CVE-2024-40981: Vulnerability in the Linux kernel
Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bypass empty buckets in batadv_purge_orig_ref()

Many syzbot reports are pointing to soft lockups in batadv_purge_orig_ref() [1]

Root cause is unknown, but we can avoid spending too much time there and perhaps get more interesting reports.

[1]
watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]
Modules linked in:
irq event stamp: 6182794
hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271
CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: bat_events batadv_purge_orig
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]
pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388
lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
sp : ffff800099007970
x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000
x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001
x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4
x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0
x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001
x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000
Call trace:
 __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
 arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]
 __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
 batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300
 process_one_work+0x694/0x1204 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x938/0xef4 kernel/workqueue.c:2787
 kthread+0x288/0x310 kernel/kthread.c:388
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51
lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103
sp : ffff800093a17d30
x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4
x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002
x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000
x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396
x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001
---truncated---
AI Analysis
Technical Summary
CVE-2024-40981 is a vulnerability in the Linux kernel's batman-adv (Better Approach To Mobile Adhoc Networking, advanced) module. The issue lies in batadv_purge_orig_ref(), the function that purges stale originator references in the batman-adv routing protocol implementation. It manifests as a soft lockup: the CPU stays stuck in this function for an extended period (27 seconds in the quoted report), which the kernel watchdog flags with a "BUG: soft lockup" warning and a stack trace. The trace shows the bat_events workqueue worker looping in batadv_purge_orig_ref(), taking and releasing a spinlock with bottom halves disabled (spin_lock_bh/spin_unlock_bh) for each hash bucket. The root cause of the excessive processing time is not fully understood, but attackers or adverse system conditions can trigger prolonged CPU lockups, potentially leading to a denial of service (DoS). The CVE record lists affected versions starting from commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (the root of the kernel git history), so any kernel containing the vulnerable batman-adv code is likely affected. No exploits are known in the wild, and no CVSS score has been assigned. The problem is relevant mainly to systems using the batman-adv mesh networking protocol, which is typically deployed in wireless mesh networks and specialized networking environments. Because the purge runs from a kernel workqueue, triggering it requires no user interaction, though it may require specific network conditions or configurations involving batman-adv. The fix (commit title: "batman-adv: bypass empty buckets in batadv_purge_orig_ref()") skips hash buckets that hold no originators, so the function spends less time in that loop, preventing the CPU soft lockups and improving system stability.
Potential Impact
For European organizations, the impact of CVE-2024-40981 primarily concerns systems that utilize the batman-adv mesh networking protocol within their Linux-based infrastructure. This includes organizations operating wireless mesh networks for critical communications, IoT deployments, or specialized network topologies in sectors such as telecommunications, public safety, smart city infrastructure, and research institutions. The vulnerability can cause CPU soft lockups leading to system unresponsiveness or denial of service, which may disrupt network availability and degrade operational continuity. While the vulnerability does not appear to allow privilege escalation or direct data compromise, the resulting DoS can impact service delivery and availability of networked systems. European organizations relying on Linux kernel versions with the vulnerable batman-adv module are at risk of operational disruptions, especially if they deploy mesh networks in production environments. The lack of known exploits reduces immediate risk, but the potential for accidental or malicious triggering of the soft lockup means organizations should prioritize patching to maintain network reliability. The impact is more pronounced in environments where high availability and real-time network responsiveness are critical.
Mitigation Recommendations
1. Apply Kernel Updates: Immediately update affected Linux systems to the latest kernel versions where the batman-adv vulnerability has been patched. Monitor Linux kernel mailing lists and vendor advisories for official patches.
2. Disable Batman-adv if Not Needed: If batman-adv mesh networking is not required, disable or remove the module to eliminate exposure.
3. Network Configuration Review: For systems using batman-adv, review network configurations to minimize conditions that could trigger excessive purging operations.
4. Monitor System Logs: Implement monitoring for kernel soft lockup warnings and watchdog timer messages to detect early signs of the issue.
5. Limit Workload: Avoid high network loads or configurations that cause frequent originator purging until patches are applied.
6. Test Patches in Controlled Environments: Before deploying kernel updates broadly, test patches in staging environments to ensure stability and compatibility.
7. Engage with Vendors: For commercial Linux distributions, coordinate with vendors for timely patch releases and support.
8. Incident Response Preparedness: Prepare response plans for potential DoS incidents related to this vulnerability, including system reboot procedures and fallback network paths.
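To support the log-monitoring recommendation above, here is an added Python example (not from this advisory or the kernel project) that scans kernel log lines for watchdog soft-lockup reports and flags those whose trace passes through batadv_purge_orig_ref(); the sample log lines are constructed, modelled on the report quoted in the description.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of kernel log lines, modelled on the watchdog report
# quoted in the CVE description (not a real capture).
SAMPLE_LOG = """\
[  100.1] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]
[  100.2] Workqueue: bat_events batadv_purge_orig
[  100.3] Call trace:
[  100.4]  __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386
[  100.5]  batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
[  100.6]  batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300
[  200.0] watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [ksoftirqd/1:18]
[  200.1] Call trace:
[  200.2]  net_rx_action+0x1a0/0x400 net/core/dev.c:6000
[  300.0] usb 1-1: new high-speed USB device number 3
"""

LOCKUP_RE = re.compile(
    r"watchdog: BUG: soft lockup - CPU#(?P<cpu>\d+) stuck for (?P<secs>\d+)s! "
    r"\[(?P<task>[^\]]+)\]"
)
# Symbols that tie a lockup to the batman-adv originator purge path.
BATADV_MARKERS = ("batadv_purge_orig_ref", "batadv_purge_orig", "bat_events")

@dataclass
class Lockup:
    cpu: int
    seconds: int
    task: str
    batadv_related: bool = False
    frames: list = field(default_factory=list)

def parse_lockups(text, trace_window=20):
    """One Lockup per watchdog report; flag those whose trace touches batman-adv."""
    lines = text.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = LOCKUP_RE.search(line)
        if not m:
            continue
        lk = Lockup(int(m["cpu"]), int(m["secs"]), m["task"])
        # Attribute following lines to this report until the next report starts.
        for follow in lines[i + 1 : i + 1 + trace_window]:
            if LOCKUP_RE.search(follow):
                break
            if any(mark in follow for mark in BATADV_MARKERS):
                lk.batadv_related = True
                lk.frames.append(follow.strip())
        found.append(lk)
    return found

def batadv_lockups(text):
    """Only the reports attributable to the CVE-2024-40981 purge path."""
    return [lk for lk in parse_lockups(text) if lk.batadv_related]
```

Feed it `dmesg` or `journalctl -k` output; a hit from batadv_lockups() on an unpatched kernel is the signal to prioritise the update or the workload limits listed above.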
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.604Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe158a
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 3:09:44 AM
Last updated: 8/18/2025, 11:23:02 PM
Views: 12
Related Threats
CVE-2025-9176: OS Command Injection in neurobin shc (Medium)
CVE-2025-9175: Stack-based Buffer Overflow in neurobin shc (Medium)
CVE-2025-9174: OS Command Injection in neurobin shc (Medium)
CVE-2025-9171: Cross Site Scripting in SolidInvoice (Medium)
CVE-2025-9170: Cross Site Scripting in SolidInvoice (Medium)