CVE-2024-40954: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: do not leave a dangling sk pointer, when socket creation fails

It is possible to trigger a use-after-free by:

* attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper
* running traceroute -I 1.1.1.1 on a freshly booted VM

A KASAN enabled kernel will log something like below (decoded and stripped):

  ==================================================================
  BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
  Read of size 8 at addr ffff888007110dd8 by task traceroute/299

  CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
  Call Trace:
  <TASK>
  dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
  print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
  ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
  kasan_report (mm/kasan/report.c:603)
  ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
  kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
  __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
  bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)
  bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e
  bpf_trampoline_6442506592+0x47/0xaf
  __sock_release (net/socket.c:652)
  __sock_create (net/socket.c:1601)
  ...

  Allocated by task 299 on cpu 2 at 78.328492s:
  kasan_save_stack (mm/kasan/common.c:48)
  kasan_save_track (mm/kasan/common.c:68)
  __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
  kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)
  sk_prot_alloc (net/core/sock.c:2075)
  sk_alloc (net/core/sock.c:2134)
  inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)
  __sock_create (net/socket.c:1572)
  __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
  __x64_sys_socket (net/socket.c:1718)
  do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

  Freed by task 299 on cpu 2 at 78.328502s:
  kasan_save_stack (mm/kasan/common.c:48)
  kasan_save_track (mm/kasan/common.c:68)
  kasan_save_free_info (mm/kasan/generic.c:582)
  poison_slab_object (mm/kasan/common.c:242)
  __kasan_slab_free (mm/kasan/common.c:256)
  kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)
  __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)
  inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)
  __sock_create (net/socket.c:1572)
  __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
  __x64_sys_socket (net/socket.c:1718)
  do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families' create functions, which may already have attached the reference to the sk object with sock_init_data().
AI Analysis
Technical Summary
CVE-2024-40954 is a use-after-free vulnerability in the Linux kernel's networking subsystem, specifically in socket creation and release. When a protocol family's create function (inet_create() in the report above) has already linked the new struct sock to its struct socket via sock_init_data() and then fails, it releases the sk through sk_common_release(), but the struct socket keeps its pointer to the now-freed sk. The dangling pointer can be observed by attaching an fentry probe to __sock_release() that calls the bpf_get_socket_cookie() helper and then running traceroute with the -I option on a freshly booted virtual machine. A KASAN-enabled kernel reports this as a slab-use-after-free in __sock_gen_cookie(), the function that generates the socket cookie used to identify a socket. The fix clears the struct socket's reference in sk_common_release(), which handles cleanup for all protocol families. The vulnerability affects Linux kernel versions around 6.10.0-rc2 and likely other recent versions before the fix. The issue is low-level, involving kernel memory management and BPF (Berkeley Packet Filter) helpers, which are used for advanced packet filtering and tracing; note that loading and attaching a tracing (fentry) BPF program is itself a privileged operation, so the reported trigger requires a principal that is already permitted to load such programs. Although no known exploits are currently reported in the wild, the vulnerability could be leveraged by local attackers or through crafted BPF programs to cause kernel crashes or potentially escalate privileges by corrupting kernel memory.
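A user-space model of the dangling-pointer pattern the advisory describes and of the fix it names, written here as an added example and not kernel code: the struct and function names mirror the kernel's (struct socket, struct sock, sock_init_data, sk_common_release, inet_create), but their bodies are simplified stand-ins and the failure point is constructed.

```c
/* Added example: models the sock->sk back-pointer left dangling when a
 * protocol-family create function fails after sock_init_data(), and the
 * upstream fix of clearing it inside sk_common_release(). */
#include <stdbool.h>
#include <stdlib.h>

struct sock;
struct socket { struct sock *sk; };            /* BSD-layer socket      */
struct sock   { struct socket *sk_socket; };   /* network-layer sock    */

/* Link both objects to each other, as the kernel's sock_init_data() does. */
static void sock_init_data(struct socket *sock, struct sock *sk)
{
    sk->sk_socket = sock;
    sock->sk = sk;
}

/* Tear down and free an sk. With fix_dangling set, the struct socket's
 * back-pointer is cleared first; that is the line the upstream patch adds. */
static void sk_common_release(struct sock *sk, bool fix_dangling)
{
    if (fix_dangling && sk->sk_socket)
        sk->sk_socket->sk = NULL;
    free(sk);                /* stands in for sock_put() -> __sk_destruct() */
}

/* Protocol-family create: attaches sk, then fails late (constructed
 * failure, standing in for sk->sk_prot->init() failing) and releases sk.
 * Returns -1 on failure, as the real function returns a negative errno. */
static int inet_create(struct socket *sock, bool fix_dangling)
{
    struct sock *sk = calloc(1, sizeof(*sk));
    if (!sk)
        return -1;
    sock_init_data(sock, sk);
    sk_common_release(sk, fix_dangling);   /* constructed failure path */
    return -1;
}

/* Returns true if __sock_release() (or an fentry probe on it that reads
 * sock->sk) would find a pointer to freed memory after a failed create. */
static bool sock_create_leaves_dangling_sk(bool fix_dangling)
{
    struct socket sock = { .sk = NULL };
    if (inet_create(&sock, fix_dangling) == 0)
        return false;
    return sock.sk != NULL;  /* only the pointer value is inspected */
}
```

Without the fix the helper returns true (the socket still references the freed sk); with it the back-pointer is NULL, which is what lets later callers such as __sock_release() notice there is no sk to touch.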
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers, cloud infrastructure, and virtualized environments running vulnerable Linux kernels. Many European enterprises rely on Linux-based systems for critical infrastructure, including telecommunications, finance, healthcare, and government services. Exploitation could lead to denial of service via kernel crashes or potentially privilege escalation if combined with other vulnerabilities, threatening confidentiality, integrity, and availability of systems. The use of BPF and socket operations suggests that attackers with local access or the ability to run specific tracing or network diagnostic tools could exploit this flaw. This is particularly concerning for cloud providers and data centers in Europe, where multi-tenant environments and containerized workloads are common. The vulnerability could also affect embedded Linux devices used in industrial control systems or IoT deployments across Europe, potentially disrupting critical services.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched; kernel updates from trusted Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. Where immediate patching is not feasible, restrict who can load BPF tracing programs (fentry probes): keep the kernel.unprivileged_bpf_disabled sysctl enabled and avoid granting CAP_BPF, CAP_PERFMON or CAP_SYS_ADMIN to untrusted workloads. In the report, traceroute is only the innocent trigger that creates and releases a socket, so restricting it adds little on its own. Implement strict access controls and monitor for unusual kernel tracing or socket-related activity. Additionally, running KASAN-enabled kernels in testing environments (KASAN is a memory-error detector for test builds, not a production hardening feature) can help detect similar issues early. Organizations should also review and restrict container and VM privileges so that untrusted users cannot attach kernel probes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.592Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:41:10 AM
Last updated: 8/18/2025, 7:23:24 PM