account for the socket's reference count, so the cleanup path drops a reference that was never taken, producing a refcnt underflow. The underflow leaks the socket and can leave kernel state inconsistent or expose kernel memory.

The bug was found by syzbot, the kernel fuzzing service, which reported a WARNING in sk_nulls_del_node_init_rcu(), indicating that a socket node was removed from the hash with an inconsistent reference count. The root cause is that check_established() inserts the socket into the ehash without holding a reference, so the revert path must match that by using __sk_nulls_add_node_rcu() rather than sk_nulls_add_node_rcu(); otherwise the subsequent sock_put() underflows the count.

Exploitation requires no privileges or user interaction, but attack complexity is high: the attacker has to drive a socket into a specific connect-time state and also hit an allocation failure. The impact is primarily on confidentiality, since mishandled reference counts can lead to disclosure of kernel memory. Affected kernel versions are identified by commit hashes in the CVE record and include the 6.8.0-rc6 release candidate on which the report was produced. No exploits in the wild are currently known. The CVSS v3.1 score is 5.9 (medium), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact.

Potential Impact

For European organizations, the impact of CVE-2024-26864 could be significant in environments running Linux-based systems, especially servers and network infrastructure that handle TCP/IP connections extensively. Confidentiality breaches could occur if attackers exploit the refcnt underflow to leak sensitive kernel memory, potentially exposing cryptographic keys, credentials, or other sensitive data. This risk is heightened in the multi-tenant cloud environments and virtualized infrastructures common in Europe, where kernel vulnerabilities can be leveraged to escape container or VM isolation. Although the vulnerability does not directly affect integrity or availability, information leakage could enable further attacks or lead to compliance violations under GDPR and other data protection regulations. The medium severity and high attack complexity mean exploitation is not trivial but is feasible for skilled attackers targeting critical infrastructure. Organizations running affected kernel versions should treat the vulnerability as a moderate risk, particularly in sectors such as finance, telecommunications, government, and cloud service provision, all of which are prominent in Europe.

Mitigation Recommendations

1. Immediate patching: Apply the official Linux kernel patches that fix the refcnt handling in __inet_hash_connect() as soon as they are available from trusted Linux distributions or upstream sources.
2. Kernel version management: Maintain an inventory of Linux kernel versions deployed and prioritize upgrades for systems running affected versions, especially those in critical network roles.
3. Harden network exposure: Limit exposure of vulnerable systems to untrusted networks by implementing strict firewall rules and network segmentation to reduce the attack surface.
4. Monitor kernel logs: Enable detailed kernel logging and monitor for warnings or errors related to sk_nulls_del_node_init_rcu() or socket reference counting anomalies that may indicate exploitation attempts.
5. Use kernel security modules: Employ security modules such as SELinux or AppArmor with strict policies to limit the impact of kernel-level vulnerabilities.
6. Employ runtime integrity checks: Use tools that monitor kernel memory integrity and socket states to detect abnormal behavior potentially caused by exploitation.
7. Coordinate with cloud providers: For organizations using cloud infrastructure, verify that providers have applied relevant kernel patches and maintain secure kernel versions.
8. Incident response readiness: Prepare incident response plans that include kernel vulnerability exploitation scenarios and ensure teams are trained to recognize and respond to such threats.
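Recommendation 4 asks for monitoring of kernel warnings tied to sk_nulls_del_node_init_rcu(). The following Python script is an added example, not part of this advisory or of the kernel project: it groups dmesg/journal lines into one record per kernel WARNING, keeps only those raised in sk_nulls_del_node_init_rcu(), and records the task name, running kernel version and call trace so an analyst can tell whether the warning arrived via __inet_hash_connect(), as in the report quoted above. The sample log is constructed: its WARNING block is taken from the report in the description, while the timestamps, the USB line and the second, unrelated WARNING (with a placeholder source path) are made up to give the parser something to ignore.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Symbol named in the WARNING line of the report quoted in the CVE description.
# The include/net/sock.h line number changes between kernel versions, so the
# detector keys on the function name rather than on the line number.
TARGET_FUNC = "sk_nulls_del_node_init_rcu"
# Caller that appears in the reported call trace.
TARGET_CALLER = "__inet_hash_connect"

TS_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<loc>\S+) "
    r"(?P<func>[A-Za-z_][A-Za-z0-9_.]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# The "CPU: n PID: n Comm: ..." line that follows a WARNING carries the task
# name and the running kernel version (which ends with " #<build number>").
TASK_RE = re.compile(
    r"CPU: \d+ PID: \d+ Comm: (?P<comm>\S+) .*?(?P<kver>\d+\.\d+\.\d+\S*) #\d+"
)
FRAME_RE = re.compile(r"^(?P<func>[A-Za-z_][A-Za-z0-9_.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class KernelWarning:
    cpu: int
    pid: int
    func: str
    location: str
    comm: Optional[str] = None
    kernel: Optional[str] = None
    trace: List[str] = field(default_factory=list)

    @property
    def via_inet_hash_connect(self) -> bool:
        """True when the warning was reached through __inet_hash_connect()."""
        return TARGET_CALLER in self.trace


def parse_kernel_warnings(log_text: str) -> List[KernelWarning]:
    """Group dmesg/journal lines into one record per 'WARNING: ... at ...' event."""
    warnings: List[KernelWarning] = []
    current: Optional[KernelWarning] = None
    in_trace = False
    for raw in log_text.splitlines():
        line = TS_PREFIX.sub("", raw).strip()
        m = WARN_RE.search(line)
        if m:
            current = KernelWarning(int(m["cpu"]), int(m["pid"]), m["func"], m["loc"])
            warnings.append(current)
            in_trace = False
            continue
        if current is None:
            continue  # noise before the first WARNING
        m = TASK_RE.search(line)
        if m:
            current.comm, current.kernel = m["comm"], m["kver"]
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace:
            f = FRAME_RE.match(line)
            if f:
                current.trace.append(f["func"])
    return warnings


def find_refcnt_warnings(log_text: str) -> List[KernelWarning]:
    """Keep only warnings raised inside sk_nulls_del_node_init_rcu()."""
    return [w for w in parse_kernel_warnings(log_text) if w.func == TARGET_FUNC]


# Constructed sample log: the first WARNING block is the report quoted in the
# CVE description; timestamps, the USB line and the second WARNING (with a
# placeholder path) are invented so the parser has unrelated lines to skip.
SAMPLE_DMESG = """\
[  120.114219] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  340.551002] ------------[ cut here ]------------
[  340.551010] WARNING: CPU: 0 PID: 23948 at include/net/sock.h:799 sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799
[  340.551020] Modules linked in:
[  340.551031] CPU: 0 PID: 23948 Comm: syz-executor.2 Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0
[  340.551040] RIP: 0010:sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799
[  340.551044] Call Trace:
[  340.551046]  <TASK>
[  340.551050]  __inet_hash_connect+0x140f/0x20b0 net/ipv4/inet_hashtables.c:1139
[  340.551060]  dccp_v6_connect+0xcb9/0x1480 net/dccp/ipv6.c:956
[  340.551065]  __inet_stream_connect+0x262/0xf30 net/ipv4/af_inet.c:678
[  340.551070]  </TASK>
[  512.000100] WARNING: CPU: 3 PID: 777 at drivers/example/example.c:42 example_probe+0x1a/0x40
[  512.000110] CPU: 3 PID: 777 Comm: modprobe Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0
"""

if __name__ == "__main__":
    for w in find_refcnt_warnings(SAMPLE_DMESG):
        print(f"CVE-2024-26864 signature: pid={w.pid} comm={w.comm} kernel={w.kernel} "
              f"at {w.location}; via __inet_hash_connect: {w.via_inet_hash_connect}")
```

Feed it `dmesg` or `journalctl -k` output instead of the sample to run it on a live host. A hit identifies the task that triggered the warning and the kernel build, which is what an incident responder needs to decide whether the host runs an unpatched kernel and which workload drove the socket into the failing path; it is a signal of the bug having been reached, not proof of exploitation, so pair it with the patch status from recommendation 2.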


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.184Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe3de4

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 7:39:47 PM

Last updated: 7/26/2025, 10:49:44 PM

