
CVE-2024-41045: Vulnerability in the Linux kernel

Severity: High
Published: Mon Jul 29 2024 (07/29/2024, 14:32:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Defer work in bpf_timer_cancel_and_free

Currently, the same case as previous patch (two timer callbacks trying to cancel each other) can be invoked through bpf_map_update_elem as well, or more precisely, freeing map elements containing timers.

Since this relies on hrtimer_cancel as well, it is prone to the same deadlock situation as the previous patch.

It would be sufficient to use hrtimer_try_to_cancel to fix this problem, as the timer cannot be enqueued after async_cancel_and_free.

Once async_cancel_and_free has been done, the timer must be reinitialized before it can be armed again. The callback running in parallel trying to arm the timer will fail, and freeing bpf_hrtimer without waiting is sufficient (given kfree_rcu), and bpf_timer_cb will return HRTIMER_NORESTART, preventing the timer from being rearmed again.

However, there exists a UAF scenario where the callback arms the timer before entering this function, such that if cancellation fails (due to timer callback invoking this routine, or the target timer callback running concurrently). In such a case, if the timer expiration is significantly far in the future, the RCU grace period expiration happening before it will free the bpf_hrtimer state and along with it the struct hrtimer, that is enqueued.

Hence, it is clear cancellation needs to occur after async_cancel_and_free, and yet it cannot be done inline due to deadlock issues. We thus modify bpf_timer_cancel_and_free to defer work to the global workqueue, adding a work_struct alongside rcu_head (both used at _different_ points of time, so can share space).

Update existing code comments to reflect the new state of affairs.

AI-Powered Analysis

Last updated: 06/29/2025, 03:55:49 UTC

Technical Analysis

CVE-2024-41045 is a vulnerability in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, in the lifecycle handling of timers (bpf_timer) stored in BPF map elements. Each such timer is backed by an hrtimer, and the kernel must cancel it when the owning map element is freed, for example when bpf_map_update_elem replaces the element or when the element is deleted. Before the fix, bpf_timer_cancel_and_free performed that cancellation inline with hrtimer_cancel, which blocks until any running timer callback has finished. When the element is freed from inside a timer callback, or when two timer callbacks try to cancel each other, that wait can never complete and the CPU deadlocks; the preceding patch in the same series addressed this two-callbacks-cancelling-each-other case for the bpf_timer_cancel helper, and this patch closes the same hole on the map-element-free path. Simply switching to hrtimer_try_to_cancel, which does not wait, is not sufficient: the commit message describes a use-after-free in which the callback has already re-armed the timer before the cancel-and-free path runs, the non-waiting cancel fails because the callback is still executing, and if the expiry lies far enough in the future the RCU grace period elapses first, so kfree_rcu releases the bpf_hrtimer (and the struct hrtimer embedded in it) while that hrtimer is still enqueued. The fix therefore keeps a waiting cancellation but moves it out of line: bpf_timer_cancel_and_free defers the cancel-and-free step to the global workqueue through a work_struct that shares storage with the rcu_head (the two are used at different points in the object's lifetime, so a union costs nothing), which guarantees the cancel never runs on the timer callback's own context and the memory is released only after the callback has finished. The CVE record identifies the affected kernel ranges by commit hash rather than by release number, and no exploitation in the wild has been reported. Reaching the vulnerable code requires loading BPF programs that use map timers, which on most distributions is limited to privileged callers (CAP_BPF and related capabilities) because unprivileged BPF is disabled by default via the kernel.unprivileged_bpf_disabled sysctl.
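The deferral pattern the commit message describes, as an added userland model written for this page. It is not the kernel's code: model_timer, timer_cancel_and_free, delete_work and callback_running are hypothetical stand-ins for bpf_hrtimer, bpf_timer_cancel_and_free, the queued work_struct and the per-CPU hrtimer_running marker, and a pthread plays the role of the global workqueue. The waiting cancel blocks until no callback is running, exactly the wait that would never return if issued from the callback itself; the fix's decision point is to hand that wait to another context instead.

```c
/* Added userland model (pthreads) of the deferral pattern described above.
 * Not the kernel's code: model_timer, timer_cancel_and_free, delete_work and
 * callback_running are hypothetical stand-ins for bpf_hrtimer,
 * bpf_timer_cancel_and_free, the queued work_struct and the per-CPU
 * hrtimer_running marker. Build with: cc -pthread model.c */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

enum cancel_path { CANCEL_SYNC, CANCEL_DEFERRED };

struct model_timer {
    pthread_mutex_t lock;
    pthread_cond_t cb_done;
    bool cb_active;   /* a callback is executing right now */
    bool freed;       /* state released; stands in for kfree_rcu */
    pthread_t worker; /* deferred work; stands in for the global workqueue */
};

/* Per-thread analogue of "which timer's callback is this CPU running". */
static _Thread_local struct model_timer *callback_running;

struct model_timer *timer_new(void)
{
    struct model_timer *t = calloc(1, sizeof(*t));
    if (!t || pthread_mutex_init(&t->lock, NULL) || pthread_cond_init(&t->cb_done, NULL))
        abort();
    return t;
}

/* Waiting cancel, like hrtimer_cancel(): block until no callback is running,
 * then release. Called from inside that callback it would wait forever. */
static void timer_cancel_sync(struct model_timer *t)
{
    pthread_mutex_lock(&t->lock);
    while (t->cb_active)
        pthread_cond_wait(&t->cb_done, &t->lock);
    t->freed = true; /* callback is done and cannot re-arm: safe to free */
    pthread_mutex_unlock(&t->lock);
}

/* Deferred work: runs on the worker, never on the callback's own thread. */
static void *delete_work(void *arg)
{
    timer_cancel_sync(arg);
    return NULL;
}

/* The decision in the fix: cancel inline unless we are the timer's callback. */
enum cancel_path timer_cancel_and_free(struct model_timer *t)
{
    if (callback_running == t) {
        if (pthread_create(&t->worker, NULL, delete_work, t))
            abort();
        return CANCEL_DEFERRED;
    }
    timer_cancel_sync(t);
    return CANCEL_SYNC;
}

/* What the timer core does around callback_fn. */
void callback_enter(struct model_timer *t)
{
    pthread_mutex_lock(&t->lock);
    t->cb_active = true;
    pthread_mutex_unlock(&t->lock);
    callback_running = t;
}

void callback_exit(struct model_timer *t)
{
    callback_running = NULL;
    pthread_mutex_lock(&t->lock);
    t->cb_active = false;
    pthread_cond_broadcast(&t->cb_done);
    pthread_mutex_unlock(&t->lock);
}

bool timer_is_freed(struct model_timer *t)
{
    pthread_mutex_lock(&t->lock);
    bool f = t->freed;
    pthread_mutex_unlock(&t->lock);
    return f;
}

/* Scenario 1: element freed from ordinary context: inline cancel, freed at once. */
bool scenario_free_from_outside(void)
{
    struct model_timer *t = timer_new();
    bool ok = timer_cancel_and_free(t) == CANCEL_SYNC && timer_is_freed(t);
    free(t);
    return ok;
}

/* Scenario 2: the callback frees its own element (the deadlock case): the
 * cancel is deferred and memory is released only after the callback has left. */
bool scenario_free_from_callback(void)
{
    struct model_timer *t = timer_new();
    callback_enter(t);
    bool deferred = timer_cancel_and_free(t) == CANCEL_DEFERRED && !timer_is_freed(t);
    callback_exit(t);
    pthread_join(t->worker, NULL);
    bool ok = deferred && timer_is_freed(t);
    free(t);
    return ok;
}

int main(void)
{
    return scenario_free_from_outside() && scenario_free_from_callback() ? 0 : 1;
}
```

Scenario 2 is the interesting one: with the deferral, the state is still intact while the callback is on the stack and is released only after the worker's waiting cancel observes the callback's exit, which is the ordering the commit message insists on (cancel after the element is detached, but never inline from the callback). Dropping the deferral and calling timer_cancel_sync directly in that scenario makes the model hang in the same way the pre-fix kernel deadlocks.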

Potential Impact

For European organizations, this vulnerability matters on systems running an affected kernel with eBPF programs that store timers in BPF maps. eBPF is used well beyond packet filtering (tracing, observability agents, container networking and security tooling), so the population of affected hosts is not limited to network appliances. The realistic impact is availability: a deadlocked CPU or a use-after-free in kernel memory means a hang, a crash, or unpredictable kernel state, which on servers underpinning critical infrastructure, cloud platforms or telecommunications equipment translates into service disruption. A kernel use-after-free can in principle be abused for more than a crash, but no exploit is known, the race window is narrow, and loading BPF programs with timers normally requires elevated privileges, which raises the bar for an attacker who does not already control privileged code on the host. The vulnerability does not on its own expose confidentiality or integrity of data; its effect is on system reliability and uptime.

Mitigation Recommendations

European organizations should apply the vendor kernel update that carries this fix (the change that defers timer cancellation in bpf_timer_cancel_and_free to the global workqueue) as soon as it is available for their distribution, comparing the running kernel (uname -r) against the distribution's advisory for this CVE. Until then, inventory which loaded BPF programs use map timers: bpftool prog show and bpftool map show list what is loaded, and the owning tooling (observability agents, CNI plugins, security sensors) will say whether its programs arm bpf_timer. Confirm that unprivileged processes cannot load BPF programs by checking sysctl kernel.unprivileged_bpf_disabled, where a value of 1 or 2 means unprivileged BPF is off; this is the default on most distributions and is the main reason the issue is hard to reach from an unprivileged foothold. Watch kernel logs for hung-task warnings, soft lockups or RCU stall reports that coincide with BPF activity, as these are the symptoms a deadlock or use-after-free on this path would produce. Kernel live patching (kpatch, and the equivalent services from Canonical, SUSE and Red Hat) can deliver the fix without a reboot where downtime is costly. Disabling BPF outright is rarely practical, since systemd, container runtimes and monitoring agents depend on it, so treat that as a last resort rather than a general hardening step. As with any kernel update, test the new kernel in a staging environment before rolling it into production.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-07-12T12:17:45.624Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9827c4522896dcbe1737

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 3:55:49 AM

Last updated: 7/31/2025, 2:56:59 AM

Views: 11
