
CVE-2024-26951: Vulnerability in Linux kernel

High
Published: Wed May 01 2024 (05/01/2024, 05:18:34 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

wireguard: netlink: check for dangling peer via is_dead instead of empty list

If all peers are removed via wg_peer_remove_all(), rather than setting peer_list to empty, the peer is added to a temporary list with a head on the stack of wg_peer_remove_all(). If a netlink dump is resumed and the cursored peer is one that has been removed via wg_peer_remove_all(), it will iterate from that peer and then attempt to dump freed peers.

Fix this by instead checking peer->is_dead, which was explicitly created for this purpose. Also move up the device_update_lock lockdep assertion, since reading is_dead relies on that.

It can be reproduced by a small script like:

    echo "Setting config..."
    ip link add dev wg0 type wireguard
    wg setconf wg0 /big-config
    ( while true; do
        echo "Showing config..."
        wg showconf wg0 > /dev/null
    done ) &
    sleep 4
    wg setconf wg0 <(printf "[Peer]\nPublicKey=$(wg genkey)\n")

Resulting in:

    BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20
    Read of size 8 at addr ffff88811956ec70 by task wg/59
    CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5
    Call Trace:
     <TASK>
     dump_stack_lvl+0x47/0x70
     print_address_description.constprop.0+0x2c/0x380
     print_report+0xab/0x250
     kasan_report+0xba/0xf0
     __lock_acquire+0x182a/0x1b20
     lock_acquire+0x191/0x4b0
     down_read+0x80/0x440
     get_peer+0x140/0xcb0
     wg_get_device_dump+0x471/0x1130

AI-Powered Analysis

Last updated: 06/29/2025, 13:27:41 UTC

Technical Analysis

CVE-2024-26951 is a use-after-free in the WireGuard implementation in the Linux kernel, specifically in the generic-netlink code that userspace (the wg tool) uses to read and write interface configuration. A WG_CMD_GET_DEVICE dump that does not fit into a single netlink message keeps a cursor to the peer at which it stopped, so the next read can resume after that peer. Peer removal has two shapes. wg_peer_remove() unlinks one peer with list_del_init(), which leaves that peer's own list head empty. wg_peer_remove_all(), the path taken when a configuration replaces the whole peer set (as wg setconf does), instead moves every peer onto a temporary list whose head lives on the function's stack, and frees them from there. The resume check only tested whether the cursor peer's list head was empty. That is correct for the single-removal case but wrong for remove-all: the cursor peer, kept alive by the reference the dump holds, still appears linked, so the dump continues from it into peers that have already been freed, and the list head it eventually reaches belongs to a stack frame of wg_peer_remove_all() that has since returned. The fix tests peer->is_dead, the flag set on every removal path for exactly this purpose, and moves the lockdep assertion for device_update_lock ahead of the check, because reading is_dead is only valid while that lock is held. KASAN reports the defect as a slab-use-after-free read when the resumed dump acquires a read lock inside a freed peer structure; the call chain in the trace is wg_get_device_dump -> get_peer -> down_read. The reproducer in the description combines a configuration with enough peers for the dump to span several messages, a loop of wg showconf, and a wg setconf that replaces the peer set while a dump is in flight; it is a race, but one the script wins within seconds. Both the get and set netlink commands require CAP_NET_ADMIN in the network namespace that owns the interface, so the trigger is available to whoever administers the interface rather than to arbitrary local users. The entry carries no CVSS score and no report of in-the-wild exploitation. Affected are kernels carrying the WireGuard netlink code before the fix; WireGuard has been in mainline since 5.6, and the fix was taken into stable, so check your distribution's changelog for the exact fixed version rather than relying on the upstream version number alone.
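The cursor check described above, as an added user-space model that is not kernel code: the struct and function names (wg_peer, peer_list, is_dead, wg_peer_remove, wg_peer_remove_all, wg_get_device_dump) loosely mirror drivers/net/wireguard, while the list helpers, the reference counting and the "frees" are simplified stand-ins written for this example. The model runs the same resumed dump under the pre-fix list_empty() check and the post-fix is_dead check, after either a single removal or a remove-all; the temporary dead-peer list is a global so the program can show what the kernel walks into without itself invoking undefined behaviour.

```c
/* Added example, not kernel code: a user-space model of the dump-cursor check
 * corrected by CVE-2024-26951. Names loosely mirror drivers/net/wireguard; the
 * list helpers, reference counting and frees are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del_init(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n); }
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct wg_peer {
    struct list_head peer_list;  /* link in wg_device.peer_list */
    bool is_dead;                /* set on every removal path */
    bool freed;                  /* model only: memory would be kfree'd */
    int id;
};
struct wg_device { struct list_head peer_list; };
/* Dump cursor: the kernel holds a reference on it, so it outlives removal. */
struct dump_ctx { struct wg_peer *next_peer; };

#define NPEERS 4
static struct wg_peer pool[NPEERS];
/* Stand-in for the stack-local list in wg_peer_remove_all() (global to avoid UB). */
static struct list_head dead_peers;

static void setup_device(struct wg_device *wg)
{
    INIT_LIST_HEAD(&wg->peer_list);
    INIT_LIST_HEAD(&dead_peers);
    for (int i = 0; i < NPEERS; i++) {
        pool[i] = (struct wg_peer){ .id = i };
        list_add_tail(&pool[i].peer_list, &wg->peer_list);
    }
}

/* Single removal: list_del_init() leaves the peer's own list_head empty. */
static void wg_peer_remove(struct wg_peer *peer)
{ list_del_init(&peer->peer_list); peer->is_dead = true; }

/* Remove-all parks peers on a temporary list before freeing them, so a removed
 * peer's list_head is NOT empty. Only the cursor peer survives the frees. */
static void wg_peer_remove_all(struct wg_device *wg, const struct wg_peer *cursor)
{
    struct list_head *pos, *n;
    for (pos = wg->peer_list.next; pos != &wg->peer_list; pos = n) {
        struct wg_peer *peer = container_of(pos, struct wg_peer, peer_list);
        n = pos->next;
        list_del_init(&peer->peer_list);
        peer->is_dead = true;
        list_add_tail(&peer->peer_list, &dead_peers);
    }
    for (pos = dead_peers.next; pos != &dead_peers; pos = pos->next) {
        struct wg_peer *peer = container_of(pos, struct wg_peer, peer_list);
        if (peer != cursor) peer->freed = true;
    }
}

/* Resumed dump: -1 when it ends cleanly, else the id of the first freed peer it
 * would dereference (where KASAN reports the UAF). The walk is capped because a
 * cursor sitting on the dead list never reaches &wg->peer_list. */
static int wg_get_device_dump(struct wg_device *wg, struct dump_ctx *ctx, bool use_is_dead)
{
    struct wg_peer *peer = ctx->next_peer;
    bool cursor_gone = use_is_dead ? peer->is_dead : list_empty(&peer->peer_list);
    if (cursor_gone) return -1;   /* treated as "no more peers left" */
    int steps = 0;                /* list_for_each_entry_continue(peer, ...) */
    for (struct list_head *pos = peer->peer_list.next;
         pos != &wg->peer_list && steps <= NPEERS; pos = pos->next, steps++) {
        if (pos == &dead_peers) continue;   /* kernel: read of a returned stack frame */
        peer = container_of(pos, struct wg_peer, peer_list);
        if (peer->freed) return peer->id;
    }
    return -1;
}

/* The dump pauses at peer 1, the configuration changes, then the dump resumes. */
static int run_scenario(bool remove_all, bool use_is_dead)
{
    struct wg_device wg;
    struct dump_ctx ctx = { .next_peer = &pool[1] };
    setup_device(&wg);
    if (remove_all) wg_peer_remove_all(&wg, ctx.next_peer);  /* wg setconf path */
    else wg_peer_remove(ctx.next_peer);                      /* wg set ... remove */
    return wg_get_device_dump(&wg, &ctx, use_is_dead);
}

int main(void)
{
    printf("single remove, list_empty check: %d\n", run_scenario(false, false));
    printf("remove_all,    list_empty check: %d\n", run_scenario(true, false));
    printf("remove_all,    is_dead check:    %d\n", run_scenario(true, true));
    return 0;
}
```

Under the old check the remove-all scenario returns 2: the cursor still looks linked, so the dump steps from peer 1 to peer 2, which has been freed. The single-removal scenario returns -1 under both checks, which is why the list_empty() test looked sufficient until wg_peer_remove_all() stopped leaving the list head empty.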

Potential Impact

For European organizations, the practical exposure is on Linux hosts that terminate WireGuard tunnels: VPN concentrators, cloud and telecom gateways, and bastion hosts used for remote access and site-to-site links. The outcome the evidence on this page supports is a kernel crash. A resumed dump walks into freed peer memory, which on a production kernel (built without KASAN) surfaces as an oops or general protection fault that can take down the whole host, not just the VPN interface. Turning that read of freed memory into privilege escalation would require a separate heap-grooming exploit; none is known, and the entry carries neither a score nor reports of in-the-wild exploitation, so treat this primarily as a denial-of-service risk to gateway availability. The trigger is a race between a peer dump and a configuration that replaces all peers, and both operations require CAP_NET_ADMIN over the interface's network namespace. Two consequences follow. First, a gateway can hit the bug without any attacker: a monitoring agent running wg show in a loop alongside a configuration reload that uses wg setconf (the command wg-quick up also uses) recreates the conditions in the description whenever the peer list is large enough for the dump to span more than one netlink message. Second, where unprivileged user namespaces are enabled and the wireguard module is loaded, a local user can create a network namespace in which they hold CAP_NET_ADMIN, add a WireGuard interface there and race it, so the crash is in principle reachable from an unprivileged shell on multi-tenant hosts. Because the affected component ships in every mainline kernel since 5.6, operators should treat patching as routine but time-bound maintenance and plan for the availability impact on services that depend on these tunnels.

Mitigation Recommendations

Update the kernel to a release that contains the fix (commit "wireguard: netlink: check for dangling peer via is_dead instead of empty list"); distribution kernels carry it as a stable backport, so check the vendor changelog for CVE-2024-26951 rather than comparing upstream version numbers. Where a reboot has to wait, reduce the chance of hitting the race on the gateway itself: serialize every wg invocation that touches an interface, for instance by wrapping both the reload and the status query in flock(1) on a per-interface lock file, and prefer incremental changes (wg set, wg addconf, wg syncconf), which add and remove peers individually, over wg setconf, which replaces the whole peer set and is the path that calls wg_peer_remove_all(). Review monitoring agents and configuration-management runs that poll wg show or wg showconf at high frequency, and stagger them away from reloads. Restrict who can reach the netlink interface: keep CAP_NET_ADMIN to the processes that need it, and on multi-tenant hosts that do not rely on unprivileged containers consider disabling unprivileged user namespaces (for example kernel.unprivileged_userns_clone=0 on Debian-family kernels, or the equivalent control your distribution provides) so unprivileged users cannot create a namespace in which they hold CAP_NET_ADMIN. For detection, note that production kernels do not run KASAN, so the signature shown in the description will not appear; watch dmesg and the journal for oops, BUG or general protection fault messages whose call trace includes wg_get_device_dump or get_peer, and treat a gateway that crashes during a configuration reload as a possible hit. Kernel hardening such as KASLR and lockdown does not prevent the crash, it only raises the cost of exploiting it further; SELinux or AppArmor policies that confine which processes may open generic netlink sockets are a useful complement. Finally, keep failover and backups in place for VPN gateways so that a crash-induced outage is a short one.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.198Z
CISA Enriched: true
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2f0a

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 1:27:41 PM

Last updated: 8/15/2025, 3:23:06 AM
