CVE-2024-27013: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: tun: limit printing rate when illegal packet received by tun dev vhost_worker will call tun call backs to receive packets. If too many illegal packets arrives, tun_do_read will keep dumping packet contents. When console is enabled, it will costs much more cpu time to dump packet and soft lockup will be detected. net_ratelimit mechanism can be used to limit the dumping rate. PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980" #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253 #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3 #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e #3 [fffffe00003fced0] do_nmi at ffffffff8922660d #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663 [exception RIP: io_serial_in+20] RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002 RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000 RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0 RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020 R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #5 [ffffa655314979e8] io_serial_in at ffffffff89792594 #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470 #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6 #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605 #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558 #10 [ffffa65531497ac8] console_unlock at ffffffff89316124 #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07 #12 [ffffa65531497b68] printk at ffffffff89318306 #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765 #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun] #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun] #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net] #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost] #18 [ffffa65531497f10] kthread at ffffffff892d2e72 #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f
AI Analysis
Technical Summary
CVE-2024-27013 is a vulnerability in the Linux kernel's TUN (network tunnel) device driver, specifically related to the handling of illegal packets received by the TUN device. The vulnerability arises because the vhost_worker thread, which handles virtualized network I/O, calls TUN callbacks to receive packets. When an excessive number of illegal packets are received, the function tun_do_read repeatedly dumps packet contents to the console. If the console is enabled, this excessive logging consumes significant CPU resources, potentially leading to a soft lockup—a state where the CPU is stuck in a loop and unable to perform other tasks. The root cause is the lack of rate limiting on the printing of illegal packet data. The fix involves applying the net_ratelimit mechanism to limit the rate at which packet contents are dumped, preventing CPU exhaustion. The stack trace provided shows the crash occurring in the io_serial_in function, triggered by excessive printk calls from tun_do_read. This vulnerability can be triggered remotely if an attacker can send crafted illegal packets to a vulnerable TUN device, especially in virtualized environments using vhost-net. No CVSS score is assigned yet, and no known exploits are reported in the wild. The affected versions correspond to specific Linux kernel commits identified by their hashes, indicating this is a recent kernel-level fix.
Potential Impact
For European organizations, the impact of CVE-2024-27013 can be significant, particularly for those relying on Linux-based virtualized infrastructure or VPN solutions that use TUN devices. The vulnerability can cause denial of service (DoS) conditions by exhausting CPU resources through excessive logging, leading to system instability or crashes. This can disrupt critical services, including cloud workloads, containerized applications, and network security appliances. Organizations with high-density virtualized environments or those using vhost-net for network acceleration are at higher risk. The vulnerability does not appear to allow privilege escalation or direct data compromise but can degrade availability and operational continuity. Given the widespread use of Linux in European data centers, telecom infrastructure, and enterprise environments, unpatched systems could face service interruptions. Additionally, the vulnerability could be exploited as part of a multi-stage attack to cause disruption or as a diversion while other attacks are conducted.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2024-27013. Specifically, they should update to kernel versions that implement net_ratelimit in tun_do_read to prevent excessive logging. For environments where immediate patching is not feasible, administrators can consider disabling console logging for TUN devices or limiting console output to reduce CPU load. Network administrators should monitor for unusual volumes of illegal packets targeting TUN devices and implement network-level filtering to block malformed or suspicious traffic. Virtualized environments using vhost-net should be closely monitored, and hypervisor security best practices applied. Additionally, organizations should audit their use of TUN devices and vhost-net to ensure minimal exposure and apply strict access controls. Logging and monitoring solutions should be tuned to detect signs of CPU exhaustion or soft lockups related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-27013: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: tun: limit printing rate when illegal packet received by tun dev vhost_worker will call tun call backs to receive packets. If too many illegal packets arrives, tun_do_read will keep dumping packet contents. When console is enabled, it will costs much more cpu time to dump packet and soft lockup will be detected. net_ratelimit mechanism can be used to limit the dumping rate. PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980" #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253 #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3 #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e #3 [fffffe00003fced0] do_nmi at ffffffff8922660d #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663 [exception RIP: io_serial_in+20] RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002 RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000 RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0 RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020 R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #5 [ffffa655314979e8] io_serial_in at ffffffff89792594 #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470 #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6 #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605 #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558 #10 [ffffa65531497ac8] console_unlock at ffffffff89316124 #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07 #12 [ffffa65531497b68] printk at ffffffff89318306 #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765 #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun] #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun] #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net] #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost] #18 [ffffa65531497f10] kthread at ffffffff892d2e72 #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f
AI-Powered Analysis
Technical Analysis
CVE-2024-27013 is a vulnerability in the Linux kernel's TUN (network tunnel) device driver, specifically related to the handling of illegal packets received by the TUN device. The vulnerability arises because the vhost_worker thread, which handles virtualized network I/O, calls TUN callbacks to receive packets. When an excessive number of illegal packets are received, the function tun_do_read repeatedly dumps packet contents to the console. If the console is enabled, this excessive logging consumes significant CPU resources, potentially leading to a soft lockup—a state where the CPU is stuck in a loop and unable to perform other tasks. The root cause is the lack of rate limiting on the printing of illegal packet data. The fix involves applying the net_ratelimit mechanism to limit the rate at which packet contents are dumped, preventing CPU exhaustion. The stack trace provided shows the crash occurring in the io_serial_in function, triggered by excessive printk calls from tun_do_read. This vulnerability can be triggered remotely if an attacker can send crafted illegal packets to a vulnerable TUN device, especially in virtualized environments using vhost-net. No CVSS score is assigned yet, and no known exploits are reported in the wild. The affected versions correspond to specific Linux kernel commits identified by their hashes, indicating this is a recent kernel-level fix.
Potential Impact
For European organizations, the impact of CVE-2024-27013 can be significant, particularly for those relying on Linux-based virtualized infrastructure or VPN solutions that use TUN devices. The vulnerability can cause denial of service (DoS) conditions by exhausting CPU resources through excessive logging, leading to system instability or crashes. This can disrupt critical services, including cloud workloads, containerized applications, and network security appliances. Organizations with high-density virtualized environments or those using vhost-net for network acceleration are at higher risk. The vulnerability does not appear to allow privilege escalation or direct data compromise but can degrade availability and operational continuity. Given the widespread use of Linux in European data centers, telecom infrastructure, and enterprise environments, unpatched systems could face service interruptions. Additionally, the vulnerability could be exploited as part of a multi-stage attack to cause disruption or as a diversion while other attacks are conducted.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2024-27013. Specifically, they should update to kernel versions that implement net_ratelimit in tun_do_read to prevent excessive logging. For environments where immediate patching is not feasible, administrators can consider disabling console logging for TUN devices or limiting console output to reduce CPU load. Network administrators should monitor for unusual volumes of illegal packets targeting TUN devices and implement network-level filtering to block malformed or suspicious traffic. Virtualized environments using vhost-net should be closely monitored, and hypervisor security best practices applied. Additionally, organizations should audit their use of TUN devices and vhost-net to ensure minimal exposure and apply strict access controls. Logging and monitoring solutions should be tuned to detect signs of CPU exhaustion or soft lockups related to this vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.209Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9829c4522896dcbe30d1
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 2:25:19 PM
Last updated: 8/13/2025, 4:06:24 AM
Views: 12
Related Threats
CVE-2025-8978: Insufficient Verification of Data Authenticity in D-Link DIR-619L
HighCVE-2025-8946: SQL Injection in projectworlds Online Notes Sharing Platform
MediumCVE-2025-51965: n/a
UnknownCVE-2025-8976: Cross Site Scripting in givanz Vvveb
MediumCVE-2025-8980: Insufficient Verification of Data Authenticity in Tenda G1
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.