
CVE-2024-41040: Vulnerability in Linux (Linux kernel)

High
Published: Mon Jul 29 2024 (07/29/2024, 14:31:53 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Fix UAF when resolving a clash

KASAN reports the following UAF:

BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
Read of size 1 at addr ffff888c07603600 by task handler130/6469

Call Trace:
 <IRQ>
 dump_stack_lvl+0x48/0x70
 print_address_description.constprop.0+0x33/0x3d0
 print_report+0xc0/0x2b0
 kasan_report+0xd0/0x120
 __asan_load1+0x6c/0x80
 tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
 tcf_ct_act+0x886/0x1350 [act_ct]
 tcf_action_exec+0xf8/0x1f0
 fl_classify+0x355/0x360 [cls_flower]
 __tcf_classify+0x1fd/0x330
 tcf_classify+0x21c/0x3c0
 sch_handle_ingress.constprop.0+0x2c5/0x500
 __netif_receive_skb_core.constprop.0+0xb25/0x1510
 __netif_receive_skb_list_core+0x220/0x4c0
 netif_receive_skb_list_internal+0x446/0x620
 napi_complete_done+0x157/0x3d0
 gro_cell_poll+0xcf/0x100
 __napi_poll+0x65/0x310
 net_rx_action+0x30c/0x5c0
 __do_softirq+0x14f/0x491
 __irq_exit_rcu+0x82/0xc0
 irq_exit_rcu+0xe/0x20
 common_interrupt+0xa1/0xb0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x27/0x40

Allocated by task 6469:
 kasan_save_stack+0x38/0x70
 kasan_set_track+0x25/0x40
 kasan_save_alloc_info+0x1e/0x40
 __kasan_krealloc+0x133/0x190
 krealloc+0xaa/0x130
 nf_ct_ext_add+0xed/0x230 [nf_conntrack]
 tcf_ct_act+0x1095/0x1350 [act_ct]
 tcf_action_exec+0xf8/0x1f0
 fl_classify+0x355/0x360 [cls_flower]
 __tcf_classify+0x1fd/0x330
 tcf_classify+0x21c/0x3c0
 sch_handle_ingress.constprop.0+0x2c5/0x500
 __netif_receive_skb_core.constprop.0+0xb25/0x1510
 __netif_receive_skb_list_core+0x220/0x4c0
 netif_receive_skb_list_internal+0x446/0x620
 napi_complete_done+0x157/0x3d0
 gro_cell_poll+0xcf/0x100
 __napi_poll+0x65/0x310
 net_rx_action+0x30c/0x5c0
 __do_softirq+0x14f/0x491

Freed by task 6469:
 kasan_save_stack+0x38/0x70
 kasan_set_track+0x25/0x40
 kasan_save_free_info+0x2b/0x60
 ____kasan_slab_free+0x180/0x1f0
 __kasan_slab_free+0x12/0x30
 slab_free_freelist_hook+0xd2/0x1a0
 __kmem_cache_free+0x1a2/0x2f0
 kfree+0x78/0x120
 nf_conntrack_free+0x74/0x130 [nf_conntrack]
 nf_ct_destroy+0xb2/0x140 [nf_conntrack]
 __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]
 nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]
 __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]
 tcf_ct_act+0x12ad/0x1350 [act_ct]
 tcf_action_exec+0xf8/0x1f0
 fl_classify+0x355/0x360 [cls_flower]
 __tcf_classify+0x1fd/0x330
 tcf_classify+0x21c/0x3c0
 sch_handle_ingress.constprop.0+0x2c5/0x500
 __netif_receive_skb_core.constprop.0+0xb25/0x1510
 __netif_receive_skb_list_core+0x220/0x4c0
 netif_receive_skb_list_internal+0x446/0x620
 napi_complete_done+0x157/0x3d0
 gro_cell_poll+0xcf/0x100
 __napi_poll+0x65/0x310
 net_rx_action+0x30c/0x5c0
 __do_softirq+0x14f/0x491

The ct may be dropped if a clash has been resolved but is still passed to the tcf_ct_flow_table_process_conn function for further usage. This issue can be fixed by retrieving ct from skb again after confirming conntrack.

AI-Powered Analysis

Last updated: 06/28/2025, 04:25:56 UTC

Technical Analysis

CVE-2024-41040 is a use-after-free (UAF) vulnerability in the Linux kernel's networking subsystem, specifically the net/sched (network scheduler) component. The flaw lies in the handling of connection tracking (conntrack) entries in the tcf_ct_flow_table_process_conn function of the act_ct module, which implements the connection tracking action for traffic control. A connection tracking entry (ct) can be freed while a clash is resolved (two entries for the same flow racing to be inserted into the conntrack table, of which only one survives), yet the pointer obtained before that step is still used later in the processing flow, producing a use-after-free. This is confirmed by Kernel Address Sanitizer (KASAN) reports showing slab-use-after-free errors during packet processing.

The root cause is that after the clash is resolved during conntrack confirmation, the ct pointer is not re-acquired from the socket buffer (skb), so the code continues with a stale reference. This can lead to memory corruption, potentially causing kernel crashes or enabling attackers to execute arbitrary code with kernel privileges. The flaw is triggered during ingress packet classification and connection tracking actions, which are common in Linux-based routers, firewalls, and network appliances.

The affected Linux kernel versions are identified by multiple recent commit hashes, indicating a recent regression or a flaw introduced in newer kernel versions. No public exploits are known at this time, and no CVSS score has been assigned yet. The vulnerability affects the confidentiality, integrity, and availability of affected systems because of the possibility of kernel memory corruption and privilege escalation. Exploitation requires the ability to send specially crafted network packets to a vulnerable system with connection tracking and traffic control modules enabled, which is common in many Linux deployments handling network traffic.
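The ordering problem described above, shown as an added stand-alone C model rather than kernel code: the vulnerable sequence keeps the ct pointer taken before confirmation, the fixed sequence re-reads it from the skb afterwards, as the description says. The struct layouts, the clash flag and the freed marker are assumptions standing in for the real conntrack table and allocator.

```c
/* Stand-alone toy model of the confirm/clash ordering behind CVE-2024-41040.
 * Names mirror the kernel's, but nothing here is kernel code: "freeing" is a
 * flag so the stale access can be observed without KASAN. */
struct nf_conn { int id; int freed; };   /* conntrack entry */
struct sk_buff { struct nf_conn *ct; };  /* packet and the ct attached to it */

/* Entry already in the conntrack table; it wins any clash. */
static struct nf_conn table_entry = { 1, 0 };
/* Model of nf_conntrack_confirm(): on a clash the new, unconfirmed ct loses,
 * is destroyed (nf_ct_destroy in the trace) and the skb is repointed at the
 * existing entry. Returns 1 for NF_ACCEPT. */
static int nf_conntrack_confirm(struct sk_buff *skb, int clash)
{
    if (clash) {
        skb->ct->freed = 1;
        skb->ct = &table_entry;
    }
    return 1;
}

static struct nf_conn *nf_ct_get(struct sk_buff *skb) { return skb->ct; }
/* Stand-in for tcf_ct_flow_table_process_conn(): reading a freed ct is the
 * use-after-free; it is recorded in *uaf instead of crashing. */
static int process_conn(struct nf_conn *ct, int *uaf)
{
    *uaf = ct->freed;
    return ct->id;
}

/* Vulnerable ordering: keep using the ct obtained before confirmation. */
int tcf_ct_act_before_fix(struct sk_buff *skb, int clash, int *uaf)
{
    struct nf_conn *ct = nf_ct_get(skb);
    if (!nf_conntrack_confirm(skb, clash))
        return -1;
    return process_conn(ct, uaf);        /* stale pointer on a clash */
}
/* Fixed ordering, as the description states: re-read ct from the skb after
 * confirming, and drop the packet if none is attached. */
int tcf_ct_act_after_fix(struct sk_buff *skb, int clash, int *uaf)
{
    struct nf_conn *ct = nf_ct_get(skb);
    if (!nf_conntrack_confirm(skb, clash))
        return -1;
    ct = nf_ct_get(skb);
    if (!ct)
        return -1;
    return process_conn(ct, uaf);
}
```

With a clash the vulnerable path reports a read of the freed entry, while the fixed path continues on the surviving table entry.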

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially to enterprises and service providers relying on Linux-based network infrastructure such as firewalls, routers, VPN gateways, and cloud servers. Exploitation could lead to denial of service through kernel crashes or potentially allow attackers to gain kernel-level privileges, compromising the entire system. This could result in data breaches, disruption of critical services, and lateral movement within corporate networks. Given the widespread use of Linux in European data centers, telecommunications, and government networks, the impact could be broad. Organizations handling sensitive personal data under GDPR may face compliance risks if this vulnerability is exploited to exfiltrate or manipulate data. Additionally, critical infrastructure operators using Linux-based network devices could experience operational disruptions. The lack of known exploits currently reduces the immediate risk, but it also means organizations should patch proactively to prevent future attacks once exploit code becomes available.

Mitigation Recommendations

1. Apply the official Linux kernel patches that fix the use-after-free condition as soon as they are available from trusted sources such as the Linux kernel mailing list or vendor security advisories.
2. For organizations using commercial Linux distributions, monitor vendor security bulletins and update kernel packages promptly.
3. Disable or restrict the use of connection tracking and traffic control modules (act_ct, cls_flower) if they are not required for network operations, to reduce the attack surface.
4. Employ network segmentation and firewall rules to limit exposure of vulnerable Linux systems to untrusted networks, minimizing the ability of attackers to send malicious packets.
5. Use kernel hardening features such as Kernel Address Sanitizer (KASAN) and other runtime protections in testing environments to detect similar issues early.
6. Monitor system logs and kernel crash reports for signs of exploitation attempts or instability related to network packet processing.
7. Implement intrusion detection systems (IDS) capable of detecting anomalous network traffic patterns that might indicate exploitation attempts targeting the conntrack or traffic control subsystems.
8. Maintain regular backups and incident response plans to recover quickly from potential compromises.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.621Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddf3f

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 4:25:56 AM

Last updated: 8/16/2025, 6:45:45 AM

Views: 17
