CVE-2024-40958: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: netns: Make get_net_ns() handle zero refcount net Syzkaller hit a warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 Modules linked in: CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4 R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0xa3/0xc0 ? __warn+0xa5/0x1c0 ? refcount_warn_saturate+0xdf/0x1d0 ? report_bug+0x1fc/0x2d0 ? refcount_warn_saturate+0xdf/0x1d0 ? handle_bug+0xa1/0x110 ? exc_invalid_op+0x3c/0xb0 ? asm_exc_invalid_op+0x1f/0x30 ? __warn_printk+0xcc/0x140 ? __warn_printk+0xd5/0x140 ? refcount_warn_saturate+0xdf/0x1d0 get_net_ns+0xa4/0xc0 ? __pfx_get_net_ns+0x10/0x10 open_related_ns+0x5a/0x130 __tun_chr_ioctl+0x1616/0x2370 ? __sanitizer_cov_trace_switch+0x58/0xa0 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30 ? __pfx_tun_chr_ioctl+0x10/0x10 tun_chr_ioctl+0x2f/0x40 __x64_sys_ioctl+0x11b/0x160 x64_sys_call+0x1211/0x20d0 do_syscall_64+0x9e/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5b28f165d7 Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8 RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003 RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730 R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... This is trigger as below: ns0 ns1 tun_set_iff() //dev is tun0 tun->dev = dev //ip link set tun0 netns ns1 put_net() //ref is 0 __tun_chr_ioctl() //TUNGETDEVNETNS net = dev_net(tun->dev); open_related_ns(&net->ns, get_net_ns); //ns1 get_net_ns() get_net() //addition on 0 Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
AI Analysis
Technical Summary
CVE-2024-40958 is a vulnerability identified in the Linux kernel, specifically related to the network namespace (netns) reference counting mechanism. The flaw arises in the function get_net_ns(), which improperly handles a zero reference count on a network namespace object. This leads to a use-after-free condition, as demonstrated by the Syzkaller fuzzing tool triggering a warning: "refcount_t: addition on 0; use-after-free." The vulnerability occurs when the kernel attempts to increment the reference count of a network namespace that has already been released (reference count zero), resulting in undefined behavior and potential kernel panic. The detailed kernel logs show that the issue manifests during operations involving TUN/TAP virtual network devices, particularly when moving a TUN device between network namespaces (e.g., via "ip link set tun0 netns ns1"). The root cause is that get_net_ns() calls get_net() which performs an addition on a zero refcount, leading to a use-after-free. The recommended fix is to replace get_net() with maybe_get_net() in get_net_ns(), which safely handles zero reference counts by returning NULL instead of incrementing. This vulnerability can cause kernel panics and denial of service (DoS) conditions, potentially destabilizing systems running vulnerable Linux kernel versions. The affected versions are identified by specific git commit hashes, indicating this is a recent regression or flaw in the Linux kernel source. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernels with TUN/TAP devices and network namespaces in use. Such configurations are common in cloud infrastructure, virtualization platforms, container orchestration environments (e.g., Kubernetes), and VPN services. Exploitation could allow an attacker with local access or the ability to trigger specific ioctl calls on TUN devices to cause kernel panics, resulting in denial of service. This can disrupt critical services, especially in sectors relying heavily on Linux-based networking and virtualization such as telecommunications, finance, and cloud service providers. While the vulnerability does not appear to allow privilege escalation or remote code execution directly, the resulting instability and DoS can impact availability and operational continuity. Given the widespread use of Linux in European data centers and enterprise environments, unpatched systems could face service outages and increased operational risk. Additionally, organizations using containers or network namespaces extensively may see amplified impact due to the nature of the flaw affecting namespace reference counting.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates that include the fix replacing get_net() with maybe_get_net() in get_net_ns(). Monitor kernel mailing lists and vendor advisories for patches. 2. Kernel version management: Avoid running release candidate or custom kernels (such as 6.10.0-rc3) in production environments until this issue is resolved. 3. Limit access: Restrict local user access to systems with TUN/TAP devices and network namespace operations to trusted administrators only. 4. Harden container and virtualization environments: Implement strict namespace and device access controls to minimize attack surface. 5. Monitoring and alerting: Deploy kernel crash monitoring tools and alert on kernel panics or refcount warnings to detect exploitation attempts early. 6. Network namespace usage review: Audit and minimize unnecessary use of network namespaces and TUN devices where possible to reduce exposure. 7. Incident response readiness: Prepare for potential denial of service incidents by ensuring redundancy and failover mechanisms are in place for critical Linux-based services.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-40958: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: netns: Make get_net_ns() handle zero refcount net Syzkaller hit a warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 Modules linked in: CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4 R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0xa3/0xc0 ? __warn+0xa5/0x1c0 ? refcount_warn_saturate+0xdf/0x1d0 ? report_bug+0x1fc/0x2d0 ? refcount_warn_saturate+0xdf/0x1d0 ? handle_bug+0xa1/0x110 ? exc_invalid_op+0x3c/0xb0 ? asm_exc_invalid_op+0x1f/0x30 ? __warn_printk+0xcc/0x140 ? __warn_printk+0xd5/0x140 ? refcount_warn_saturate+0xdf/0x1d0 get_net_ns+0xa4/0xc0 ? __pfx_get_net_ns+0x10/0x10 open_related_ns+0x5a/0x130 __tun_chr_ioctl+0x1616/0x2370 ? __sanitizer_cov_trace_switch+0x58/0xa0 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30 ? __pfx_tun_chr_ioctl+0x10/0x10 tun_chr_ioctl+0x2f/0x40 __x64_sys_ioctl+0x11b/0x160 x64_sys_call+0x1211/0x20d0 do_syscall_64+0x9e/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5b28f165d7 Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8 RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003 RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730 R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... This is trigger as below: ns0 ns1 tun_set_iff() //dev is tun0 tun->dev = dev //ip link set tun0 netns ns1 put_net() //ref is 0 __tun_chr_ioctl() //TUNGETDEVNETNS net = dev_net(tun->dev); open_related_ns(&net->ns, get_net_ns); //ns1 get_net_ns() get_net() //addition on 0 Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
AI-Powered Analysis
Technical Analysis
CVE-2024-40958 is a vulnerability identified in the Linux kernel, specifically related to the network namespace (netns) reference counting mechanism. The flaw arises in the function get_net_ns(), which improperly handles a zero reference count on a network namespace object. This leads to a use-after-free condition, as demonstrated by the Syzkaller fuzzing tool triggering a warning: "refcount_t: addition on 0; use-after-free." The vulnerability occurs when the kernel attempts to increment the reference count of a network namespace that has already been released (reference count zero), resulting in undefined behavior and potential kernel panic. The detailed kernel logs show that the issue manifests during operations involving TUN/TAP virtual network devices, particularly when moving a TUN device between network namespaces (e.g., via "ip link set tun0 netns ns1"). The root cause is that get_net_ns() calls get_net() which performs an addition on a zero refcount, leading to a use-after-free. The recommended fix is to replace get_net() with maybe_get_net() in get_net_ns(), which safely handles zero reference counts by returning NULL instead of incrementing. This vulnerability can cause kernel panics and denial of service (DoS) conditions, potentially destabilizing systems running vulnerable Linux kernel versions. The affected versions are identified by specific git commit hashes, indicating this is a recent regression or flaw in the Linux kernel source. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernels with TUN/TAP devices and network namespaces in use. Such configurations are common in cloud infrastructure, virtualization platforms, container orchestration environments (e.g., Kubernetes), and VPN services. Exploitation could allow an attacker with local access or the ability to trigger specific ioctl calls on TUN devices to cause kernel panics, resulting in denial of service. This can disrupt critical services, especially in sectors relying heavily on Linux-based networking and virtualization such as telecommunications, finance, and cloud service providers. While the vulnerability does not appear to allow privilege escalation or remote code execution directly, the resulting instability and DoS can impact availability and operational continuity. Given the widespread use of Linux in European data centers and enterprise environments, unpatched systems could face service outages and increased operational risk. Additionally, organizations using containers or network namespaces extensively may see amplified impact due to the nature of the flaw affecting namespace reference counting.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates that include the fix replacing get_net() with maybe_get_net() in get_net_ns(). Monitor kernel mailing lists and vendor advisories for patches. 2. Kernel version management: Avoid running release candidate or custom kernels (such as 6.10.0-rc3) in production environments until this issue is resolved. 3. Limit access: Restrict local user access to systems with TUN/TAP devices and network namespace operations to trusted administrators only. 4. Harden container and virtualization environments: Implement strict namespace and device access controls to minimize attack surface. 5. Monitoring and alerting: Deploy kernel crash monitoring tools and alert on kernel panics or refcount warnings to detect exploitation attempts early. 6. Network namespace usage review: Audit and minimize unnecessary use of network namespaces and TUN devices where possible to reduce exposure. 7. Incident response readiness: Prepare for potential denial of service incidents by ensuring redundancy and failover mechanisms are in place for critical Linux-based services.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.593Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9827c4522896dcbe14d4
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:41:48 AM
Last updated: 7/31/2025, 3:17:26 AM
Views: 8
Related Threats
CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighCVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.