CVE-2024-27061: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce - Fix use after free in unprepare sun8i_ce_cipher_unprepare should be called before crypto_finalize_skcipher_request, because client callbacks may immediately free memory, that isn't needed anymore. But it will be used by unprepare after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in crypto_finalize_request. Usually that results in a pointer dereference problem during a in crypto selftest. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP This problem is detected by KASAN as well. ================================================================== BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373 Hardware name: Pine64 PinePhone (1.2) (DT) Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_load8+0x9c/0xc0 sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] crypto_pump_work+0x354/0x620 [crypto_engine] kthread_worker_fn+0x244/0x498 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_alloc_info+0x24/0x38 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x74/0x1d0 alg_test_skcipher+0x90/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Freed by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_free_info+0x38/0x60 __kasan_slab_free+0x100/0x170 slab_free_freelist_hook+0xd4/0x1e8 __kmem_cache_free+0x15c/0x290 kfree+0x74/0x100 kfree_sensitive+0x80/0xb0 alg_test_skcipher+0x12c/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 The buggy address belongs to the object at ffff00000dcdc000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 64 bytes inside of freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)
AI Analysis
Technical Summary
CVE-2024-27061 is a use-after-free vulnerability identified in the Linux kernel's crypto subsystem, specifically within the sun8i-ce hardware crypto engine driver. The flaw arises due to an improper sequence of function calls where sun8i_ce_cipher_unprepare is invoked after crypto_finalize_skcipher_request, leading to a scenario where client callbacks may free memory that is subsequently accessed by the unprepare function. This results in a use-after-free condition, causing a kernel NULL pointer dereference and potential memory corruption. The vulnerability is detected by Kernel Address Sanitizer (KASAN), which reports slab-use-after-free errors during cryptographic self-tests. The issue manifests as a kernel oops and can cause system instability or crashes. The detailed kernel logs indicate that the problem occurs on ARM-based hardware such as the Pine64 PinePhone, but the underlying flaw exists in the Linux kernel's crypto engine handling of prepare/unprepare callbacks. This vulnerability is rooted in the crypto engine's lifecycle management of cryptographic requests, where the removal of prepare/unprepare callbacks shifted responsibility to crypto_finalize_request, but the sun8i-ce driver did not correctly adapt to this change, leading to unsafe memory access. No known exploits are reported in the wild at this time, and the vulnerability was publicly disclosed in May 2024 without an assigned CVSS score.
Potential Impact
For European organizations, the impact of CVE-2024-27061 primarily concerns systems running Linux kernels that include the vulnerable sun8i-ce crypto engine driver. This is particularly relevant for embedded devices, ARM-based systems, and specialized hardware using this crypto engine, such as certain IoT devices, mobile phones (e.g., Pine64 PinePhone), and industrial equipment. Exploitation could lead to kernel crashes, denial of service, and potentially privilege escalation if attackers can leverage the use-after-free to execute arbitrary code in kernel space. While the vulnerability currently appears to be triggered during cryptographic self-tests, a crafted attack could potentially exploit this flaw to disrupt critical services or compromise device integrity. European sectors relying on embedded Linux systems in telecommunications, manufacturing, or critical infrastructure could face operational disruptions. However, the scope is limited to devices with the affected crypto engine, reducing the broad impact on general-purpose Linux servers or desktops. The absence of known exploits and the technical complexity of triggering the flaw also mitigate immediate widespread risk.
Mitigation Recommendations
To mitigate CVE-2024-27061, European organizations should: 1) Identify and inventory all Linux-based devices, especially ARM-based embedded systems, that utilize the sun8i-ce crypto engine or similar hardware accelerators. 2) Apply the official Linux kernel patches that fix the use-after-free condition as soon as they become available from trusted Linux kernel sources or device vendors. 3) For devices where kernel updates are not immediately feasible, consider disabling the sun8i-ce crypto engine module if it is not critical to device operation, to prevent triggering the vulnerable code path. 4) Implement strict access controls and monitoring on devices running vulnerable kernels to detect abnormal kernel crashes or oops events that may indicate exploitation attempts. 5) Engage with hardware and device manufacturers to ensure timely firmware and kernel updates are provided and deployed. 6) Incorporate this vulnerability into vulnerability management and incident response plans, focusing on embedded and ARM-based Linux device fleets. 7) Conduct targeted testing and fuzzing of cryptographic operations on affected devices to detect potential exploitation attempts or stability issues.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland
CVE-2024-27061: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce - Fix use after free in unprepare sun8i_ce_cipher_unprepare should be called before crypto_finalize_skcipher_request, because client callbacks may immediately free memory, that isn't needed anymore. But it will be used by unprepare after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in crypto_finalize_request. Usually that results in a pointer dereference problem during a in crypto selftest. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP This problem is detected by KASAN as well. ================================================================== BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373 Hardware name: Pine64 PinePhone (1.2) (DT) Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_load8+0x9c/0xc0 sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] crypto_pump_work+0x354/0x620 [crypto_engine] kthread_worker_fn+0x244/0x498 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_alloc_info+0x24/0x38 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x74/0x1d0 alg_test_skcipher+0x90/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Freed by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_free_info+0x38/0x60 __kasan_slab_free+0x100/0x170 slab_free_freelist_hook+0xd4/0x1e8 __kmem_cache_free+0x15c/0x290 kfree+0x74/0x100 kfree_sensitive+0x80/0xb0 alg_test_skcipher+0x12c/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 The buggy address belongs to the object at ffff00000dcdc000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 64 bytes inside of freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)
AI-Powered Analysis
Technical Analysis
CVE-2024-27061 is a use-after-free vulnerability identified in the Linux kernel's crypto subsystem, specifically within the sun8i-ce hardware crypto engine driver. The flaw arises due to an improper sequence of function calls where sun8i_ce_cipher_unprepare is invoked after crypto_finalize_skcipher_request, leading to a scenario where client callbacks may free memory that is subsequently accessed by the unprepare function. This results in a use-after-free condition, causing a kernel NULL pointer dereference and potential memory corruption. The vulnerability is detected by Kernel Address Sanitizer (KASAN), which reports slab-use-after-free errors during cryptographic self-tests. The issue manifests as a kernel oops and can cause system instability or crashes. The detailed kernel logs indicate that the problem occurs on ARM-based hardware such as the Pine64 PinePhone, but the underlying flaw exists in the Linux kernel's crypto engine handling of prepare/unprepare callbacks. This vulnerability is rooted in the crypto engine's lifecycle management of cryptographic requests, where the removal of prepare/unprepare callbacks shifted responsibility to crypto_finalize_request, but the sun8i-ce driver did not correctly adapt to this change, leading to unsafe memory access. No known exploits are reported in the wild at this time, and the vulnerability was publicly disclosed in May 2024 without an assigned CVSS score.
Potential Impact
For European organizations, the impact of CVE-2024-27061 primarily concerns systems running Linux kernels that include the vulnerable sun8i-ce crypto engine driver. This is particularly relevant for embedded devices, ARM-based systems, and specialized hardware using this crypto engine, such as certain IoT devices, mobile phones (e.g., Pine64 PinePhone), and industrial equipment. Exploitation could lead to kernel crashes, denial of service, and potentially privilege escalation if attackers can leverage the use-after-free to execute arbitrary code in kernel space. While the vulnerability currently appears to be triggered during cryptographic self-tests, a crafted attack could potentially exploit this flaw to disrupt critical services or compromise device integrity. European sectors relying on embedded Linux systems in telecommunications, manufacturing, or critical infrastructure could face operational disruptions. However, the scope is limited to devices with the affected crypto engine, reducing the broad impact on general-purpose Linux servers or desktops. The absence of known exploits and the technical complexity of triggering the flaw also mitigate immediate widespread risk.
Mitigation Recommendations
To mitigate CVE-2024-27061, European organizations should: 1) Identify and inventory all Linux-based devices, especially ARM-based embedded systems, that utilize the sun8i-ce crypto engine or similar hardware accelerators. 2) Apply the official Linux kernel patches that fix the use-after-free condition as soon as they become available from trusted Linux kernel sources or device vendors. 3) For devices where kernel updates are not immediately feasible, consider disabling the sun8i-ce crypto engine module if it is not critical to device operation, to prevent triggering the vulnerable code path. 4) Implement strict access controls and monitoring on devices running vulnerable kernels to detect abnormal kernel crashes or oops events that may indicate exploitation attempts. 5) Engage with hardware and device manufacturers to ensure timely firmware and kernel updates are provided and deployed. 6) Incorporate this vulnerability into vulnerability management and incident response plans, focusing on embedded and ARM-based Linux device fleets. 7) Conduct targeted testing and fuzzing of cryptographic operations on affected devices to detect potential exploitation attempts or stability issues.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.215Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ac4522896dcbe3255
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 2:57:14 PM
Last updated: 8/4/2025, 12:41:21 PM
Views: 14
Related Threats
CVE-2025-8690: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in addix Simple Responsive Slider
MediumCVE-2025-8688: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ebernstein Inline Stock Quotes
MediumCVE-2025-8685: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in emilien Wp chart generator
MediumCVE-2025-8621: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in odn Mosaic Generator
MediumCVE-2025-8568: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in prabode GMap Generator
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.