
CVE-2024-41007: Vulnerability in Linux

Medium
Published: Mon Jul 15 2024 (07/15/2024, 08:48:10 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: avoid too many retransmit packets

If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.

The fix is to make sure tcp_rtx_probe0_timed_out() takes icsk->icsk_user_timeout into account.

Before blamed commit, the socket would not timeout after icsk->icsk_user_timeout, but would use standard exponential backoff for the retransmits.

Also worth noting that before commit e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0"), the issue would last 2 minutes instead of 4.

AI-Powered Analysis

Last updated: 06/29/2025, 03:26:12 UTC

Technical Analysis

CVE-2024-41007 is a vulnerability identified in the Linux kernel's TCP networking stack, specifically related to the handling of TCP retransmissions when the TCP_USER_TIMEOUT socket option is in use. TCP_USER_TIMEOUT is a socket option that allows an application to specify the maximum amount of time that transmitted data may remain unacknowledged before the connection is forcefully closed. The vulnerability arises when a TCP socket has TCP_USER_TIMEOUT enabled and the remote peer advertises a zero window size (i.e., it cannot receive data temporarily). Under these conditions, the tcp_retransmit_timer() function may retransmit packets at an abnormally high frequency—every two jiffies (approximately 2 milliseconds on systems where HZ=1000)—for about four minutes after the TCP_USER_TIMEOUT period has expired. This behavior deviates from the expected exponential backoff retransmission strategy, potentially causing excessive retransmissions and increased CPU/network resource consumption. The root cause is that the function tcp_rtx_probe0_timed_out() did not properly consider the icsk->icsk_user_timeout value, leading to retransmissions continuing beyond the user-specified timeout. Prior to a related commit (e89688e3e978), the issue lasted approximately two minutes instead of four. The vulnerability has been addressed by ensuring that tcp_rtx_probe0_timed_out() respects the user timeout setting, thus preventing excessive retransmissions after the timeout period. No known exploits are currently reported in the wild. The affected versions are identified by specific Linux kernel commit hashes, indicating that this issue pertains to recent kernel versions. This vulnerability does not have an assigned CVSS score yet.

Potential Impact

For European organizations, this vulnerability could lead to degraded network performance and increased resource utilization on Linux-based servers and infrastructure devices that utilize TCP_USER_TIMEOUT. Systems affected may experience excessive CPU load and network congestion due to rapid retransmissions, potentially impacting availability and performance of critical services. This could be particularly problematic for data centers, cloud providers, and enterprises relying on Linux servers for web hosting, database services, or internal applications. While the vulnerability does not directly allow unauthorized access or data compromise, the induced resource exhaustion could be leveraged as part of a denial-of-service (DoS) attack vector, especially in environments with high network traffic or where TCP_USER_TIMEOUT is configured aggressively. Given the widespread use of Linux in European IT infrastructure, the impact could be significant if exploited at scale or combined with other attack techniques. However, the lack of known exploits and the requirement for specific TCP socket configurations somewhat limit the immediate risk.

Mitigation Recommendations

European organizations should promptly apply the Linux kernel patches that address this vulnerability once they are available from their distribution vendors. Until patches are applied, administrators should audit and review the use of TCP_USER_TIMEOUT socket options in their applications and services, considering disabling or adjusting this setting if feasible to reduce exposure. Network monitoring should be enhanced to detect abnormal retransmission patterns or spikes in CPU/network utilization that could indicate exploitation attempts. Additionally, implementing rate limiting and traffic shaping at network boundaries can help mitigate potential resource exhaustion. For critical systems, consider deploying kernel versions that have backported the fix or using vendor-provided security updates. Collaboration with Linux distribution maintainers to ensure timely patch deployment is essential. Finally, educating development and operations teams about the implications of TCP_USER_TIMEOUT misuse can prevent inadvertent exposure.
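
One way to implement the retransmission-pattern monitoring recommended above, as an added example that is not part of the original advisory or of any kernel code: it flags segments resent in long runs at millisecond spacing instead of with exponential backoff. The record format, flow strings, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict


def build_sample():
    """Constructed records: (timestamp_s, flow, tcp_seq) of segments that a
    capture tool has already classified as retransmissions."""
    records = []
    # Flow A: healthy exponential backoff (gaps of 0.2 s, 0.4 s, 0.8 s, ...).
    t, gap = 10.0, 0.2
    for _ in range(6):
        t += gap
        records.append((round(t, 3), "10.0.0.5:443>10.0.0.9:51000", 1000))
        gap *= 2
    # Flow B: one segment resent every 2 ms, the cadence the advisory describes.
    for i in range(500):
        ts = round(20.0 + i * 0.002, 3)
        records.append((ts, "10.0.0.5:443>10.0.0.7:40022", 7000))
    return records


def find_retransmit_storms(records, max_gap_s=0.005, min_run=50):
    """Return {(flow, seq): (run_length, run_duration_s)} for segments resent
    at least min_run times in a row with every gap <= max_gap_s."""
    by_segment = defaultdict(list)
    for ts, flow, seq in records:
        by_segment[(flow, seq)].append(ts)

    storms = {}
    for key, times in by_segment.items():
        times.sort()
        best_len, best_dur = 0, 0.0
        run_start, run_len = times[0], 1
        for prev, cur in zip(times, times[1:]):
            if cur - prev <= max_gap_s:
                run_len += 1          # still inside a tight burst
            else:
                run_start, run_len = cur, 1  # backoff gap: start a new run
            if run_len > best_len:
                best_len, best_dur = run_len, cur - run_start
        if best_len >= min_run:
            storms[key] = (best_len, round(best_dur, 3))
    return storms


if __name__ == "__main__":
    for (flow, seq), (n, dur) in find_retransmit_storms(build_sample()).items():
        print(f"{flow} seq={seq}: {n} retransmits in {dur}s")
```

Tune `max_gap_s` and `min_run` to the host's HZ value and normal traffic; a healthy backoff sequence never produces a long run of sub-5 ms gaps for the same segment.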


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.610Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1637

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 3:26:12 AM

Last updated: 8/7/2025, 7:08:34 PM
