CVE-2024-43837: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT When loading a EXT program without specifying `attr->attach_prog_fd`, the `prog->aux->dst_prog` will be null. At this time, calling resolve_prog_type() anywhere will result in a null pointer dereference. Example stack trace: [ 8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 [ 8.108262] Mem abort info: [ 8.108384] ESR = 0x0000000096000004 [ 8.108547] EC = 0x25: DABT (current EL), IL = 32 bits [ 8.108722] SET = 0, FnV = 0 [ 8.108827] EA = 0, S1PTW = 0 [ 8.108939] FSC = 0x04: level 0 translation fault [ 8.109102] Data abort info: [ 8.109203] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 8.109399] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 8.109614] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000 [ 8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000 [ 8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 8.112783] Modules linked in: [ 8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1 [ 8.113230] Hardware name: linux,dummy-virt (DT) [ 8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.113429] pc : may_access_direct_pkt_data+0x24/0xa0 [ 8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8 [ 8.113798] sp : ffff80008283b9f0 [ 8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001 [ 8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000 [ 8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000 [ 8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff [ 8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720 [ 8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 [ 8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4 [ 8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f [ 8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c [ 8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000 [ 8.114126] Call trace: [ 8.114159] may_access_direct_pkt_data+0x24/0xa0 [ 8.114202] bpf_check+0x3bc/0x28c0 [ 8.114214] bpf_prog_load+0x658/0xa58 [ 8.114227] __sys_bpf+0xc50/0x2250 [ 8.114240] __arm64_sys_bpf+0x28/0x40 [ 8.114254] invoke_syscall.constprop.0+0x54/0xf0 [ 8.114273] do_el0_svc+0x4c/0xd8 [ 8.114289] el0_svc+0x3c/0x140 [ 8.114305] el0t_64_sync_handler+0x134/0x150 [ 8.114331] el0t_64_sync+0x168/0x170 [ 8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403) [ 8.118672] ---[ end trace 0000000000000000 ]--- One way to fix it is by forcing `attach_prog_fd` non-empty when bpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type` API broken which use verifier log to probe prog type and will log nothing if we reject invalid EXT prog before bpf_check(). Another way is by adding null check in resolve_prog_type(). The issue was introduced by commit 4a9c7bbe2ed4 ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT") which wanted to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before that, the type resolution of BPF_PROG_TYPE_EXT prog actually follows the logic below: prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type; It implies that when EXT program is not yet attached to `dst_prog`, the prog type should be EXT itself. This code worked fine in the past. So just keep using it. Fix this by returning `prog->type` for BPF_PROG_TYPE_EXT if `dst_prog` is not present in resolve_prog_type().
AI Analysis
Technical Summary
CVE-2024-43837 is a vulnerability in the Linux kernel affecting the Berkeley Packet Filter (BPF) subsystem, specifically related to the handling of BPF_PROG_TYPE_EXT programs. The issue arises when an EXT program is loaded without specifying the attach_prog_fd attribute. In this scenario, the program's auxiliary destination program pointer (prog->aux->dst_prog) is null. The resolve_prog_type() function, which is responsible for determining the program type, does not check for this null pointer before dereferencing it, leading to a null pointer dereference and consequent kernel crash (kernel oops). This vulnerability was introduced by a recent commit (4a9c7bbe2ed4) that modified type resolution logic for BPF_PROG_TYPE_EXT programs to better handle tracing programs. The previous logic safely returned the program's own type if the destination program was not set, but the new logic assumes the destination program pointer is always valid. The null pointer dereference manifests as a kernel panic with a detailed stack trace, indicating a memory abort due to invalid access. The vulnerability can cause denial of service by crashing the kernel when a specially crafted BPF EXT program is loaded without the attach_prog_fd attribute. Fixes involve either enforcing that attach_prog_fd is always specified or adding a null check in resolve_prog_type() to return the program's own type if the destination program pointer is null, restoring the previous safe behavior. This vulnerability affects Linux kernel versions containing the problematic commit and is relevant for systems using BPF EXT programs, which are increasingly used for advanced networking, tracing, and security monitoring tasks. No known exploits are currently reported in the wild, but the vulnerability could be triggered by local users or processes with the ability to load BPF programs, potentially leading to kernel crashes and denial of service.
Potential Impact
For European organizations, the impact of CVE-2024-43837 primarily involves potential denial of service conditions on Linux systems that utilize BPF EXT programs. Many enterprise and cloud environments in Europe rely heavily on Linux for servers, networking equipment, and container orchestration platforms such as Kubernetes, which use BPF for observability and security. A successful exploitation could cause kernel crashes, leading to system downtime, disruption of critical services, and potential loss of availability. This is particularly concerning for sectors with high availability requirements such as finance, telecommunications, healthcare, and public infrastructure. While the vulnerability does not directly lead to privilege escalation or data leakage, repeated crashes or denial of service could be leveraged by attackers to disrupt operations or as part of multi-stage attacks. Additionally, organizations using custom or third-party BPF programs may be at higher risk if those programs do not specify attach_prog_fd correctly. The lack of known exploits suggests the threat is currently low but the complexity of BPF and its growing use means that awareness and patching are critical to prevent future exploitation. The impact is compounded in environments with automated BPF program loading or where untrusted users have the capability to load BPF programs, such as multi-tenant cloud platforms or developer workstations.
Mitigation Recommendations
To mitigate CVE-2024-43837, European organizations should: 1) Apply the latest Linux kernel patches that address this vulnerability, specifically those that add null pointer checks in resolve_prog_type() or enforce attach_prog_fd presence. 2) Audit and review all BPF EXT programs in use to ensure they specify attach_prog_fd correctly and follow best practices for safe program loading. 3) Restrict the ability to load BPF programs to trusted users and processes only, using Linux capabilities (e.g., CAP_BPF) and security modules (SELinux, AppArmor) to limit access. 4) Monitor kernel logs for signs of null pointer dereferences or oops messages related to BPF program loading as early indicators of attempted exploitation or misconfiguration. 5) In containerized or cloud environments, ensure that container runtimes and orchestration platforms are updated to versions that handle BPF program loading safely and do not expose untrusted users to BPF loading capabilities. 6) Implement robust incident response procedures to quickly recover from kernel crashes and minimize downtime. 7) Engage with Linux distribution vendors and maintain awareness of updates related to BPF vulnerabilities to ensure timely patching. These steps go beyond generic advice by focusing on BPF program correctness, access control, and proactive monitoring specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
CVE-2024-43837: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT When loading a EXT program without specifying `attr->attach_prog_fd`, the `prog->aux->dst_prog` will be null. At this time, calling resolve_prog_type() anywhere will result in a null pointer dereference. Example stack trace: [ 8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 [ 8.108262] Mem abort info: [ 8.108384] ESR = 0x0000000096000004 [ 8.108547] EC = 0x25: DABT (current EL), IL = 32 bits [ 8.108722] SET = 0, FnV = 0 [ 8.108827] EA = 0, S1PTW = 0 [ 8.108939] FSC = 0x04: level 0 translation fault [ 8.109102] Data abort info: [ 8.109203] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 8.109399] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 8.109614] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000 [ 8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000 [ 8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 8.112783] Modules linked in: [ 8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1 [ 8.113230] Hardware name: linux,dummy-virt (DT) [ 8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.113429] pc : may_access_direct_pkt_data+0x24/0xa0 [ 8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8 [ 8.113798] sp : ffff80008283b9f0 [ 8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001 [ 8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000 [ 8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000 [ 8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff [ 8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720 [ 8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 [ 8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4 [ 8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f [ 8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c [ 8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000 [ 8.114126] Call trace: [ 8.114159] may_access_direct_pkt_data+0x24/0xa0 [ 8.114202] bpf_check+0x3bc/0x28c0 [ 8.114214] bpf_prog_load+0x658/0xa58 [ 8.114227] __sys_bpf+0xc50/0x2250 [ 8.114240] __arm64_sys_bpf+0x28/0x40 [ 8.114254] invoke_syscall.constprop.0+0x54/0xf0 [ 8.114273] do_el0_svc+0x4c/0xd8 [ 8.114289] el0_svc+0x3c/0x140 [ 8.114305] el0t_64_sync_handler+0x134/0x150 [ 8.114331] el0t_64_sync+0x168/0x170 [ 8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403) [ 8.118672] ---[ end trace 0000000000000000 ]--- One way to fix it is by forcing `attach_prog_fd` non-empty when bpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type` API broken which use verifier log to probe prog type and will log nothing if we reject invalid EXT prog before bpf_check(). Another way is by adding null check in resolve_prog_type(). The issue was introduced by commit 4a9c7bbe2ed4 ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT") which wanted to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before that, the type resolution of BPF_PROG_TYPE_EXT prog actually follows the logic below: prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type; It implies that when EXT program is not yet attached to `dst_prog`, the prog type should be EXT itself. This code worked fine in the past. So just keep using it. Fix this by returning `prog->type` for BPF_PROG_TYPE_EXT if `dst_prog` is not present in resolve_prog_type().
AI-Powered Analysis
Technical Analysis
CVE-2024-43837 is a vulnerability in the Linux kernel affecting the Berkeley Packet Filter (BPF) subsystem, specifically related to the handling of BPF_PROG_TYPE_EXT programs. The issue arises when an EXT program is loaded without specifying the attach_prog_fd attribute. In this scenario, the program's auxiliary destination program pointer (prog->aux->dst_prog) is null. The resolve_prog_type() function, which is responsible for determining the program type, does not check for this null pointer before dereferencing it, leading to a null pointer dereference and consequent kernel crash (kernel oops). This vulnerability was introduced by a recent commit (4a9c7bbe2ed4) that modified type resolution logic for BPF_PROG_TYPE_EXT programs to better handle tracing programs. The previous logic safely returned the program's own type if the destination program was not set, but the new logic assumes the destination program pointer is always valid. The null pointer dereference manifests as a kernel panic with a detailed stack trace, indicating a memory abort due to invalid access. The vulnerability can cause denial of service by crashing the kernel when a specially crafted BPF EXT program is loaded without the attach_prog_fd attribute. Fixes involve either enforcing that attach_prog_fd is always specified or adding a null check in resolve_prog_type() to return the program's own type if the destination program pointer is null, restoring the previous safe behavior. This vulnerability affects Linux kernel versions containing the problematic commit and is relevant for systems using BPF EXT programs, which are increasingly used for advanced networking, tracing, and security monitoring tasks. No known exploits are currently reported in the wild, but the vulnerability could be triggered by local users or processes with the ability to load BPF programs, potentially leading to kernel crashes and denial of service.
Potential Impact
For European organizations, the impact of CVE-2024-43837 primarily involves potential denial of service conditions on Linux systems that utilize BPF EXT programs. Many enterprise and cloud environments in Europe rely heavily on Linux for servers, networking equipment, and container orchestration platforms such as Kubernetes, which use BPF for observability and security. A successful exploitation could cause kernel crashes, leading to system downtime, disruption of critical services, and potential loss of availability. This is particularly concerning for sectors with high availability requirements such as finance, telecommunications, healthcare, and public infrastructure. While the vulnerability does not directly lead to privilege escalation or data leakage, repeated crashes or denial of service could be leveraged by attackers to disrupt operations or as part of multi-stage attacks. Additionally, organizations using custom or third-party BPF programs may be at higher risk if those programs do not specify attach_prog_fd correctly. The lack of known exploits suggests the threat is currently low but the complexity of BPF and its growing use means that awareness and patching are critical to prevent future exploitation. The impact is compounded in environments with automated BPF program loading or where untrusted users have the capability to load BPF programs, such as multi-tenant cloud platforms or developer workstations.
Mitigation Recommendations
To mitigate CVE-2024-43837, European organizations should: 1) Apply the latest Linux kernel patches that address this vulnerability, specifically those that add null pointer checks in resolve_prog_type() or enforce attach_prog_fd presence. 2) Audit and review all BPF EXT programs in use to ensure they specify attach_prog_fd correctly and follow best practices for safe program loading. 3) Restrict the ability to load BPF programs to trusted users and processes only, using Linux capabilities (e.g., CAP_BPF) and security modules (SELinux, AppArmor) to limit access. 4) Monitor kernel logs for signs of null pointer dereferences or oops messages related to BPF program loading as early indicators of attempted exploitation or misconfiguration. 5) In containerized or cloud environments, ensure that container runtimes and orchestration platforms are updated to versions that handle BPF program loading safely and do not expose untrusted users to BPF loading capabilities. 6) Implement robust incident response procedures to quickly recover from kernel crashes and minimize downtime. 7) Engage with Linux distribution vendors and maintain awareness of updates related to BPF vulnerabilities to ensure timely patching. These steps go beyond generic advice by focusing on BPF program correctness, access control, and proactive monitoring specific to this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-17T09:11:59.274Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9828c4522896dcbe2006
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 7:27:37 AM
Last updated: 7/31/2025, 7:22:32 AM
Views: 8
Related Threats
Top Israeli Cybersecurity Director Arrested in US Child Exploitation Sting
HighCVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.