
CVE-2024-26865: Vulnerability in the Linux kernel

Severity: High
Published: Wed Apr 17 2024 (04/17/2024, 10:27:27 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: rds: tcp: Fix use-after-free of net in reqsk_timer_handler().

syzkaller reported a warning of netns tracker [0] followed by KASAN splat [1] and another ref tracker warning [1]. syzkaller could not find a repro, but in the log, the only suspicious sequence was as follows:

  18:26:22 executing program 1:
  r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
  ...
  connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)

The notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.

So, the scenario would be:

1. unshare(CLONE_NEWNET) creates a per netns tcp listener in rds_tcp_listen_init().
2. syz-executor connect()s to it and creates a reqsk.
3. syz-executor exit()s immediately.
4. netns is dismantled. [0]
5. reqsk timer is fired, and UAF happens while freeing reqsk. [1]
6. listener is freed after RCU grace period. [2]

Basically, reqsk assumes that the listener guarantees netns safety until all reqsk timers are expired by holding the listener's refcount. However, this was not the case for kernel sockets.

Commit 740ea3c4a0b2 ("tcp: Clean up kernel listener's reqsk in inet_twsk_purge()") fixed this issue only for per-netns ehash. Let's apply the same fix for the global ehash.

[0]:
  ref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at
    sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)
    inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)
    __sock_create (net/socket.c:1572)
    rds_tcp_listen_init (net/rds/tcp_listen.c:279)
    rds_tcp_init_net (net/rds/tcp.c:577)
    ops_init (net/core/net_namespace.c:137)
    setup_net (net/core/net_namespace.c:340)
    copy_net_ns (net/core/net_namespace.c:497)
    create_new_namespaces (kernel/nsproxy.c:110)
    unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))
    ksys_unshare (kernel/fork.c:3429)
    __x64_sys_unshare (kernel/fork.c:3496)
    do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
  ...
  WARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)

[1]:
  BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)
  Read of size 8 at addr ffff88801b370400 by task swapper/0/0
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  Call Trace:
   <IRQ>
   dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
   print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
   kasan_report (mm/kasan/report.c:603)
   inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)
   reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)
   call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
   __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)
   run_timer_softirq (kernel/time/timer.c:2053)
   __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
   irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)
   sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))
   </IRQ>

  Allocated by task 258 on cpu 0 at 83.612050s:
   kasan_save_stack (mm/kasan/common.c:48)
   kasan_save_track (mm/kasan/common.c:68)
   __kasan_slab_alloc (mm/kasan/common.c:343)
   kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)
   copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)
   create_new_namespaces (kernel/nsproxy.c:110)
   unshare_nsproxy_name ---truncated---

AI-Powered Analysis

Last updated: 06/29/2025, 19:39:59 UTC

Technical Analysis

CVE-2024-26865 is a use-after-free (UAF) in the Linux kernel's networking stack, reached through the Reliable Datagram Sockets (RDS) TCP transport: reqsk_timer_handler() dereferences a network namespace (netns) that has already been freed. The flaw lies in the lifetime assumptions made for request sockets (reqsk) created by kernel-internal TCP listeners. It was found by the syzkaller fuzzer, which reported a netns ref_tracker warning followed by a Kernel Address Sanitizer (KASAN) slab-use-after-free report.

Root cause: a reqsk assumes that its listener keeps the netns alive until every reqsk timer has expired, because the reqsk holds a reference on the listener. That assumption does not hold for kernel sockets such as the per-netns RDS TCP listener, so a reqsk timer can fire after the netns has been dismantled and read freed memory while dropping the reqsk. The triggering sequence is: a new network namespace is created with unshare(CLONE_NEWNET), which starts a per-netns TCP listener; a connection is made to that listener and the connecting process exits immediately, leaving a pending reqsk; the netns is dismantled; the reqsk timer then fires and references the freed netns, producing the UAF.

An earlier commit had addressed this only for per-netns ehash tables, leaving the global ehash unfixed. The fix applies the same reqsk cleanup to the global ehash so that no reqsk timer outlives the netns it references. The vulnerability affects Linux kernel versions containing the affected commits and was publicly disclosed on April 17, 2024. No exploits are known in the wild at this time. Because the UAF sits in a core networking path, exploitation could crash the kernel or, in principle, lead to arbitrary code execution in kernel context.

Potential Impact

For European organizations, the impact of CVE-2024-26865 can be significant, especially for those relying heavily on Linux-based infrastructure, including servers, cloud environments, and network appliances. The vulnerability affects the Linux kernel's networking stack, which is foundational to most enterprise and cloud deployments. Exploitation could lead to denial of service (DoS) via kernel crashes or potentially privilege escalation and arbitrary code execution, compromising system confidentiality, integrity, and availability. This is particularly critical for data centers, telecom providers, and enterprises running containerized or virtualized workloads that utilize network namespaces extensively. The vulnerability's exploitation does not require user interaction but does require the ability to create or manipulate network namespaces and TCP connections, which may be possible in multi-tenant environments or through compromised user accounts. The absence of known exploits reduces immediate risk, but the complexity and severity warrant prompt mitigation. Disruption of critical services or breaches resulting from this vulnerability could have regulatory and reputational consequences under European data protection laws such as GDPR.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address CVE-2024-26865 as soon as they become available from trusted sources or Linux distribution vendors.
2. For environments where immediate patching is not feasible, restrict unprivileged users from creating or manipulating network namespaces and TCP listeners on port RDS_TCP_PORT (0x4001) to reduce attack surface.
3. Monitor kernel logs for unusual KASAN or ref_tracker warnings indicative of potential exploitation attempts.
4. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory corruption issues proactively.
5. Limit access to systems running vulnerable kernel versions, especially in multi-tenant or shared hosting environments, to trusted personnel only.
6. Use security modules like SELinux or AppArmor to enforce strict policies on network namespace and socket operations.
7. Regularly update and audit Linux kernel versions and configurations to ensure timely application of security patches and to detect unauthorized changes.
8. Consider network segmentation and isolation strategies to contain potential exploitation impact within limited network zones.
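Item 3 above asks operators to watch kernel logs for ref_tracker and KASAN warnings. The following script is an added example written for this page, not code from the Linux kernel or from the CVE record: it scans dmesg-style lines for the signature the description quotes (a netns ref_tracker complaint followed by a slab-use-after-free whose call trace passes through reqsk_timer_handler) and distinguishes that sequence from unrelated KASAN reports. The SAMPLE_LOG lines are constructed from the trace excerpts in the description, with made-up timestamps; the regular expressions, function names and Finding type are this example's own assumptions about the log format, and a production collector would feed real dmesg or journal output into scan_kernel_log().

```python
"""Detect the ref_tracker / KASAN sequence described for CVE-2024-26865 in kernel logs.

Added example for this page (not kernel or CVE-record code). The sample lines are
constructed from the trace excerpts in the CVE description; timestamps are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Optional dmesg "[   83.612050] " prefix, stripped before matching.
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# "BUG: KASAN: <bug class> in <function> (...)" header of a KASAN report.
KASAN_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
# ref_tracker complaint: an object still has users when its tracker dir exits.
REFTRACKER_RE = re.compile(r"ref_tracker: (?P<obj>\w+) notrefcnt@[0-9a-f]+ has (?P<n>\d+)/(?P<m>\d+) users")
# Generic WARNING line naming the source location and function.
WARNING_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at (?P<loc>\S+) (?P<func>\w+)")
# A call-trace frame: function name followed by a "(file:line ...)" tuple.
FRAME_RE = re.compile(r"^\s*(?P<func>[\w.]+) \(")

# Frames quoted in the KASAN splat of the CVE description (the reqsk timer path).
REQSK_TIMER_FRAMES = {"reqsk_timer_handler", "inet_csk_reqsk_queue_drop"}


@dataclass
class Finding:
    kind: str                      # "kasan", "ref_tracker" or "warning"
    detail: str                    # human-readable summary of the matched line
    line_no: int                   # 1-based index into the scanned input
    frames: List[str] = field(default_factory=list)  # call-trace frames (KASAN only)


def scan_kernel_log(lines: Iterable[str]) -> List[Finding]:
    """Walk the log in order, attaching call-trace frames to the preceding KASAN header."""
    findings: List[Finding] = []
    current_kasan: Optional[Finding] = None
    for no, raw in enumerate(lines, 1):
        line = TS_RE.sub("", raw)
        m = KASAN_RE.search(line)
        if m:
            current_kasan = Finding("kasan", f"{m['kind']} in {m['func']}", no)
            findings.append(current_kasan)
            continue
        m = REFTRACKER_RE.search(line)
        if m:
            findings.append(Finding("ref_tracker", f"{m['obj']} has {m['n']}/{m['m']} users at dismantle", no))
            current_kasan = None          # a new event ends the previous report's trace
            continue
        m = WARNING_RE.search(line)
        if m:
            findings.append(Finding("warning", f"{m['func']} at {m['loc']}", no))
            current_kasan = None
            continue
        if current_kasan is not None:
            m = FRAME_RE.match(line)      # "Call Trace:" and "<IRQ>" markers do not match
            if m:
                current_kasan.frames.append(m["func"])
    return findings


def matches_reqsk_netns_uaf(findings: List[Finding]) -> bool:
    """True when a netns ref_tracker complaint precedes a slab-use-after-free whose
    trace runs through the reqsk timer path: the ordering in the CVE description."""
    saw_net_leak = False
    for f in findings:
        if f.kind == "ref_tracker" and f.detail.startswith("net "):
            saw_net_leak = True
        elif f.kind == "kasan" and saw_net_leak:
            if "slab-use-after-free" in f.detail and REQSK_TIMER_FRAMES & set(f.frames):
                return True
    return False


# Constructed sample, modelled on the excerpts in the CVE description (not a live capture).
SAMPLE_LOG = [
    "[   83.612050] ref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at",
    "[   83.612051]      sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)",
    "[   83.612052]      rds_tcp_listen_init (net/rds/tcp_listen.c:279)",
    "[   83.612100] WARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)",
    "[   84.100000] BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180)",
    "[   84.100001] Read of size 8 at addr ffff88801b370400 by task swapper/0/0",
    "[   84.100002] Call Trace:",
    "[   84.100003]  <IRQ>",
    "[   84.100004]  dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))",
    "[   84.100005]  kasan_report (mm/kasan/report.c:603)",
    "[   84.100006]  inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180)",
    "[   84.100007]  reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979)",
    "[   84.100008]  call_timer_fn (kernel/time/timer.c:1701)",
    "[   84.100009]  </IRQ>",
    "[   90.000000] usb 1-1: new high-speed USB device number 2",   # unrelated noise
]

if __name__ == "__main__":
    found = scan_kernel_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind}: {f.detail}" + (f" frames={f.frames}" if f.frames else ""))
    print("CVE-2024-26865 pattern:", matches_reqsk_netns_uaf(found))
```

The correlation deliberately requires the ref_tracker "net" complaint before the KASAN report: a KASAN use-after-free in some other subsystem, or a reqsk-timer trace with no preceding netns leak, is reported as a finding but not flagged as this pattern, which keeps the alert specific enough to act on.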


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.184Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe3de8

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 7:39:59 PM

Last updated: 7/28/2025, 3:59:23 AM

