CVE-2024-35893: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Sun May 19 2024 (05/19/2024, 08:34:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_skbmod: prevent kernel-infoleak

syzbot found that tcf_skbmod_dump() was copying four bytes from kernel stack to user space [1].

The issue here is that 'struct tc_skbmod' has a four-byte hole.

We need to clear the structure before filling fields.

[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_ubuf include/linux/iov_iter.h:29 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
 iterate_and_advance include/linux/iov_iter.h:271 [inline]
 _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
 copy_to_iter include/linux/uio.h:196 [inline]
 simple_copy_to_iter net/core/datagram.c:532 [inline]
 __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
 skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]
 netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x2c4/0x340 net/socket.c:1068
 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242
 __do_sys_recvfrom net/socket.c:2260 [inline]
 __se_sys_recvfrom net/socket.c:2256 [inline]
 __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was stored to memory at:
 pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253
 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
 netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351
 nlmsg_unicast include/net/netlink.h:1144 [inline]
 nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610
 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741
 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]
 tcf_add_notify net/sched/act_api.c:2048 [inline]
 tcf_action_add net/sched/act_api.c:2071 [inline]
 tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119
 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
 netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was stored to memory at:
 __nla_put lib/nlattr.c:1041 [inline]
 nla_put+0x1c6/0x230 lib/nlattr.c:1099
 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256
 tcf_action_dump_old net/sched/act_api.c:1191 [inline]
 tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251
 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628
 tcf_add_notify_msg net/sched/act_api.c:2023 [inline]
 tcf_add_notify net/sched/act_api.c:2042 [inline]
 tcf_action_add net/sched/act_api.c:2071 [inline]
 tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119
 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncated---

AI-Powered Analysis

Last updated: 06/29/2025, 07:54:46 UTC

Technical Analysis

CVE-2024-35893 is a vulnerability in the Linux kernel's networking subsystem, specifically in the traffic control (tc) skbmod action (act_skbmod). It is an information leak: uninitialized kernel memory is copied from kernel space to user space. The root cause is that 'struct tc_skbmod' contains a four-byte padding hole that is not cleared before the structure's fields are filled, so when tcf_skbmod_dump() copies the structure into a netlink message, those four bytes of stale kernel stack content travel with it. syzbot found the issue, and the Kernel Memory Sanitizer (KMSAN) confirmed it by reporting a kernel-infoleak on the copy_to_user path. The report's stack traces run through the kernel's netlink and packet-handling code, including skb_copy_datagram_iter, netlink_recvmsg and rtnetlink_rcv_msg. The flaw allows an unprivileged user with the ability to interact with the traffic control netlink interface to read kernel stack memory a few bytes at a time; depending on what happened to be on the stack, that could expose cryptographic keys, kernel pointers, or other sensitive data. The vulnerability does not appear to require privileges beyond those needed to use the traffic control subsystem, nor any user interaction beyond sending crafted netlink messages. No exploits are known in the wild as of the publication date. The fix clears the structure before populating it, so the padding bytes are zero when the structure is copied out; however, the data on this page includes no official patch links. The affected kernel versions are identified by the commit hash 86da71b57383d40993cb90baafb3735cffe5d800, which likely corresponds to a recent kernel version prior to the fix. Given the Linux kernel's widespread use in servers, desktops, embedded systems, and cloud infrastructure, this vulnerability has broad potential impact.
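The following user-space program is an added illustration of the defect described in the Description and the Technical Analysis above; it is not kernel code and not part of this page's source data. It models the UAPI 'struct tc_skbmod' layout (the five 4-byte tc_gen members followed by a 64-bit flags field, which on a 64-bit target leaves a 4-byte hole at offset 20), pre-fills the stack slot with a constructed stale byte pattern standing in for leftover stack data, fills the fields one by one, and copies the object out byte for byte the way nla_put() would. With the clearing step skipped, the hole carries the stale bytes into the "message"; with the whole object cleared first (the fix the commit message describes), it does not. The struct name, the stale byte value and the helper function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * User-space model of the UAPI struct tc_skbmod: the tc_gen members
 * (five 4-byte fields, 20 bytes) followed by a __u64.  On a 64-bit
 * target the 64-bit member is 8-byte aligned, so the compiler leaves a
 * 4-byte hole at offset 20.  Member stores never touch that hole.
 */
struct tc_skbmod_model {
    uint32_t index;
    uint32_t capab;
    int32_t  action;
    int32_t  refcnt;
    int32_t  bindcnt;
    uint64_t flags;
};

#define STALE_BYTE 0xAA  /* constructed stand-in for leftover stack data */

/* Offset and size of the padding between bindcnt and flags. */
size_t hole_offset(void)
{
    return offsetof(struct tc_skbmod_model, bindcnt) + sizeof(int32_t);
}

size_t hole_size(void)
{
    return offsetof(struct tc_skbmod_model, flags) - hole_offset();
}

/*
 * Stand-in for tcf_skbmod_dump(): the object lives in a stack slot that
 * is pre-filled with STALE_BYTE, is filled field by field, and is then
 * copied out whole, as nla_put() copies sizeof(opt) bytes into the
 * netlink message.  clear_first == 0 mirrors the vulnerable path;
 * clear_first != 0 applies the fix: clear the whole object first.
 */
size_t dump_skbmod(unsigned char *out, size_t outlen, int clear_first)
{
    union {
        struct tc_skbmod_model opt;
        unsigned char raw[sizeof(struct tc_skbmod_model)];
    } slot;

    if (outlen < sizeof slot.raw)
        return 0;

    memset(slot.raw, STALE_BYTE, sizeof slot.raw);   /* "dirty" stack slot */

    if (clear_first)
        memset(&slot.opt, 0, sizeof slot.opt);       /* the fix */

    /* Field-by-field fill: the padding hole is not written here. */
    slot.opt.index   = 1;
    slot.opt.capab   = 0;
    slot.opt.action  = 0;
    slot.opt.refcnt  = 1;
    slot.opt.bindcnt = 0;
    slot.opt.flags   = 0;

    memcpy(out, slot.raw, sizeof slot.raw);          /* nla_put() stand-in */
    return sizeof slot.raw;
}

/* Count bytes inside the hole of a dumped object that still hold stale data. */
size_t stale_hole_bytes(const unsigned char *dump, size_t len)
{
    size_t off = hole_offset(), n = 0;
    if (len < off + hole_size())
        return 0;
    for (size_t i = 0; i < hole_size(); i++)
        if (dump[off + i] == STALE_BYTE)
            n++;
    return n;
}

/* How many stale hole bytes reach the "user space" buffer. */
size_t leaked_bytes(int clear_first)
{
    unsigned char msg[sizeof(struct tc_skbmod_model)];
    size_t n = dump_skbmod(msg, sizeof msg, clear_first);
    return stale_hole_bytes(msg, n);
}

int main(void)
{
    printf("sizeof=%zu, hole at offset %zu, %zu byte(s)\n",
           sizeof(struct tc_skbmod_model), hole_offset(), hole_size());
    printf("vulnerable path leaks %zu byte(s)\n", leaked_bytes(0));
    printf("cleared path leaks    %zu byte(s)\n", leaked_bytes(1));
    return 0;
}
```

The point of the union is that a whole-object memset is the only step that reliably reaches padding: a designated initializer or per-member assignment is not required by the language to write padding bytes, which is exactly why a copy of sizeof(opt) bytes out of the object must be preceded by clearing it. Tools such as KMSAN catch this class of bug at runtime; at review time, any struct with mixed 32-bit and 64-bit members that is copied to user space whole is worth a second look.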

Potential Impact

For European organizations, the impact of CVE-2024-35893 can be significant, especially for those relying heavily on Linux-based infrastructure. The vulnerability enables an information leak from kernel memory, which can undermine confidentiality by exposing sensitive data such as cryptographic keys, credentials, or internal kernel pointers. This exposure can facilitate further attacks, including privilege escalation or kernel exploitation, if attackers combine this leak with other vulnerabilities. Organizations operating critical infrastructure, cloud services, or data centers running Linux kernels with the vulnerable versions are at risk. The leak could compromise data privacy obligations under regulations like GDPR if sensitive personal or corporate data is exposed. Additionally, sectors such as finance, telecommunications, healthcare, and government agencies in Europe that depend on Linux servers and network appliances could face increased risk of targeted attacks leveraging this vulnerability. Although no active exploits are known, the ease of triggering the leak via netlink messages and the lack of need for high privileges or user interaction increase the threat potential. The vulnerability could also affect embedded Linux devices used in industrial control systems or IoT deployments within Europe, potentially impacting operational technology security. Overall, the confidentiality breach risk and the potential for follow-on attacks make this vulnerability a concern for European organizations with Linux deployments.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Apply the latest Linux kernel updates that include the fix for CVE-2024-35893 as soon as they become available from their Linux distribution vendors or kernel maintainers.
2) Restrict access to the traffic control netlink interface (used for configuring network traffic control) to trusted and authorized users only, using Linux capabilities and access control mechanisms such as SELinux, AppArmor, or seccomp filters.
3) Monitor and audit netlink socket usage and traffic control commands for unusual or unauthorized activity that could indicate exploitation attempts.
4) Where immediate patching is not feasible, consider disabling or limiting the use of the skbmod action or of the traffic control features that invoke the vulnerable code paths, if operationally acceptable.
5) Employ kernel hardening techniques and runtime protections such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce the impact of potential information leaks.
6) Incorporate vulnerability scanning and continuous monitoring tools that can detect the presence of vulnerable kernel versions and alert on attempts to exploit netlink interfaces.
7) Educate system administrators and security teams about this vulnerability to ensure rapid response and patch management.

These measures go beyond generic advice by focusing on controlling access to the vulnerable interface and monitoring specific kernel networking components.
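As an added example of mitigation 2 (not code from this page or from any distribution), the program below installs a classic-BPF seccomp policy in a confined service that has no legitimate need to configure traffic control: socket(AF_NETLINK, *, NETLINK_ROUTE) fails with EPERM while every other syscall is allowed. It assumes x86-64 Linux and a little-endian layout of seccomp_data (the 32-bit loads read the low word of each 64-bit argument). The policy is per-process, so it confines only the service it is installed in and its children; it does not replace kernel patching or CAP_NET_ADMIN hygiene. The small interpreter included here exists only so the program can be checked offline against constructed seccomp_data records; the kernel's own seccomp verifier remains authoritative. All function names are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/netlink.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL  0xffff0000U
#endif

/* Policy: deny socket(AF_NETLINK, *, NETLINK_ROUTE) with EPERM, allow the rest. */
static struct sock_filter rtnetlink_deny[] = {
    /* 0-2: refuse to run under a foreign syscall ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: only socket() is inspected; anything else jumps to ALLOW */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 5),
    /* 5-6: domain (args[0], low word) == AF_NETLINK ? */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_NETLINK, 0, 3),
    /* 7-8: protocol (args[2], low word) == NETLINK_ROUTE ? */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
             offsetof(struct seccomp_data, args) + 2 * sizeof(uint64_t)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NETLINK_ROUTE, 0, 1),
    /* 9: deny with a clean errno instead of killing the service */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 10: everything else */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define RTNETLINK_DENY_LEN (sizeof rtnetlink_deny / sizeof rtnetlink_deny[0])

/* Minimal interpreter for the three opcodes the policy uses (offline check only). */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *d)
                return SECCOMP_RET_KILL_PROCESS;     /* out-of-bounds load */
            memcpy(&acc, (const unsigned char *)d + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;         /* opcode not modelled */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;                 /* fell off the end */
}

/* Policy decision for socket(domain, type, protocol) on x86-64. */
uint32_t decide_socket(uint32_t domain, uint32_t type, uint32_t protocol)
{
    struct seccomp_data d = { .nr = __NR_socket, .arch = AUDIT_ARCH_X86_64 };
    d.args[0] = domain;
    d.args[1] = type;
    d.args[2] = protocol;
    return run_filter(rtnetlink_deny, RTNETLINK_DENY_LEN, &d);
}

/* Policy decision for any other syscall number (arguments zeroed). */
uint32_t decide_syscall(int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = AUDIT_ARCH_X86_64 };
    return run_filter(rtnetlink_deny, RTNETLINK_DENY_LEN, &d);
}

/* Install the policy in the calling process; returns 0 on success. */
int install_rtnetlink_deny(void)
{
    struct sock_fprog prog = { .len = RTNETLINK_DENY_LEN, .filter = rtnetlink_deny };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required without CAP_SYS_ADMIN */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_rtnetlink_deny() != 0) {
        perror("seccomp");
        return 1;
    }
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    printf("socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) -> %d (%s)\n",
           fd, fd < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Returning SECCOMP_RET_ERRNO rather than a kill action keeps the confined service running and gives the operator a recognisable EPERM to alert on (mitigation 3), and the architecture check at the top prevents the filter from being bypassed through a different syscall table. A service that legitimately needs other netlink families (NETLINK_AUDIT, for instance) is unaffected because only the NETLINK_ROUTE protocol is denied.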

Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-05-17T13:50:33.113Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9828c4522896dcbe20dd

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 7:54:46 AM

Last updated: 8/15/2025, 6:53:21 AM
