
CVE-2024-41041: Vulnerability in the Linux kernel (vendor Linux, product Linux)

High
Published: Mon Jul 29 2024 (07/29/2024, 14:31:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

syzkaller triggered the warning [0] in udp_v4_early_demux().

In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount of the looked-up sk and use sock_pfree() as skb->destructor, so we check SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace period.

Currently, SOCK_RCU_FREE is flagged for a bound socket after being put into the hash table. Moreover, the SOCK_RCU_FREE check is done too early in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race window:

  CPU1                                 CPU2
  ----                                 ----
  udp_v4_early_demux()                 udp_lib_get_port()
  |                                    |- hlist_add_head_rcu()
  |- sk = __udp4_lib_demux_lookup()    |
  |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));
  |                                    `- sock_set_flag(sk, SOCK_RCU_FREE)

We had the same bug in TCP and fixed it in commit 871019b22d1b ("net: set SOCK_RCU_FREE before inserting socket into hashtable").

Let's apply the same fix for UDP.

[0]:
WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
Modules linked in:
CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52
RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c
RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001
RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680
R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e
FS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
 <TASK>
 ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349
 ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624
 __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738
 netif_receive_skb_internal net/core/dev.c:5824 [inline]
 netif_receive_skb+0x271/0x300 net/core/dev.c:5884
 tun_rx_batched drivers/net/tun.c:1549 [inline]
 tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002
 tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x76f/0x8d0 fs/read_write.c:590
 ksys_write+0xbf/0x190 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x41/0x50 fs/read_write.c:652
 x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fc44a68bc1f
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48
RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f
R ---truncated---

AI-Powered Analysis

Last updated: 06/29/2025, 03:55:16 UTC

Technical Analysis

CVE-2024-41041 is a vulnerability identified in the Linux kernel's UDP networking stack, specifically related to the handling of socket reference counting and the SOCK_RCU_FREE flag in the functions udp_v4_early_demux(), udp_v6_early_demux(), and sk_lookup(). The issue arises because the SOCK_RCU_FREE flag, which indicates that a socket is safe to access during the Read-Copy-Update (RCU) grace period, is set too late during socket insertion into the hash table. This timing creates a race condition between concurrent CPUs where one CPU may access a socket that has not yet been marked as safe, potentially leading to use-after-free or other memory safety issues. The vulnerability was discovered through syzkaller, a kernel fuzzing tool, which triggered warnings related to socket reference counting inconsistencies. The root cause is that the UDP code path did not set SOCK_RCU_FREE before inserting the socket into the hash table, unlike the TCP stack which had a similar bug fixed previously. The fix involves setting the SOCK_RCU_FREE flag earlier in the udp_lib_get_port() function to close the race window. Although the vulnerability does not have an assigned CVSS score, it affects the Linux kernel's core networking subsystem, which is critical for system stability and security. Exploitation could potentially lead to kernel crashes or privilege escalation if an attacker can trigger the race condition, but no known exploits are currently reported in the wild. The vulnerability affects Linux kernel versions around 6.9.0 and possibly others using similar UDP socket handling code. This issue is technical and subtle, involving kernel concurrency and memory management in the networking stack.

Potential Impact

For European organizations, the impact of CVE-2024-41041 could be significant given the widespread use of Linux servers and infrastructure in critical sectors such as finance, telecommunications, government, and cloud services. Exploitation of this vulnerability could lead to denial of service via kernel crashes or potentially enable privilege escalation attacks if combined with other vulnerabilities, thereby compromising system integrity and availability. Since UDP is widely used for network services including DNS, VoIP, and streaming, the vulnerability could affect a broad range of applications and services. Organizations relying on Linux-based network appliances, firewalls, or container hosts could see disruptions or security breaches. The lack of known exploits reduces immediate risk, but the technical nature of the flaw means skilled attackers could develop exploits over time. Additionally, the vulnerability could be leveraged in targeted attacks against high-value infrastructure or critical national infrastructure within Europe, impacting confidentiality and operational continuity.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to the latest patched versions that include the fix for CVE-2024-41041. Specifically, ensure that kernel versions 6.9.0 and later incorporate the patch that sets SOCK_RCU_FREE earlier in udp_lib_get_port(). For environments where immediate patching is not feasible, organizations should implement network-level mitigations such as restricting UDP traffic to trusted sources and employing intrusion detection systems to monitor for anomalous UDP socket behavior. Additionally, kernel hardening techniques like enabling Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and using seccomp filters to limit exposure of UDP socket operations can reduce exploitation risk. Regularly auditing and monitoring kernel logs for warnings similar to those triggered by syzkaller can help detect attempts to exploit this race condition. For containerized environments, ensure that host kernels are patched and consider isolating UDP traffic within namespaces to limit attack surface. Finally, coordinate with Linux distribution vendors and maintain a robust patch management process to rapidly deploy kernel updates.
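The log-monitoring recommendation above can be automated. The script below is an added example for this page, not code from the Linux kernel, the CVE record, or this site: it scans kernel log lines (for instance dmesg output) for the exact WARNING signature quoted in the description, in both the IPv4 and IPv6 UDP early-demux paths, and reports CPU, PID, process name and kernel version for each hit while ignoring unrelated kernel warnings. The sample log embedded in it is constructed, modelled on the trace in the description; the net/ipv6/udp.c line number, the "dnsmasq" process name and the script file name are placeholders.

```python
"""Scan kernel log lines for the udp_v[46]_early_demux() WARNING that
CVE-2024-41041's fix addresses.

Added example for this page, not code from the Linux kernel or the CVE
record. It looks only for the WARNING signature quoted in the description
(net/ipv[46]/udp.c, udp_v4_early_demux / udp_v6_early_demux); any other
kernel warning is ignored.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "WARNING: CPU: <n> PID: <pid> at net/ipv4/udp.c:<line> udp_v4_early_demux+0x.../0x..."
# The udp.c line number differs between kernel builds, so it is captured, not hard-coded.
WARNING_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<file>net/ipv[46]/udp\.c):(?P<line>\d+) "
    r"(?P<func>udp_v[46]_early_demux)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# Second line of a kernel warning: "CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g... #13"
COMM_RE = re.compile(r"Comm: (?P<comm>\S+)")
# The kernel version follows either "Not tainted" or "Tainted: <flag letters>".
KVER_RE = re.compile(r"(?:Not tainted|Tainted: [A-Z ]+?)\s+(?P<kver>\d\S*)")


@dataclass
class UdpDemuxWarning:
    cpu: int
    pid: int
    file: str
    line: int
    func: str
    comm: Optional[str] = None    # filled from the following "CPU: ... Comm: ..." line
    kernel: Optional[str] = None  # filled from the same line, if present


def scan_kernel_log(lines: Iterable[str]) -> List[UdpDemuxWarning]:
    """Return one record per matching WARNING line, in log order."""
    hits: List[UdpDemuxWarning] = []
    pending: Optional[UdpDemuxWarning] = None  # hit still waiting for its "Comm:" line
    for raw in lines:
        line = raw.strip()
        m = WARNING_RE.search(line)
        if m:
            pending = UdpDemuxWarning(
                cpu=int(m["cpu"]), pid=int(m["pid"]), file=m["file"],
                line=int(m["line"]), func=m["func"],
            )
            hits.append(pending)
            continue
        if pending is None:
            continue
        c = COMM_RE.search(line)
        if c:
            pending.comm = c["comm"]
            k = KVER_RE.search(line)
            if k:
                pending.kernel = k["kver"]
            pending = None  # the rest of the oops (registers, call trace) is not needed


    return hits


def format_hit(h: UdpDemuxWarning) -> str:
    """One-line human-readable summary of a hit."""
    return (f"{h.func} warning at {h.file}:{h.line} on CPU {h.cpu}, "
            f"PID {h.pid} ({h.comm or '?'}), kernel {h.kernel or '?'}")


# Constructed sample log: modelled on the trace in the CVE description, with an
# unrelated warning and an IPv6 hit added. The ipv6 line number and the
# "dnsmasq" process name are placeholders, not real values.
SAMPLE_LOG = """\
[  101.220113] WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
[  101.220145] Modules linked in:
[  101.220160] CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13
[  101.220190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[  101.220210] RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
[  250.000001] WARNING: CPU: 3 PID: 777 at kernel/workqueue.c:1234 some_other_func+0x10/0x20
[  250.000010] CPU: 3 PID: 777 Comm: kworker/3:1 Not tainted 6.9.0-g93bda33046e7 #13
[  300.123456] WARNING: CPU: 1 PID: 4242 at net/ipv6/udp.c:1111 udp_v6_early_demux+0x2ab/0x900 net/ipv6/udp.c:1111
[  300.123470] CPU: 1 PID: 4242 Comm: dnsmasq Not tainted 6.9.0-g93bda33046e7 #13
"""


if __name__ == "__main__":
    # Usage: dmesg | python3 udp_demux_warn.py   (with no piped input the sample log is scanned)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for hit in scan_kernel_log(source):
        print(format_hit(hit))
```

Run it against the constructed sample and it reports the IPv4 hit from syz-executor.1 and the IPv6 hit, but not the workqueue warning. Because the matcher keys on the file path and function name rather than the udp.c line number, it still works on distribution kernels whose line numbers differ from the upstream trace; a hit on a kernel that should already carry the fix is itself worth investigating.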


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.623Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1718

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 3:55:16 AM

Last updated: 8/1/2025, 12:58:48 PM

Views: 14
