CVE-2024-39487: Vulnerability in Linux Linux

Medium
Published: Tue Jul 09 2024 (07/09/2024, 09:52:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read.

BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc1/0x5e0 mm/kasan/report.c:475
 kasan_report+0xbe/0xf0 mm/kasan/report.c:588
 strlen+0x7d/0xa0 lib/string.c:418
 __fortify_strlen include/linux/fortify-string.h:210 [inline]
 in4_pton+0xa3/0x3f0 net/core/utils.c:130
 bond_option_arp_ip_targets_set+0xc2/0x910 drivers/net/bonding/bond_options.c:1201
 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
 dev_attr_store+0x54/0x80 drivers/base/core.c:2366
 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x96a/0xd80 fs/read_write.c:584
 ksys_write+0x122/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
---[ end trace ]---

Fix it by adding a check of string length before using it.

AI-Powered Analysis

Last updated: 06/29/2025, 12:42:00 UTC

Technical Analysis

CVE-2024-39487 is an out-of-bounds read in the Linux kernel's bonding driver, in the function bond_option_arp_ip_targets_set(), which handles the ARP IP target option of a network bonding configuration. When the input string (newval->string) is empty, the function still uses newval->string+1, which points to the byte after the string and therefore outside the allocated memory. The kernel then reads beyond the intended buffer, and the Kernel Address Sanitizer (KASAN) reports a slab-out-of-bounds read of size 1, raised in strlen() as called from in4_pton(). Such a read can cause instability or potential kernel crashes. The root cause is the lack of a check on the string length before the string is used in strlen and related string operations. The KASAN report in the description comes from Linux kernel version 6.7.0-rc7 running in a QEMU virtual machine. The fix adds a validation step that ensures the string is not empty before it is processed, which prevents the out-of-bounds read. While no known exploits are reported in the wild, the vulnerability affects the core Linux kernel networking subsystem, which is widely used across many Linux distributions and environments.
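The unchecked and checked patterns described above, side by side, as an added userspace example (not code from the kernel or from this page). The function names, the enum and the use of inet_pton() in place of the kernel's in4_pton() are assumptions made for illustration, and the sample buffer is constructed.

```c
/* Added userspace model of a "+addr" / "-addr" option string; not kernel code. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum target_op { TARGET_ADD = 1, TARGET_REMOVE = 2 };

/* Pre-fix pattern: hands s + 1 to the address parser before looking at s[0].
 * For s == "" that pointer is already past the terminating NUL. */
static int parse_target_unchecked(const char *s, struct in_addr *out)
{
    if (inet_pton(AF_INET, s + 1, out) != 1)
        return -EINVAL;
    if (s[0] == '+')
        return TARGET_ADD;
    if (s[0] == '-')
        return TARGET_REMOVE;
    return -EINVAL;
}

/* Post-fix pattern: reject a zero-length string before s + 1 is ever used. */
static int parse_target_checked(const char *s, struct in_addr *out)
{
    if (strlen(s) < 1)
        return -EINVAL;
    return parse_target_unchecked(s, out);
}

/* Constructed sample: an empty string held in a larger array, so the bytes
 * after the terminator are in bounds here and contain leftover text.
 * Returns 1 if the unchecked parser consumed those leftover bytes. */
static int unchecked_reads_past_terminator(void)
{
    char buf[16] = { '\0', '1', '0', '.', '0', '.', '0', '.', '1', '\0' };
    struct in_addr a = { 0 };
    (void)parse_target_unchecked(buf, &a); /* -EINVAL, but only after parsing */
    return a.s_addr == inet_addr("10.0.0.1");
}

int main(void)
{
    struct in_addr a = { 0 };
    printf("unchecked read past NUL: %d\n", unchecked_reads_past_terminator());
    printf("checked \"\": %d\n", parse_target_checked("", &a));
    printf("checked \"+192.0.2.1\": %d\n", parse_target_checked("+192.0.2.1", &a));
    return 0;
}
```

In the model the bytes after the terminator are deliberately in bounds so the read is observable; in the kernel case the string fills its slab allocation, so the same read lands outside it and KASAN reports it.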

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected bonding driver versions. Network bonding is commonly used in enterprise environments to aggregate multiple network interfaces for redundancy and increased throughput. An out-of-bounds read in kernel space can lead to system instability, kernel panics, or crashes, potentially causing denial of service (DoS) conditions. Although this vulnerability does not directly indicate privilege escalation or remote code execution, the resulting kernel instability can disrupt critical network services, impacting availability. Organizations relying on Linux-based servers, network appliances, or virtualized environments that utilize bonding for network resilience could experience outages or degraded performance. Additionally, the vulnerability could be leveraged as part of a multi-stage attack chain if combined with other exploits, increasing the risk to confidentiality and integrity indirectly. The lack of known exploits reduces immediate threat but does not eliminate the risk, especially in high-security environments where kernel stability is paramount.

Mitigation Recommendations

European organizations should promptly update their Linux kernels to versions where this vulnerability is patched. Since the fix involves adding a string length check in the bonding driver, applying the latest stable kernel releases or vendor-provided security patches is essential. For environments where immediate patching is not feasible, administrators should consider disabling the bonding driver or avoiding the use of ARP IP target options in bonding configurations as a temporary workaround. Monitoring kernel logs for KASAN slab-out-of-bounds errors can help detect attempts to trigger this vulnerability; these reports appear only on kernels built with KASAN enabled. Network segmentation and limiting access to systems with bonding configurations reduce exposure. Additionally, organizations should implement rigorous testing of kernel updates in staging environments to ensure stability before deployment. Maintaining up-to-date intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions can aid in identifying anomalous behavior related to kernel faults. Finally, documenting and auditing network bonding configurations will help identify systems at risk and prioritize patching efforts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-06-25T14:23:23.747Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2d16

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 12:42:00 PM

Last updated: 8/12/2025, 3:33:04 AM
