CVE-2024-39500: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

sock_map: avoid race between sock_map_close and sk_psock_put

sk_psock_get will return NULL if the refcount of psock has gone to 0, which will happen when the last call of sk_psock_put is done. However, sk_psock_drop may not have finished yet, so the close callback will still point to sock_map_close despite psock being NULL.

This can be reproduced with a thread deleting an element from the sock map, while the second one creates a socket, adds it to the map and closes it.

That will trigger the WARN_ON_ONCE:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701
Modules linked in:
CPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701
Code: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02
RSP: 0018:ffffc9000441fda8 EFLAGS: 00010293
RAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000
RDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0
RBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3
R10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840
R13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870
FS:  000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 unix_release+0x87/0xc0 net/unix/af_unix.c:1048
 __sock_release net/socket.c:659 [inline]
 sock_close+0xbe/0x240 net/socket.c:1421
 __fput+0x42b/0x8a0 fs/file_table.c:422
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close fs/open.c:1541 [inline]
 __x64_sys_close+0x7f/0x110 fs/open.c:1541
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb37d618070
Code: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
RSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070
RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Use sk_psock, which will only check that the pointer has not been set to NULL yet, which should only happen after the callbacks are restored. If, then, a reference can still be gotten, we may call sk_psock_stop and cancel psock->work.

As suggested by Paolo Abeni, reorder the condition so the control flow is less convoluted.

After that change, the reproducer does not trigger the WARN_ON_ONCE anymore.
AI Analysis
Technical Summary
CVE-2024-39500 is a race condition vulnerability in the Linux kernel's sock_map implementation, specifically involving the interaction between sock_map_close and sk_psock_put/drop functions. The vulnerability arises because sk_psock_get can return NULL when the reference count of a psock (packet socket) reaches zero, which occurs after the last call to sk_psock_put. However, the sk_psock_drop function may not have completed yet, leaving the close callback still pointing to sock_map_close despite the psock pointer being NULL. This creates a race condition when one thread deletes an element from the sock map while another concurrently creates a socket, adds it to the map, and closes it. This race can trigger a kernel warning (WARN_ON_ONCE) and potentially lead to undefined behavior or kernel instability. The root cause is a timing window where the psock pointer is NULL but callbacks have not been cleared, causing the kernel to attempt operations on invalid pointers. The fix involves using sk_psock which checks that the pointer has not been set to NULL prematurely and reordering control flow to reduce complexity and prevent the race. After applying the patch, the race condition and associated warnings no longer occur. This vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using the sock_map feature, which is used for socket map operations in networking subsystems.
Potential Impact
For European organizations, the impact of CVE-2024-39500 primarily concerns systems running vulnerable Linux kernel versions that utilize the sock_map feature, which is common in networking infrastructure and cloud environments. Exploitation could lead to kernel instability, crashes, or denial of service (DoS) conditions, potentially disrupting critical network services and applications. While no known exploits are reported in the wild, the vulnerability could be leveraged in multi-threaded environments or containerized/cloud workloads where concurrent socket operations are frequent. This could affect data centers, telecom providers, cloud service providers, and enterprises relying on Linux-based networking stacks. The impact on confidentiality and integrity is limited as the vulnerability does not directly allow code execution or privilege escalation; however, availability could be significantly affected. Disruptions in network services could lead to operational downtime, impacting business continuity and service level agreements. Given the widespread use of Linux in European IT infrastructure, especially in cloud and telecom sectors, timely patching is critical to prevent potential exploitation and service disruption.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-39500. Specifically, kernel maintainers and system administrators should apply the latest stable Linux kernel releases or backported patches that address the race condition in sock_map_close and sk_psock_put/drop. For environments where immediate patching is not feasible, mitigating risk involves limiting concurrent socket map operations and avoiding workloads that heavily rely on sock_map features until patched. Additionally, organizations should implement robust kernel crash monitoring and alerting to detect any WARN_ON_ONCE or kernel warnings indicative of this race condition. Employing kernel live patching solutions where available can reduce downtime associated with kernel upgrades. Network segmentation and strict access controls can also reduce the attack surface by limiting untrusted code execution or multi-threaded socket operations by unauthorized users. Finally, maintaining up-to-date inventories of Linux kernel versions deployed across infrastructure will help prioritize patch deployment in the most critical systems.
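The monitoring recommendation above can be made concrete. What follows is an added example, not code from the advisory or from the Linux kernel project: a small Python parser that scans kernel log lines (dmesg or journald output) for WARNING headers, joins each header with the Comm / taint / kernel-version line that follows it, and raises an alert only for warnings emitted from sock_map_close. The sample log is constructed here from the trace quoted in the description; the dmesg timestamps, the second unrelated warning and its drivers/example/hypothetical.c path are made up to show that unrelated warnings are not flagged.

```python
import re

# Header line of a kernel WARN_ON / WARN_ON_ONCE report, e.g. (from the CVE text):
#   WARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 ...
WARNING_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<file>[^\s:]+):(?P<line>\d+) (?P<func>[A-Za-z_][A-Za-z0-9_.]*)"
)

# Task line printed a few lines after the header, e.g.:
#   CPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0
TASK_RE = re.compile(
    r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
    r"(?P<taint>Not tainted|Tainted: .+?) (?P<kernel>\S+) #(?P<build>\d+)"
)

# Prefixes added by dmesg ("[   12.345678] ") or by syslog/journald ("... kernel: ").
PREFIX_RE = re.compile(r"^(?:\[\s*\d+\.\d+\]\s*|.*?\bkernel:\s*)")

# Function whose WARN_ON_ONCE the CVE-2024-39500 commit message shows firing.
# Match on the function, not on net/core/sock_map.c:1701: line numbers move between kernels.
WATCHED_FUNCS = {"sock_map_close"}


def strip_prefix(raw):
    """Remove a dmesg timestamp or syslog/journald prefix from one log line."""
    return PREFIX_RE.sub("", raw.strip(), count=1)


def parse_warnings(lines):
    """Return one dict per WARNING header in `lines`, enriched with the
    Comm / taint / kernel-version fields from the matching task line."""
    events = []
    current = None
    for raw in lines:
        text = strip_prefix(raw)
        m = WARNING_RE.search(text)
        if m:
            current = {
                "cpu": int(m["cpu"]),
                "pid": int(m["pid"]),
                "file": m["file"],
                "line": int(m["line"]),
                "func": m["func"],
                "comm": None,
                "tainted": None,
                "kernel": None,
            }
            events.append(current)
            continue
        # Only accept a task line whose PID matches the header we are filling in.
        if current is not None and current["comm"] is None:
            t = TASK_RE.search(text)
            if t and int(t["pid"]) == current["pid"]:
                current["comm"] = t["comm"]
                current["tainted"] = t["taint"] != "Not tainted"
                current["kernel"] = t["kernel"]
    return events


def sock_map_alerts(lines):
    """Filter parsed warnings down to those raised from the watched functions."""
    return [e for e in parse_warnings(lines) if e["func"] in WATCHED_FUNCS]


def format_alert(e):
    """One-line alert suitable for forwarding to a SIEM or pager."""
    return (f"kernel WARNING in {e['func']} ({e['file']}:{e['line']}) "
            f"pid={e['pid']} comm={e['comm']} kernel={e['kernel']} tainted={e['tainted']}")


# Constructed sample log: the WARNING and task lines from the CVE description with
# invented dmesg timestamps, plus an unrelated, made-up warning that must NOT alert.
SAMPLE_LOG = [
    "[  314.159265] ------------[ cut here ]------------",
    "[  314.159270] WARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 "
    "sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701",
    "[  314.159275] Modules linked in:",
    "[  314.159280] CPU: 1 PID: 7220 Comm: syz-executor380 Not tainted "
    "6.9.0-syzkaller-07726-g3c999d1ae3c7 #0",
    "[  314.159285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024",
    "[  314.159290] RIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701",
    "[  400.000001] ------------[ cut here ]------------",
    "[  400.000002] WARNING: CPU: 0 PID: 42 at drivers/example/hypothetical.c:10 example_probe+0x10/0x20",
    "[  400.000003] CPU: 0 PID: 42 Comm: kworker/0:1 Tainted: G        W 6.9.0-example #1",
]

if __name__ == "__main__":
    for event in sock_map_alerts(SAMPLE_LOG):
        print(format_alert(event))
```

Two practical notes: WARN_ON_ONCE fires at most once per boot, so the first occurrence is the only signal you will get until the next reboot and must not be deduplicated away; and the kernel version captured from the task line is what lets you correlate the alert against your kernel inventory to decide whether the host is still running an unpatched release.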
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-25T14:23:23.751Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2d7b
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 12:55:11 PM
Last updated: 8/18/2025, 11:34:58 PM
Views: 14
Related Threats
CVE-2025-9356: Stack-based Buffer Overflow in Linksys RE6250 (High)
CVE-2025-9355: Stack-based Buffer Overflow in Linksys RE6250 (High)
CVE-2025-43761: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal (Medium)
CVE-2025-24902: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA (Critical)
CVE-2025-52451: CWE-20 Improper Input Validation in Salesforce Tableau Server (High)