CVE-2024-35860: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

bpf: support deferring bpf_link dealloc to after RCU grace period

BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values. Because of this runtime dependency, when bpf_link refcnt drops to zero there could still be active BPF programs running accessing link data. This patch adds generic support to defer bpf_link dealloc callback to after RCU GP, if requested. This is done by exposing two different deallocation callbacks, one synchronous and one deferred. If deferred one is provided, bpf_link_free() will schedule dealloc_deferred() callback to happen after RCU GP. BPF is using two flavors of RCU: "classic" non-sleepable one and RCU tasks trace one. The latter is used when sleepable BPF programs are used. bpf_link_free() accommodates that by checking underlying BPF program's sleepable flag, and goes either through normal RCU GP only for non-sleepable, or through RCU tasks trace GP *and* then normal RCU GP (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF program is sleepable. We use this for multi-kprobe and multi-uprobe links, which dereference link during program run. We also preventively switch raw_tp link to use deferred dealloc callback, as upcoming changes in bpf-next tree expose raw_tp link data (specifically, cookie value) to BPF program at runtime as well.
AI Analysis
Technical Summary
CVE-2024-35860 covers a use-after-free in the Linux kernel's handling of BPF links, specifically the timing of bpf_link deallocation. For some program types the bpf_link is handed to the program as a context object that it dereferences while running; multi-kprobe and multi-uprobe programs use it to fetch their BPF cookie. The reference count on a link can drop to zero (for example when the file descriptor that owns it is closed) while a program attached through that link is still executing on another CPU. Before the fix the link was freed immediately at that point, so the running program read freed memory. The result is a use-after-free that can corrupt kernel memory or crash the kernel. The patch adds generic support for deferring the bpf_link dealloc callback until after an RCU (Read-Copy-Update) grace period: a link type now provides either a synchronous dealloc callback or a deferred one, and when the deferred callback is present bpf_link_free() schedules it to run after the grace period instead of calling it directly. Which grace period is required depends on the attached program. Non-sleepable programs run under classic RCU, so a normal RCU grace period is enough; sleepable programs run under RCU tasks trace, so bpf_link_free() waits for an RCU tasks trace grace period and then a normal RCU grace period, skipping the second where rcu_trace_implies_rcu_gp() says it is already implied. The deferred path is used for multi-kprobe and multi-uprobe links, which dereference the link during program execution, and is applied pre-emptively to raw_tp links because changes queued in bpf-next expose raw_tp link data (the cookie value) to programs at run time as well. In short, this is a subtle kernel object-lifetime bug: any caller able to create one of these links and close it while the attached probe is firing can open the use-after-free window.
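The race and the fix are easier to see in a small model than in the kernel sources, so the following user-space C program is added here as an illustration; it is not code from the kernel or from the patch. It models a link with a refcount and a cookie, two RCU flavours (classic and tasks trace) as reader counters plus callback queues, and the interleaving from the commit message: the probe fires, the last reference is dropped while the program is still running, then the program reads the cookie. The struct and function names (struct link, struct rcu_flavor, run_race, LINK_POISON) are invented for the model, and the poison value stands in for whatever a freed slab object would contain.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for freed-slab contents (freelist pointer / SLUB poison): a program
 * that observes this value has read the link after it was released. */
#define LINK_POISON 0xdeadbeefdeadbeefULL
#define MAX_PENDING 8

struct link {
    int refcnt;
    bool sleepable;      /* attached program runs under RCU tasks trace */
    bool freed;
    uint64_t cookie;     /* per-link value the program fetches while running */
    void (*dealloc)(struct link *);          /* synchronous: freed on last put */
    void (*dealloc_deferred)(struct link *); /* runs only after a grace period */
};

/* One RCU flavour: active-reader count plus a queue of pending callbacks. */
struct rcu_flavor { int readers; struct link *pending[MAX_PENDING]; int npending; };
static struct rcu_flavor rcu_classic, rcu_tasks_trace;

static void rcu_enqueue(struct rcu_flavor *f, struct link *l)
{
    if (f->npending < MAX_PENDING) f->pending[f->npending++] = l;
}

/* A grace period completes only when no reader of this flavour is active; it
 * then runs every queued callback. Returns the number of callbacks run. */
static int rcu_gp(struct rcu_flavor *f, void (*cb)(struct link *))
{
    struct link *batch[MAX_PENDING];
    int n = f->npending;
    if (f->readers > 0) return 0;
    memcpy(batch, f->pending, sizeof(batch[0]) * (size_t)n);
    f->npending = 0;
    for (int i = 0; i < n; i++) cb(batch[i]);
    return n;
}

static void link_free_now(struct link *l) { l->freed = true; l->cookie = LINK_POISON; }
static void classic_gp_done(struct link *l) { l->dealloc_deferred(l); }
/* Sleepable links need a tasks-trace GP and then a classic GP; the kernel skips
 * the second when rcu_trace_implies_rcu_gp() holds, this model never does. */
static void tasks_trace_gp_done(struct link *l) { rcu_enqueue(&rcu_classic, l); }

/* Shape of the fix: when a deferred callback exists, the last put hands the
 * link to the right RCU flavour instead of freeing it immediately. */
static void link_put(struct link *l)
{
    if (--l->refcnt != 0) return;
    if (!l->dealloc_deferred) { l->dealloc(l); return; }   /* pre-fix path */
    rcu_enqueue(l->sleepable ? &rcu_tasks_trace : &rcu_classic, l);
}

struct outcome {
    uint64_t cookie_seen;        /* what the running program read through the link */
    bool freed_during_run;       /* link released while the program was active */
    bool freed_after_classic_gp; /* released after a single classic GP */
    bool freed_after_both_gps;   /* released after tasks-trace GP + classic GP */
};

/* Interleaving under test: the probe fires and the program holds the link
 * pointer; the last reference is dropped meanwhile (owner closed the link fd);
 * the program reads the cookie and returns; then the grace periods elapse. */
static struct outcome run_race(bool deferred, bool sleepable)
{
    static struct link slots[16];
    static int next;
    struct link *l = &slots[next++ % 16];
    struct rcu_flavor *f = sleepable ? &rcu_tasks_trace : &rcu_classic;
    struct outcome o;

    *l = (struct link){ .refcnt = 1, .sleepable = sleepable, .cookie = 0x1234 };
    if (deferred) l->dealloc_deferred = link_free_now; else l->dealloc = link_free_now;

    f->readers++;                 /* program starts running */
    link_put(l);                  /* concurrent last put */
    o.freed_during_run = l->freed;
    o.cookie_seen = l->cookie;    /* bpf_get_attach_cookie()-style read */
    f->readers--;                 /* program returned: reader gone */

    rcu_gp(&rcu_classic, classic_gp_done);
    o.freed_after_classic_gp = l->freed;
    rcu_gp(&rcu_tasks_trace, tasks_trace_gp_done);
    rcu_gp(&rcu_classic, classic_gp_done);
    o.freed_after_both_gps = l->freed;
    return o;
}

int main(void)
{
    static const char *names[] = { "sync (pre-fix)", "deferred, non-sleepable", "deferred, sleepable" };
    for (int i = 0; i < 3; i++) {
        struct outcome o = run_race(i > 0, i == 2);
        printf("%-24s cookie=%#llx freed_during_run=%d after_classic_gp=%d after_both=%d\n",
               names[i], (unsigned long long)o.cookie_seen, o.freed_during_run,
               o.freed_after_classic_gp, o.freed_after_both_gps);
    }
    return 0;
}
```

The synchronous path reports the poison value as the cookie the program saw, which is the use-after-free. With deferral the program still sees 0x1234, and the link is released only once its reader is gone; for the sleepable case a classic grace period alone is not enough, because the sleepable program is not a classic RCU reader, which is why the kernel chains the tasks-trace grace period in front of it.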
Potential Impact
For European organizations the practical impact follows from where the bug is reachable. Loading kprobe, uprobe or raw tracepoint programs, and therefore creating the affected multi-kprobe, multi-uprobe and raw_tp links, requires CAP_BPF together with CAP_PERFMON (or CAP_SYS_ADMIN), so an unprivileged local user cannot trigger it directly. The exposure sits with whatever already holds those capabilities: observability agents, eBPF-based security monitors, bpftrace sessions, and containers that have been granted them. In those contexts a triggered use-after-free means kernel memory corruption, which at minimum can crash the host (a denial of service for every workload on it) and, given that the attacker controls both the timing and the BPF program, could serve as a primitive for escaping a privileged container or escalating beyond the granted capabilities. Because BPF-based tracing is common in data centres, telecommunications and cloud platforms across Europe, fleets running such tooling on unpatched kernels carry a stability risk even without a malicious actor: the race can fire whenever a link is closed while its probe is hot. No exploits in the wild are known at the time of writing, and hitting the window deliberately requires knowledge of kernel internals and BPF behaviour, so the pool of likely attackers is small; that lowers the urgency but does not remove the need to patch.
Mitigation Recommendations
European organizations should apply the kernel update that carries the deferred bpf_link deallocation fix, taking the version from their distribution's advisory for CVE-2024-35860 rather than guessing at a kernel number. Until then, inventory which hosts actually create the affected link types: bpftool link show lists attached links with their type (kprobe_multi, uprobe_multi, raw_tracepoint), and the usual sources are observability agents, eBPF-based security monitors and ad-hoc bpftrace sessions. Where that tooling is not needed, stop it; where it is, avoid patterns that churn links (repeatedly attaching and detaching probes) on unpatched hosts, since every detach of a hot probe is an opportunity for the race. Restrict who can create these links: do not grant CAP_BPF, CAP_PERFMON or CAP_SYS_ADMIN to containers or services that do not need them, keep kernel.unprivileged_bpf_disabled=1 as a baseline, and treat BPF program loads from unexpected processes as an alert. For detection, watch kernel logs for oopses, general protection faults or KASAN reports whose stack traces pass through bpf_link_free or the multi-kprobe and multi-uprobe code in kernel/trace/bpf_trace.c. Kernel hardening helps only at the margins here: Control Flow Integrity (CFI), init_on_free and slab freelist randomisation raise the cost of turning the use-after-free into code execution, whereas Kernel Page Table Isolation (KPTI) addresses Meltdown-style leaks and does nothing against this bug. Keep incident response plans current and investigate unexplained kernel panics on tracing-heavy hosts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.107Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe36a9
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:42:34 PM
Last updated: 7/29/2025, 8:46:53 AM
Related Threats
CVE-2025-9002: SQL Injection in Surbowl dormitory-management-php (Medium)
CVE-2025-9001: Stack-based Buffer Overflow in LemonOS (Medium)
CVE-2025-8867: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in iqonicdesign Graphina – Elementor Charts and Graphs (Medium)
CVE-2025-8680: CWE-918 Server-Side Request Forgery (SSRF) in bplugins B Slider- Gutenberg Slider Block for WP (Medium)
CVE-2025-8676: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in bplugins B Slider- Gutenberg Slider Block for WP (Medium)