CVE-2024-35910: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

tcp: properly terminate timers for kernel sockets

We had various syzbot reports about tcp timers firing after the corresponding netns has been dismantled. Fortunately Josef Bacik could trigger the issue more often, and could test a patch I wrote two years ago.

When TCP sockets are closed, we call inet_csk_clear_xmit_timers() to 'stop' the timers. inet_csk_clear_xmit_timers() can be called from any context, including when the socket lock is held. This is the reason it uses sk_stop_timer(), aka del_timer(). This means that ongoing timers might finish much later.

For user sockets, this is fine because each running timer holds a reference on the socket, and the user socket holds a reference on the netns.

For kernel sockets, we risk that the netns is freed before the timer can complete, because kernel sockets do not hold a reference on the netns.

This patch adds an inet_csk_clear_xmit_timers_sync() function that uses sk_stop_timer_sync() to make sure all timers are terminated before the kernel socket is released. Modules using kernel sockets close them in their netns exit() handler.

Also add a sock_not_owned_by_me() helper to get LOCKDEP support: inet_csk_clear_xmit_timers_sync() must not be called while the socket lock is held.

It is very possible we can revert in the future commit 3a58f13a881e ("net: rds: acquire refcount on TCP sockets") which attempted to solve the issue in rds only. (net/smc/af_smc.c and net/mptcp/subflow.c have similar code)

We probably can remove the check_net() tests from tcp_out_of_resources() and __tcp_close() in the future.
AI Analysis
Technical Summary
CVE-2024-35910 is a vulnerability in the Linux kernel's TCP networking stack, specifically in how the timers of kernel sockets are stopped. TCP timers, which drive retransmissions and other TCP state transitions, could keep firing after the associated network namespace (netns) had been dismantled. The cause is that inet_csk_clear_xmit_timers(), which stops these timers when a TCP socket is closed, uses the non-blocking sk_stop_timer() / del_timer(): a timer callback that is already executing is not waited for and may finish much later. For user sockets this is harmless, because each running timer holds a reference on the socket and the user socket holds a reference on the netns, so the netns cannot be freed underneath the callback. Kernel sockets hold no such reference on the netns, so a callback that outlives the netns is a use-after-free, which can corrupt memory or crash the kernel. The patch introduces inet_csk_clear_xmit_timers_sync(), which uses sk_stop_timer_sync() to wait until every timer has terminated before the kernel socket is released, and a sock_not_owned_by_me() helper so that LOCKDEP can flag a call of the synchronous variant made while the socket lock is held. The fix resolves a long-standing issue reported by syzbot and tested by kernel developers. The vulnerability has a CVSS v3.1 score of 5.8 (medium severity): attack vector local, high attack complexity, low privileges required, no user interaction, and limited impact on confidentiality, integrity and availability. No exploits are known in the wild. The affected versions are identified on this record by the commit hash 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe and likely include nearby kernel versions from the same development state. The root cause is a race between TCP timer callbacks and network namespace teardown for kernel sockets, which can lead to kernel instability or denial of service.
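To make the race concrete, here is an added userland model written for this page; it is not kernel code and not part of the CVE record. A thread callback stands in for a TCP timer of a kernel socket, a flag in a struct marks whether the netns is still alive, and the two close paths differ only in whether they wait for the in-flight callback before the netns is torn down. The struct names and the pthread barriers are modeling devices, not kernel APIs.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>

struct netns { int alive; };            /* stands in for struct net */

struct sock_timer {                     /* stands in for one timer of a kernel TCP socket */
    pthread_t thread;
    pthread_barrier_t fired;            /* callback has started running */
    pthread_barrier_t resume;           /* callback carries on with its work */
    struct netns *net;
    int saw_alive_net;                  /* what the callback observed: 1 live, 0 torn down */
};

static void *timer_callback(void *arg)
{
    struct sock_timer *t = arg;
    pthread_barrier_wait(&t->fired);    /* the timer has just expired... */
    pthread_barrier_wait(&t->resume);   /* ...and is still executing */
    t->saw_alive_net = t->net->alive;   /* in the real kernel this is the use-after-free */
    return NULL;
}

/* Close a kernel socket while one timer is in flight, then run netns exit(). Returns what the callback saw. */
int close_kernel_socket(int stop_synchronously)
{
    struct netns net = { .alive = 1 };  /* marked dead instead of freed, so the model cannot crash */
    struct sock_timer t = { .net = &net, .saw_alive_net = -1 };

    pthread_barrier_init(&t.fired, NULL, 2);
    pthread_barrier_init(&t.resume, NULL, 2);
    pthread_create(&t.thread, NULL, timer_callback, &t);
    pthread_barrier_wait(&t.fired);     /* the callback is already running when we close */

    if (stop_synchronously) {
        /* sk_stop_timer_sync() / del_timer_sync(): wait for the running callback to finish */
        pthread_barrier_wait(&t.resume);
        pthread_join(t.thread, NULL);
        net.alive = 0;                  /* netns exit() only after every timer is gone */
    } else {
        /* sk_stop_timer() / del_timer(): a callback that is already running is not waited for */
        net.alive = 0;                  /* netns is torn down while the callback still runs */
        pthread_barrier_wait(&t.resume);
        pthread_join(t.thread, NULL);   /* only so the model can report what happened */
    }
    pthread_barrier_destroy(&t.fired);
    pthread_barrier_destroy(&t.resume);
    return t.saw_alive_net;
}
```

close_kernel_socket(0) models the pre-patch path and returns 0 (the callback ran against a dead netns); close_kernel_socket(1) models inet_csk_clear_xmit_timers_sync() and returns 1. Build with -pthread on toolchains that still need it.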
Potential Impact
For European organizations, the impact of CVE-2024-35910 primarily concerns systems running Linux kernels with affected versions, especially those utilizing network namespaces and kernel sockets extensively. This includes cloud infrastructure providers, telecom operators, and enterprises deploying containerized or virtualized environments where network namespaces are common. The vulnerability could lead to kernel crashes or denial of service conditions, potentially disrupting critical services and applications. Although the attack vector is local and requires some privileges, exploitation could be feasible by malicious insiders or compromised processes with limited rights. The medium severity indicates moderate risk, but the potential for availability impact is significant in high-availability environments. Confidentiality and integrity impacts are limited but present due to possible memory corruption. European organizations relying on Linux-based network infrastructure, edge computing, or specialized kernel modules that use kernel sockets are at risk of service interruptions and operational impacts if unpatched. Given the widespread use of Linux in European data centers and telecom networks, timely patching is essential to maintain service reliability and security.
Mitigation Recommendations
1. Apply the official Linux kernel patches that include the fix for CVE-2024-35910 as soon as they become available from trusted Linux distributions or kernel maintainers.
2. For organizations using custom or long-term support kernels, backport the patch that introduces inet_csk_clear_xmit_timers_sync() and related fixes to ensure proper timer termination.
3. Audit and review kernel modules or third-party drivers that create kernel sockets and ensure they close sockets properly during network namespace teardown using the new synchronous timer stop method.
4. Implement strict access controls and monitoring on systems where local privilege escalation could enable exploitation, limiting the ability of untrusted users or processes to create or manipulate kernel sockets.
5. Employ kernel lockdown features and security modules (e.g., SELinux, AppArmor) to restrict kernel module loading and socket operations to trusted code paths.
6. Monitor system logs and kernel crash reports for anomalies related to TCP timers or network namespace operations that might indicate attempts to exploit this vulnerability.
7. In containerized environments, ensure orchestration platforms and container runtimes are updated to handle network namespace lifecycle correctly and do not leave dangling kernel sockets.
8. Coordinate with Linux distribution vendors and infrastructure providers to confirm patch deployment and validate kernel versions in use across critical systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.121Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe2157
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 8:09:53 AM
Last updated: 8/15/2025, 11:22:12 PM