CVE-2024-35896: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

netfilter: validate user input for expected length

I got multiple syzbot reports showing old bugs exposed by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc in cgroup/{s,g}etsockopt")

setsockopt() @optlen argument should be taken into account before copying data.

BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238

CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
 copy_from_sockptr include/linux/sockptr.h:55 [inline]
 do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
 do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
 nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101
 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
 __do_sys_setsockopt net/socket.c:2343 [inline]
 __se_sys_setsockopt net/socket.c:2340 [inline]
 __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x72/0x7a
RIP: 0033:0x7fd22067dde9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8
 </TASK>

Allocated by task 7238:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4069 [inline]
 __kmalloc_noprof+0x200/0x410 mm/slub.c:4082
 kmalloc_noprof include/linux/slab.h:664 [inline]
 __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869
 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
 __do_sys_setsockopt net/socket.c:2343 [inline]
 __se_sys_setsockopt net/socket.c:2340 [inline]
 __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x72/0x7a

The buggy address belongs to the object at ffff88802cd73da0
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73
flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffefff(slab)
raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122
raw: ffff88802cd73020 000000008080007f 00000001ffffefff 00
---truncated---
AI Analysis
Technical Summary
CVE-2024-35896 is a vulnerability identified in the Linux kernel's netfilter subsystem, specifically related to the setsockopt() system call handling within the IPv4 netfilter ip_tables implementation. The issue arises from improper validation of user-supplied input lengths before copying data, leading to slab-out-of-bounds memory accesses. The vulnerability was uncovered through syzbot fuzzing reports, which revealed that after a particular commit (20f2505fb436) aimed at optimizing BPF (Berkeley Packet Filter) behavior in cgroup socket options, older bugs were re-exposed. The core problem is that the setsockopt() @optlen argument is not properly checked before copying data, resulting in out-of-bounds reads and writes in kernel memory. This is evidenced by multiple Kernel Address Sanitizer (KASAN) reports showing slab-out-of-bounds errors in functions like copy_from_sockptr_offset and do_replace within ip_tables.c. The bug allows reading beyond allocated kernel memory regions, potentially leading to kernel crashes (denial of service) or memory corruption. The vulnerability affects Linux kernel versions around 6.9.0-rc2-next-20240403 and likely other versions incorporating the problematic commit. The root cause is a lack of proper input validation in netfilter's setsockopt handling, which can be triggered by maliciously crafted socket options. Although no public exploits are known at this time, the vulnerability is significant due to its kernel-level impact and the critical role of netfilter in network packet filtering and firewalling. The vulnerability does not require user interaction beyond the ability to invoke setsockopt() with crafted parameters, which can be done by local users or potentially remote users depending on system configuration. No CVSS score has been assigned yet, but the technical details indicate a serious memory safety flaw in a core kernel networking component.
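The defect described above is a fixed-size copy that never consults the length the caller passed to setsockopt(). The following C program is an added illustration, not code from the kernel or from this page: it models the kernel-side option buffer as a small region inside a larger simulated slab, so that a copy that ignores @optlen visibly pulls in neighbouring bytes, and places the "validate user input for expected length" check from the commit title beside it. The structure layout (replace_hdr), the slab size and the helper names are constructed assumptions; the real struct ipt_replace is larger and the real copy_from_sockptr() has no bounds to fall back on.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-size header that do_replace() copies
 * out of the setsockopt() buffer before looking at anything else.
 * Hypothetical layout: the real struct ipt_replace is larger. */
struct replace_hdr {
    char     name[32];
    uint32_t valid_hooks;
    uint32_t num_entries;
    uint32_t size;
};

/* Simulated kernel heap: the cgroup BPF path in the report allocates a
 * buffer of exactly @optlen bytes (kmalloc-8 for a 1-byte option) and hands
 * the callee a pointer plus the length. Putting that buffer at the start of
 * a larger "slab" makes an overread observable without undefined behaviour. */
#define SLAB_SIZE 128
#define NEIGHBOUR_BYTE 0xAA  /* stands in for adjacent kernel heap data */

struct sockopt_sim {
    unsigned char slab[SLAB_SIZE];
    size_t        optlen;  /* bytes the user actually supplied */
};

/* Mirror of copy_from_sockptr(): copies @n bytes from the option value with
 * no knowledge of how many of them are valid. */
static void copy_from_sockptr_sim(void *dst, const struct sockopt_sim *s, size_t n)
{
    if (n > SLAB_SIZE)   /* keeps the demo defined; the kernel has no such limit */
        n = SLAB_SIZE;
    memcpy(dst, s->slab, n);
}

/* Vulnerable pattern: sizeof(*hdr) bytes are copied regardless of @optlen,
 * so a 1-byte option makes the callee read sizeof(*hdr) - 1 bytes of
 * whatever sits after the allocation. */
static int do_replace_unchecked(const struct sockopt_sim *s, struct replace_hdr *hdr)
{
    copy_from_sockptr_sim(hdr, s, sizeof(*hdr));
    return 0;
}

/* Hardened pattern: refuse any option value shorter than the structure we
 * intend to copy, before touching the buffer at all. */
static int do_replace_checked(const struct sockopt_sim *s, struct replace_hdr *hdr)
{
    if (s->optlen < sizeof(*hdr))
        return -EINVAL;
    copy_from_sockptr_sim(hdr, s, sizeof(*hdr));
    return 0;
}

/* Build a constructed request: @optlen user bytes ('x') followed by the
 * neighbour pattern representing memory the user never supplied. */
static void make_request(struct sockopt_sim *s, size_t optlen)
{
    if (optlen > SLAB_SIZE)
        optlen = SLAB_SIZE;
    memset(s->slab, NEIGHBOUR_BYTE, SLAB_SIZE);
    memset(s->slab, 'x', optlen);
    s->optlen = optlen;
}

/* How many bytes of the copied header did not come from the user's data. */
static size_t bytes_from_neighbour(const struct replace_hdr *hdr)
{
    const unsigned char *p = (const unsigned char *)hdr;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*hdr); i++)
        n += (p[i] == NEIGHBOUR_BYTE);
    return n;
}

int main(void)
{
    struct sockopt_sim s;
    struct replace_hdr h;

    make_request(&s, 1);  /* the 1-byte option from the KASAN report */
    do_replace_unchecked(&s, &h);
    printf("unchecked copy: %zu of %zu header bytes came from beyond optlen\n",
           bytes_from_neighbour(&h), sizeof(h));
    printf("checked copy: returns %d (expected -EINVAL = %d)\n",
           do_replace_checked(&s, &h), -EINVAL);

    make_request(&s, sizeof(h));
    printf("checked copy with full-size option: returns %d\n",
           do_replace_checked(&s, &h));
    return 0;
}
```

The check is cheap and belongs before the first copy: once the header has been read, everything that follows (entry counts, sizes, offsets) is derived from bytes the user may never have supplied.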
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for those relying heavily on Linux-based infrastructure for networking, firewalling, and routing. Netfilter is widely used in Linux distributions common in Europe, including Debian, Ubuntu, Red Hat, and SUSE. Exploitation could lead to kernel crashes causing denial of service, impacting availability of critical network services. More severe exploitation could allow attackers to corrupt kernel memory, potentially escalating privileges or bypassing security controls. This is particularly concerning for data centers, cloud providers, telecom operators, and enterprises running Linux firewalls or routers. Given the prevalence of Linux in European governmental, financial, and industrial sectors, the vulnerability could disrupt essential services or enable lateral movement by attackers if exploited in multi-tenant environments. The lack of known exploits currently reduces immediate risk, but the vulnerability's nature and kernel-level impact mean that rapid patching is essential to prevent future exploitation. Additionally, the vulnerability could be leveraged in targeted attacks against critical infrastructure or high-value targets within Europe, where Linux-based network appliances are common.
Mitigation Recommendations
1. Immediate application of Linux kernel patches that address CVE-2024-35896 once available from trusted Linux distribution vendors or upstream kernel sources. Monitor vendor advisories for updated kernel packages.
2. Until patches are applied, restrict access to systems running vulnerable Linux kernels, especially limiting untrusted users' ability to invoke setsockopt() calls or manipulate netfilter configurations.
3. Employ kernel hardening features such as Kernel Address Sanitizer (KASAN) and kernel lockdown modes in testing environments to detect and prevent exploitation attempts.
4. Use network segmentation and firewall rules to isolate critical Linux-based network infrastructure from untrusted networks and users.
5. Monitor system logs and kernel crash reports for signs of exploitation attempts or abnormal setsockopt() usage patterns.
6. For cloud and virtualized environments, ensure hypervisor and container runtime security to reduce risk of privilege escalation from compromised guest kernels.
7. Conduct vulnerability scanning and penetration testing focused on kernel-level exploits to validate patch effectiveness and detect residual risks.
8. Educate system administrators on the importance of timely kernel updates and secure configuration of netfilter and socket options.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.114Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe20e9
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 7:55:18 AM
Last updated: 8/2/2025, 5:06:26 AM
Related Threats
- CVE-2025-49456: CWE-426 Untrusted Search Path in Zoom Communications Inc Zoom Clients for Windows (Medium)
- CVE-2025-49457: CWE-426 Untrusted Search Path in Zoom Communications Inc Zoom Clients for Windows (Critical)
- CVE-2025-54238: Out-of-bounds Read (CWE-125) in Adobe Dimension (Medium)
- CVE-2025-8395 (Low)
- CVE-2025-54233: Out-of-bounds Read (CWE-125) in Adobe Adobe Framemaker (Medium)