CVE-2024-36937: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

xdp: use flags field to disambiguate broadcast redirect

When redirecting a packet using XDP, the bpf_redirect_map() helper will set up the redirect destination information in struct bpf_redirect_info (using the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect() function will read this information after the XDP program returns and pass the frame on to the right redirect destination.

When using the BPF_F_BROADCAST flag to do multicast redirect to a whole map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct bpf_redirect_info to point to the destination map to be broadcast. And xdp_do_redirect() reacts to the value of this map pointer to decide whether it's dealing with a broadcast or a single-value redirect.

However, if the destination map is being destroyed before xdp_do_redirect() is called, the map pointer will be cleared out (by bpf_clear_redirect_map()) without waiting for any XDP programs to stop running. This causes xdp_do_redirect() to think that the redirect was to a single target, but the target pointer is also NULL (since broadcast redirects don't have a single target), so this causes a crash when a NULL pointer is passed to dev_map_enqueue().

To fix this, change xdp_do_redirect() to react directly to the presence of the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info to disambiguate between a single-target and a broadcast redirect. And only read the 'map' pointer if the broadcast flag is set, aborting if that has been cleared out in the meantime. This prevents the crash, while keeping the atomic (cmpxchg-based) clearing of the map pointer itself, and without adding any more checks in the non-broadcast fast path.
AI Analysis
Technical Summary
CVE-2024-36937 is a now-resolved vulnerability in the Linux kernel's eXpress Data Path (XDP) subsystem, which is used for high-performance packet processing. The issue lies in packet redirection through the bpf_redirect_map() helper when the BPF_F_BROADCAST flag is set to perform a multicast redirect to every entry in a map. The root cause is a synchronization gap around the 'map' pointer in struct bpf_redirect_info: when a map is destroyed while an XDP program is still running, bpf_clear_redirect_map() clears that pointer without waiting for the program to finish. xdp_do_redirect() used the presence of the map pointer to distinguish broadcast from single-target redirects, so once the pointer is cleared it treats a broadcast redirect as a single-target one. Because a broadcast redirect carries no single target, the target pointer is also NULL, and passing it to dev_map_enqueue() results in a kernel NULL pointer dereference and crash. The fix changes xdp_do_redirect() to consult the BPF_F_BROADCAST bit in the flags field of struct bpf_redirect_info when deciding between the two redirect types, reading the map pointer only on the broadcast path and aborting the redirect if the pointer has been cleared in the meantime. This keeps the atomic (cmpxchg-based) clearing of the map pointer and adds no checks to the single-target fast path. The vulnerability affects Linux kernel versions containing the specified commit hashes prior to the patch; it requires no user interaction but does require XDP programs that use multicast redirects. No exploits are currently reported in the wild.
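The following C model, added here as an illustration and not taken from the kernel source, contrasts the pre-fix dispatch (which keys on the map pointer) with the fixed dispatch (which keys on the flags field) in the exact state the advisory describes: a broadcast redirect whose map was cleared before xdp_do_redirect() ran. The struct, function and enum names are simplified stand-ins for the kernel's bpf_redirect_info, __bpf_xdp_redirect_map(), bpf_clear_redirect_map() and xdp_do_redirect().

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical, simplified model of struct bpf_redirect_info (constructed for
 * illustration; only the fields the advisory discusses are modelled). */
#define BPF_F_BROADCAST (1U << 3)  /* UAPI value; any distinct bit would do here */
struct model_map { int id; };
struct redirect_info {
    uint32_t flags;         /* flags passed to bpf_redirect_map() */
    struct model_map *map;  /* set for broadcast, cleared on map destroy */
    void *tgt_value;        /* single target; NULL for a broadcast redirect */
};
enum outcome { OK_SINGLE, OK_BROADCAST, ABORT_MAP_GONE, NULL_DEREF };
/* Models __bpf_xdp_redirect_map(): broadcast stores the map, no single target. */
static void setup_redirect(struct redirect_info *ri, struct model_map *map,
                           void *target, uint32_t flags)
{
    ri->flags = flags;
    ri->map = (flags & BPF_F_BROADCAST) ? map : NULL;
    ri->tgt_value = (flags & BPF_F_BROADCAST) ? NULL : target;
}

/* Models bpf_clear_redirect_map(): teardown clears the map pointer without waiting. */
static void clear_redirect_map(struct redirect_info *ri) { ri->map = NULL; }
/* Pre-fix xdp_do_redirect(): the map pointer alone decides broadcast vs single. */
static enum outcome do_redirect_old(const struct redirect_info *ri)
{
    if (ri->map)
        return OK_BROADCAST;
    /* single-target path: dev_map_enqueue() with a NULL target crashes */
    return ri->tgt_value ? OK_SINGLE : NULL_DEREF;
}

/* Fixed xdp_do_redirect(): flags decide; the map is read only for broadcast. */
static enum outcome do_redirect_new(const struct redirect_info *ri)
{
    if (ri->flags & BPF_F_BROADCAST)
        return ri->map ? OK_BROADCAST : ABORT_MAP_GONE;
    return ri->tgt_value ? OK_SINGLE : NULL_DEREF;
}

/* The race from the advisory: broadcast set up, map cleared before dispatch. */
static enum outcome race_scenario(int fixed)
{
    struct model_map m = { 1 };
    struct redirect_info ri;
    setup_redirect(&ri, &m, NULL, BPF_F_BROADCAST);
    clear_redirect_map(&ri);
    return fixed ? do_redirect_new(&ri) : do_redirect_old(&ri);
}
```

The single-target path behaves identically under both dispatchers, which is why the fix adds no cost to the non-broadcast fast path.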
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with XDP programs that utilize multicast redirects via bpf_redirect_map(). The impact is a potential denial of service (DoS) due to kernel crashes triggered by NULL pointer dereferences. This could disrupt network services, especially in environments relying on high-performance packet processing such as ISPs, cloud providers, telecom operators, and data centers. The crash could lead to system instability or forced reboots, impacting availability of critical infrastructure. Confidentiality and integrity are less directly affected since the vulnerability does not enable arbitrary code execution or privilege escalation. However, the resulting downtime could indirectly affect business operations and service level agreements. Given the Linux kernel's widespread use in European enterprise servers, network appliances, and embedded systems, the vulnerability could have broad reach. The absence of known exploits reduces immediate risk, but the complexity of the issue and kernel-level impact warrant prompt attention. Organizations using custom or third-party XDP programs should be particularly vigilant.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-36937 as soon as they become available from trusted sources or Linux distributions.
2. Audit and review any XDP programs deployed in your environment, especially those using multicast redirects with bpf_redirect_map(), to understand exposure.
3. Temporarily disable or avoid using multicast redirects in XDP programs if patching is not immediately feasible.
4. Implement kernel crash monitoring and alerting to detect potential exploitation attempts or instability related to this vulnerability.
5. Coordinate with Linux distribution vendors to ensure timely updates and backports for affected kernel versions.
6. For critical infrastructure, consider deploying redundant systems or failover mechanisms to mitigate availability impact from potential crashes.
7. Engage with network and security teams to validate that network devices and appliances running Linux kernels are updated and configured securely.
8. Maintain strict control over who can load or modify XDP programs to reduce the risk of accidental or malicious triggering of the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.071Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe271d
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 10:25:29 AM
Last updated: 7/26/2025, 7:20:53 AM