
CVE-2024-35905: Vulnerability in Linux

Severity: High
Tags: Vulnerability, CVE-2024-35905, cve, cve-2024-35905
Published: Sun May 19 2024 (05/19/2024, 08:34:58 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Protect against int overflow for stack access size

This patch re-introduces protection against the size of access to stack memory being negative; the access size can appear negative as a result of overflowing its signed int representation. This should not actually happen, as there are other protections along the way, but we should protect against it anyway. One code path was missing such protections (fixed in the previous patch in the series), causing out-of-bounds array accesses in check_stack_range_initialized(). This patch causes the verification of a program with such a non-sensical access size to fail. This check used to exist in a more indirect way, but was inadvertently removed in a833a17aeac7.

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 03:26:20 UTC

Technical Analysis

CVE-2024-35905 is a vulnerability identified in the Linux kernel's Berkeley Packet Filter (BPF) subsystem, specifically related to stack memory access size verification. The vulnerability arises from an integer overflow issue affecting the signed integer representation of the stack access size used during BPF program verification. In certain code paths, the size of the access to stack memory could appear as a negative value due to overflow, which was not properly checked. This flaw leads to out-of-bounds array accesses within the function check_stack_range_initialized(), potentially allowing a maliciously crafted BPF program to bypass verification checks and access or manipulate memory outside the intended stack boundaries. The vulnerability was introduced inadvertently when a prior patch (commit a833a17aeac7) removed an indirect protection mechanism against such invalid access sizes. The recent patch reintroduces explicit checks to ensure that any BPF program attempting to use a nonsensical or negative stack access size will fail verification, thereby preventing exploitation. Although other protections exist in the kernel to prevent such issues, this fix closes a gap that could have been exploited to cause memory corruption or kernel instability. No known exploits are currently reported in the wild for this vulnerability. The affected versions include several recent Linux kernel commits prior to the patch. The vulnerability is technical and subtle, involving low-level kernel memory safety in the BPF verifier, a critical component for safely running user-supplied BPF programs in the kernel context.
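To make the bug class concrete, here is a constructed C model of a verifier-style stack range check, added for this page; it is not the kernel's check_stack_range_initialized() and simplifies its bookkeeping. The 64-bit bounds check accepts a size that has wrapped negative, the per-byte slot walk uses the 32-bit sum and steps outside the slot array, and the hardened variant rejects a negative size first, which is the protection the patch re-introduces. The function names (wrap32, range_within_bounds, walk_leaves_stack_array, accept_unhardened, accept_hardened) and the sample offsets are assumptions.

```c
#include <stdio.h>

#define MAX_BPF_STACK 512   /* bytes of BPF stack per frame */
#define BPF_REG_SIZE 8      /* bytes per tracked stack slot */

/* Emulate a sum wrapping in its 32-bit signed representation, computed via
 * unsigned conversion so the model itself avoids C's signed-overflow UB. */
static int wrap32(long long v) { return (int)(unsigned int)v; }

/* Bounds check done in 64-bit, as the kernel does with s64 min/max offsets:
 * a stack offset is negative (relative to the frame pointer) and the access
 * covers bytes [off, off + size). Returns 1 if the range looks in bounds. */
static int range_within_bounds(int off, int size)
{
    long long min_off = off, max_off = (long long)off + size;
    if (min_off < -MAX_BPF_STACK) return 0;   /* starts below the stack */
    if (max_off > 0) return 0;                /* ends above the frame pointer */
    return 1;
}
/* Slot walk with a 32-bit loop bound (the sum the advisory says can overflow).
 * Returns 1 if any visited byte maps outside the stack slot array, else 0. */
static int walk_leaves_stack_array(int off, int size)
{
    int end = wrap32((long long)off + size);
    for (int i = off; i < end; i++) {
        int slot = -i - 1;                    /* byte index from frame pointer */
        if (slot < 0 || slot >= MAX_BPF_STACK)
            return 1;                         /* stack[spi].slot_type[] index OOB */
    }
    return 0;
}
/* Before the fix (modelled): only the range check guards the walk. */
static int accept_unhardened(int off, int size) { return range_within_bounds(off, size); }

/* After the fix (modelled): a negative size is rejected before any arithmetic. */
static int accept_hardened(int off, int size)
{
    if (size < 0) return 0;
    return range_within_bounds(off, size);
}

int main(void)
{
    int bad = wrap32(0x7fffffffLL + 16);  /* constructed: a size that wrapped negative */
    printf("wrapped size %d: unhardened=%d walk_oob=%d hardened=%d\n", bad,
           accept_unhardened(-16, bad), walk_leaves_stack_array(-16, bad), accept_hardened(-16, bad));
    printf("16-byte read at -16: hardened=%d walk_oob=%d\n",
           accept_hardened(-16, 16), walk_leaves_stack_array(-16, 16));
    return 0;
}
```

With the wrapped size the unhardened model accepts the access while the walk immediately leaves the slot array; the hardened model rejects it before the range arithmetic runs.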

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with BPF enabled, which is common in modern Linux distributions used in servers, cloud infrastructure, and network appliances. Successful exploitation could allow an attacker to cause kernel memory corruption, potentially leading to privilege escalation, denial of service (system crashes), or unauthorized access to kernel memory. This is particularly concerning for organizations relying on Linux-based infrastructure for critical services, including cloud providers, telecom operators, and enterprises with Linux servers. The BPF subsystem is widely used for network monitoring, security tools, and performance tracing, so the vulnerability could be leveraged to bypass security controls or disrupt monitoring capabilities. Although exploitation requires crafting a malicious BPF program, which implies some level of attacker sophistication and local or containerized code execution, the impact on confidentiality, integrity, and availability of affected systems could be significant if exploited. Given the widespread use of Linux in European data centers and critical infrastructure, unpatched systems could be targeted by attackers aiming to gain kernel-level control or disrupt services.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-35905 as soon as possible. Kernel updates should be tested and deployed promptly, especially on systems exposed to untrusted users or running containerized workloads where BPF programs might be loaded. Additionally, organizations should audit their use of BPF programs and restrict the ability to load or run untrusted BPF code, for example by limiting CAP_BPF and CAP_SYS_ADMIN capabilities to trusted users and processes only. Employing kernel security modules such as SELinux or AppArmor to enforce strict policies on BPF usage can further reduce risk. Monitoring kernel logs for suspicious BPF verifier failures or unusual BPF program loading attempts can provide early warning of exploitation attempts. For cloud and hosting providers, isolating tenant workloads and enforcing strict container runtime security policies will help mitigate risk. Finally, organizations should maintain a robust patch management process and subscribe to Linux kernel security advisories to stay informed about future related vulnerabilities.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-05-17T13:50:33.120Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9821c4522896dcbddca8

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 3:26:20 AM

Last updated: 8/12/2025, 4:39:38 PM
