CVE-2024-35894: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

mptcp: prevent BPF accessing lowat from a subflow socket.

Alexei reported the following splat:

  WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0
  Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)]
  CPU: 32 PID: 3276 Comm: test_progs Tainted: GO 6.8.0-12873-g2c43c33bfd23
  Call Trace:
   <TASK>
   mptcp_set_rcvlowat+0x79/0x1d0
   sk_setsockopt+0x6c0/0x1540
   __bpf_setsockopt+0x6f/0x90
   bpf_sock_ops_setsockopt+0x3c/0x90
   bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b
   bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132
   bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86
   __cgroup_bpf_run_filter_sock_ops+0xbc/0x250
   tcp_connect+0x879/0x1160
   tcp_v6_connect+0x50c/0x870
   mptcp_connect+0x129/0x280
   __inet_stream_connect+0xce/0x370
   inet_stream_connect+0x36/0x50
   bpf_trampoline_6442491565+0x49/0xef
   inet_stream_connect+0x5/0x50
   __sys_connect+0x63/0x90
   __x64_sys_connect+0x14/0x20

The root cause of the issue is that bpf allows accessing mptcp-level proto_ops from a tcp subflow scope.

Fix the issue detecting the problematic call and preventing any action.
AI Analysis
Technical Summary
CVE-2024-35894 is a vulnerability identified in the Linux kernel's implementation of Multipath TCP (MPTCP), specifically related to Berkeley Packet Filter (BPF) programs accessing socket options improperly. The root cause lies in BPF programs being able to access MPTCP-level proto_ops from the context of a TCP subflow socket, which is an unintended scope. This improper access can lead to a kernel warning or crash (splat), as demonstrated by the reported CPU warning and call trace involving functions such as subflow_data_ready, mptcp_set_rcvlowat, and bpf_sock_ops_setsockopt. The vulnerability arises because BPF programs, which are used for advanced packet filtering and socket operations, can manipulate socket options at a level that should be restricted, potentially leading to instability or denial of service. The fix implemented prevents BPF from accessing the lowat (receive low water mark) option from subflow sockets, effectively blocking the problematic call path and mitigating the risk of kernel crashes or exploitation. No known exploits are currently reported in the wild, and the vulnerability was published shortly after discovery, indicating a proactive patching effort by the Linux kernel maintainers.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with MPTCP enabled and utilizing BPF programs for socket operations. Since MPTCP is used to improve network resilience and throughput by allowing multiple paths for TCP connections, environments relying on this feature—such as telecom infrastructure, cloud providers, and enterprises with advanced networking setups—could experience kernel crashes or denial of service if exploited. The impact includes potential service interruptions, reduced availability of critical network services, and increased operational costs due to system instability. Confidentiality and integrity impacts are less direct but could arise if attackers leverage kernel instability to escalate privileges or disrupt security monitoring tools that rely on BPF. Given the widespread use of Linux in European data centers, cloud environments, and embedded systems, unpatched systems could face operational risks, especially in sectors like finance, telecommunications, and critical infrastructure where uptime and network reliability are paramount.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-35894. Specifically, kernel versions incorporating the fix that restricts BPF access to MPTCP subflow socket options should be deployed. Organizations using custom or long-term support kernels should backport the patch if not already included. Additionally, administrators should audit the use of BPF programs, especially those that manipulate socket options, to ensure they do not inadvertently trigger this vulnerability. Restricting BPF program loading to trusted users and processes can reduce risk. Network teams should monitor kernel logs for warnings related to subflow_data_ready or BPF socket operations, which may indicate attempts to exploit this issue. For environments where MPTCP is not required, disabling it can be a temporary mitigation. Finally, integrating vulnerability management processes to track Linux kernel updates and applying them promptly will reduce exposure.
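The log-monitoring recommendation above can be made specific to this splat. The following is an added example, not code from the advisory or the kernel project: it parses kernel log text and flags only subflow_data_ready warnings whose call trace shows mptcp_set_rcvlowat reached through a BPF setsockopt helper. The sample log is constructed from the trace quoted in the description (timestamps and the second warning are invented), and the names parse_warnings, matches_cve_2024_35894 and find_hits are this example's own.

```python
import re

# Constructed sample: frames taken from the advisory's trace; timestamps and
# the second warning (no BPF frames) are invented for the example.
SAMPLE_LOG = """\
[  101.000001] WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0
[  101.000002] Call Trace:
[  101.000003]  <TASK>
[  101.000004]  mptcp_set_rcvlowat+0x79/0x1d0
[  101.000005]  sk_setsockopt+0x6c0/0x1540
[  101.000006]  __bpf_setsockopt+0x6f/0x90
[  101.000007]  bpf_sock_ops_setsockopt+0x3c/0x90
[  205.000001] WARNING: CPU: 3 PID: 41 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0
[  205.000002] Call Trace:
[  205.000003]  tcp_data_queue+0x10/0x20
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+) ([\w.]+)\+0x")
FRAME_RE = re.compile(r"^\s*(?:\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
BPF_SETSOCKOPT = {"__bpf_setsockopt", "bpf_sock_ops_setsockopt"}

def parse_warnings(log_text):
    """Split kernel log text into WARNING records with their call-trace frames."""
    records, cur = [], None
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw)
        m = WARN_RE.search(line)
        if m:
            cur = {"pid": int(m.group(1)), "at": m.group(2),
                   "func": m.group(3), "frames": []}
            records.append(cur)
            continue
        f = FRAME_RE.match(line)
        if f and cur is not None:
            cur["frames"].append(f.group(1))
    return records

def matches_cve_2024_35894(rec):
    """True for a subflow_data_ready warning reached via BPF setsockopt."""
    frames = set(rec["frames"])
    # Match on function names; the source line (1430) varies between builds.
    return (rec["func"] == "subflow_data_ready"
            and "mptcp_set_rcvlowat" in frames
            and bool(frames & BPF_SETSOCKOPT))

def find_hits(log_text):
    return [r for r in parse_warnings(log_text) if matches_cve_2024_35894(r)]
```

On a live host the same functions can be fed the text of the kernel ring buffer or journal; a hit identifies the PID that ran the BPF-attached connect, which is the starting point for auditing the loaded sock_ops program.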
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.113Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe20e1
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 7:54:55 AM
Last updated: 8/10/2025, 4:50:53 AM