CVE-2024-37356: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

In dctcp_update_alpha(), we use a module parameter dctcp_shift_g as follows:

    alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
    ...
    delivered_ce <<= (10 - dctcp_shift_g);

It seems syzkaller started fuzzing module parameters and triggered shift-out-of-bounds [0] by setting 100 to dctcp_shift_g:

    memcpy((void*)0x20000080, "/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47);
    res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul, /*flags=*/2ul, /*mode=*/0ul);
    memcpy((void*)0x20000000, "100\000", 4);
    syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);

Let's limit the max value of dctcp_shift_g by param_set_uint_minmax().

With this patch:

    # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
    # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g
    10
    # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
    -bash: echo: write error: Invalid argument

[0]:
UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12
shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')
CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
 dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143
 tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]
 tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948
 tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711
 tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937
 sk_backlog_rcv include/net/sock.h:1106 [inline]
 __release_sock+0x20f/0x350 net/core/sock.c:2983
 release_sock+0x61/0x1f0 net/core/sock.c:3549
 mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907
 mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976
 __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072
 mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127
 inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437
 __sock_release net/socket.c:659 [inline]
 sock_close+0xc0/0x240 net/socket.c:1421
 __fput+0x41b/0x890 fs/file_table.c:422
 task_work_run+0x23b/0x300 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x9c8/0x2540 kernel/exit.c:878
 do_group_exit+0x201/0x2b0 kernel/exit.c:1027
 __do_sys_exit_group kernel/exit.c:1038 [inline]
 __se_sys_exit_group kernel/exit.c:1036 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f6c2b5005b6
Code: Unable to access opcode bytes at 0x7f6c2b50058c.
RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
AI Analysis
Technical Summary
CVE-2024-37356 is a vulnerability in the Linux kernel's implementation of the DCTCP (Data Center TCP) congestion control algorithm, specifically in the function dctcp_update_alpha(). The issue arises from an unchecked module parameter, dctcp_shift_g, which is used as the shift count in two bit-shift operations on 32-bit unsigned integers: alpha >> dctcp_shift_g and delivered_ce <<= (10 - dctcp_shift_g). The bug was found by syzkaller, which had started fuzzing module parameters and showed that setting dctcp_shift_g to an excessively high value (e.g., 100) triggers a UBSAN shift-out-of-bounds report. The code performs the shifts without validating that the shift count is within the valid range for a 32-bit integer (a shift by 32 or more is undefined behaviour in C), so the result is undefined behaviour and potential kernel instability or crashes. The patch limits dctcp_shift_g to a maximum value of 10 using param_set_uint_minmax(); the bound is 10 rather than 31 because the second expression, 10 - dctcp_shift_g, is evaluated on an unsigned parameter and would otherwise wrap to a huge shift count. After the fix, a write of 11 to the parameter is rejected with "Invalid argument" (EINVAL). The root cause is improper input validation of a kernel module parameter that is exposed through sysfs at /sys/module/tcp_dctcp/parameters/dctcp_shift_g and can be changed by anyone with write access to that file. Exploitation therefore requires the ability to write to this sysfs parameter, which is typically restricted to privileged (root) users or processes. The vulnerability does not appear to be exploited in the wild yet, and no CVSS score has been assigned. The underlying issue is a classic integer shift error that can cause kernel panics or denial of service through an unstable kernel state. It affects Linux kernel versions containing the vulnerable dctcp_update_alpha() implementation prior to the patch bounding dctcp_shift_g.
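The two shift expressions and the bounded setter, as an added user-space model that is not kernel code: dctcp_alpha_step() reproduces the alpha update from dctcp_update_alpha(), and set_dctcp_shift_g() mirrors what param_set_uint_minmax() enforces after the fix (DCTCP_SHIFT_G_MAX and both function names are this example's own; the 0..10 range and the EINVAL behaviour are from the description above).

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
typedef uint32_t u32;
#define DCTCP_MAX_ALPHA   1024U   /* alpha is scaled by 2^10 */
#define DCTCP_SHIFT_G_MAX 10U     /* keeps 10 - shift_g >= 0, and < 32 */

/* Same semantics as the kernel's min_not_zero(): ignore a zero operand. */
static u32 min_not_zero(u32 x, u32 y)
{
    if (x == 0) return y;
    if (y == 0) return x;
    return x < y ? x : y;
}

/* Model of param_set_uint_minmax(): parse the value as a sysfs write
 * delivers it (decimal, optional trailing newline) and reject anything
 * outside [0, DCTCP_SHIFT_G_MAX] with -EINVAL ("Invalid argument"). */
static int set_dctcp_shift_g(const char *val, unsigned int *shift_g)
{
    char *end;
    unsigned long v;
    errno = 0;
    v = strtoul(val, &end, 10);
    if (val[0] == '-' || end == val || errno != 0 || v > UINT_MAX)
        return -EINVAL;
    if (*end == '\n') end++;
    if (*end != '\0' || v > DCTCP_SHIFT_G_MAX)
        return -EINVAL;                 /* what "echo 11 > ..." now hits */
    *shift_g = (unsigned int)v;
    return 0;
}

/* Per-RTT update from dctcp_update_alpha(): alpha = (1-g)*alpha + g*F with
 * g = 2^-shift_g.  Well defined only because shift_g <= 10 is guaranteed. */
static u32 dctcp_alpha_step(u32 alpha, u32 delivered, u32 delivered_ce,
                            unsigned int shift_g)
{
    alpha -= min_not_zero(alpha, alpha >> shift_g);
    if (delivered_ce) {
        delivered_ce <<= (10 - shift_g);
        delivered_ce /= delivered ? delivered : 1;
        alpha += delivered_ce;
        if (alpha > DCTCP_MAX_ALPHA) alpha = DCTCP_MAX_ALPHA;
    }
    return alpha;
}
```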
Potential Impact
For European organizations, the primary impact of CVE-2024-37356 is the risk of denial of service (DoS) on Linux systems running affected kernel versions with the DCTCP module loaded. Since DCTCP is mostly used in data center environments to tune TCP congestion control, servers and network infrastructure relying on it could experience kernel crashes or instability if an attacker or a misconfigured process sets dctcp_shift_g to an invalid value. This could disrupt critical services, especially at cloud hosting providers, telecom operators, and enterprises running Linux-based network appliances. Confidentiality and integrity impacts are minimal: the vulnerability does not directly allow code execution or privilege escalation, but it could be used within a broader attack chain to cause service outages. The requirement for write access to the kernel's sysfs module parameters limits the attack surface to privileged insiders or already-compromised privileged processes. However, in the multi-tenant environments common in Europe’s cloud and hosting sectors, a malicious tenant with elevated privileges on a shared host might use it to disrupt co-hosted services. The vulnerability also poses an operational risk during kernel upgrades or parameter tuning if changes are not properly controlled, since a mistyped value is enough to trigger it. Overall, the impact is availability-related, affecting service continuity and potentially causing downtime.
Mitigation Recommendations
European organizations should apply the official Linux kernel patch that restricts the dctcp_shift_g parameter to a maximum value of 10, preventing out-of-bounds shifts; on a patched kernel, a write of 11 to /sys/module/tcp_dctcp/parameters/dctcp_shift_g fails with "Invalid argument", which is a quick way to confirm the fix is present. System administrators must audit and restrict write permissions on that sysfs file to trusted users only, ensuring unprivileged users cannot modify the parameter. Monitoring tools should be configured to alert on unexpected writes or attempted writes to kernel module parameters related to TCP congestion control. For environments using custom kernel builds or older distributions, backporting the patch or upgrading to a kernel version containing the fix is critical. Network operators should review whether they actually use DCTCP and consider not loading or restricting the module if it is not required. Additionally, strict access controls and privilege separation on Linux hosts reduce the chance that an attacker reaches the position needed to change module parameters. Regular kernel updates and vulnerability scanning should be part of routine security hygiene so that such issues are detected and remediated promptly. Finally, testing kernel parameter changes in a staging environment before production deployment can prevent accidental misconfigurations that would otherwise trigger this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-21T10:13:16.306Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe28a5
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 10:57:00 AM
Last updated: 8/12/2025, 9:02:34 AM