CVE-2024-43853: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: Prevent UAF in proc_cpuset_show() An UAF can happen when /proc/cpuset is read as reported in [1]. This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgroup_lock In the cgroup_path_ns function. 2.$cat /proc/<pid>/cpuset repeatly. 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ $umount /sys/fs/cgroup/cpuset/ repeatly. The race that cause this bug can be shown as below: (umount) | (cat /proc/<pid>/cpuset) css_release | proc_cpuset_show css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); cgroup_destroy_root | mutex_lock(&cgroup_mutex); rebind_subsystems | cgroup_free_root | | // cgrp was freed, UAF | cgroup_path_ns_locked(cgrp,..); When the cpuset is initialized, the root node top_cpuset.css.cgrp will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated &cgroup_root.cgrp. When the umount operation is executed, top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. The problem is that when rebinding to cgrp_dfl_root, there are cases where the cgroup_root allocated by setting up the root for cgroup v1 is cached. This could lead to a Use-After-Free (UAF) if it is subsequently freed. The descendant cgroups of cgroup v1 can only be freed after the css is released. However, the css of the root will never be released, yet the cgroup_root should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed. Fix this problem by using rcu_read_lock in proc_cpuset_show(). As cgroup_root is kfree_rcu after commit d23b5c577715 ("cgroup: Make operations on the cgroup root_list RCU safe"), css->cgroup won't be freed during the critical section. To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to replace task_get_css with task_css. [1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
AI Analysis
Technical Summary
CVE-2024-43853 is a Use-After-Free (UAF) vulnerability in the Linux kernel's cgroup cpuset subsystem. The vulnerability arises when reading the /proc/<pid>/cpuset file, which exposes the cpuset control group information for a process. The root cause is a race condition between mounting and unmounting the cpuset cgroup filesystem and concurrent reads of the cpuset proc file. Specifically, when the cpuset filesystem is unmounted, the cgroup_root structure is freed, but references to it may still be cached and accessed during subsequent reads, leading to a UAF scenario. The issue stems from the fact that the root cgroup's css (cgroup subsystem state) is never released, but the associated cgroup_root can be freed on unmount, causing stale pointers. The race can be triggered by repeatedly mounting and unmounting the cpuset cgroup filesystem while simultaneously reading /proc/<pid>/cpuset. The vulnerability was demonstrated by adding artificial delays (mdelay) to increase the race window. The fix involves using RCU (Read-Copy-Update) locking mechanisms (rcu_read_lock) in proc_cpuset_show() to ensure that the cgroup_root structure is not freed during the critical section. Additionally, the code replaces task_get_css with task_css to safely acquire the css reference under the new locking scheme. This vulnerability affects Linux kernel versions containing the specified commit hashes and is related to cgroup v1 cpuset management. No known exploits are reported in the wild yet. The vulnerability could potentially allow local attackers to cause kernel memory corruption, leading to system instability, crashes (denial of service), or possibly privilege escalation if exploited further.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers and infrastructure running vulnerable Linux kernel versions with cgroup v1 cpuset enabled. Many enterprise Linux distributions and cloud providers still support or use cgroup v1 for resource management, especially in containerized environments. Exploitation could allow local users or processes to trigger kernel memory corruption, potentially leading to denial of service or privilege escalation. This could disrupt critical services, impact availability, and compromise system integrity. Organizations relying on Linux-based servers for web hosting, cloud services, or internal infrastructure could face operational disruptions. Additionally, environments using container orchestration platforms that depend on cgroup v1 cpuset might be indirectly affected. The vulnerability requires local access and some user interaction (repeated mounts/unmounts and reads), limiting remote exploitation but still posing a threat in multi-tenant or shared environments. The lack of known exploits reduces immediate risk but patching is essential to prevent future attacks.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-43853 as soon as they become available from your Linux distribution vendor. 2. If patching is delayed, consider disabling or restricting the use of cgroup v1 cpuset controllers, or migrate workloads to cgroup v2 where feasible, as the vulnerability is specific to cgroup v1 cpuset. 3. Limit local user permissions to prevent unprivileged users from mounting/unmounting cgroup filesystems or reading /proc/<pid>/cpuset for other users' processes. 4. Implement strict access controls and monitoring on systems that allow multi-user access or run containerized workloads to detect suspicious repeated mount/unmount or proc file read operations. 5. Employ kernel hardening features such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce exploitation success. 6. Regularly audit and update Linux kernels to the latest stable versions to incorporate security fixes promptly. 7. For container environments, ensure orchestration platforms and container runtimes are updated and configured to use cgroup v2 where possible, reducing exposure to cgroup v1 vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland
CVE-2024-43853: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: Prevent UAF in proc_cpuset_show() An UAF can happen when /proc/cpuset is read as reported in [1]. This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgroup_lock In the cgroup_path_ns function. 2.$cat /proc/<pid>/cpuset repeatly. 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ $umount /sys/fs/cgroup/cpuset/ repeatly. The race that cause this bug can be shown as below: (umount) | (cat /proc/<pid>/cpuset) css_release | proc_cpuset_show css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); cgroup_destroy_root | mutex_lock(&cgroup_mutex); rebind_subsystems | cgroup_free_root | | // cgrp was freed, UAF | cgroup_path_ns_locked(cgrp,..); When the cpuset is initialized, the root node top_cpuset.css.cgrp will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated &cgroup_root.cgrp. When the umount operation is executed, top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. The problem is that when rebinding to cgrp_dfl_root, there are cases where the cgroup_root allocated by setting up the root for cgroup v1 is cached. This could lead to a Use-After-Free (UAF) if it is subsequently freed. The descendant cgroups of cgroup v1 can only be freed after the css is released. However, the css of the root will never be released, yet the cgroup_root should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed. Fix this problem by using rcu_read_lock in proc_cpuset_show(). As cgroup_root is kfree_rcu after commit d23b5c577715 ("cgroup: Make operations on the cgroup root_list RCU safe"), css->cgroup won't be freed during the critical section. To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to replace task_get_css with task_css. [1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
AI-Powered Analysis
Technical Analysis
CVE-2024-43853 is a Use-After-Free (UAF) vulnerability in the Linux kernel's cgroup cpuset subsystem. The vulnerability arises when reading the /proc/<pid>/cpuset file, which exposes the cpuset control group information for a process. The root cause is a race condition between mounting and unmounting the cpuset cgroup filesystem and concurrent reads of the cpuset proc file. Specifically, when the cpuset filesystem is unmounted, the cgroup_root structure is freed, but references to it may still be cached and accessed during subsequent reads, leading to a UAF scenario. The issue stems from the fact that the root cgroup's css (cgroup subsystem state) is never released, but the associated cgroup_root can be freed on unmount, causing stale pointers. The race can be triggered by repeatedly mounting and unmounting the cpuset cgroup filesystem while simultaneously reading /proc/<pid>/cpuset. The vulnerability was demonstrated by adding artificial delays (mdelay) to increase the race window. The fix involves using RCU (Read-Copy-Update) locking mechanisms (rcu_read_lock) in proc_cpuset_show() to ensure that the cgroup_root structure is not freed during the critical section. Additionally, the code replaces task_get_css with task_css to safely acquire the css reference under the new locking scheme. This vulnerability affects Linux kernel versions containing the specified commit hashes and is related to cgroup v1 cpuset management. No known exploits are reported in the wild yet. The vulnerability could potentially allow local attackers to cause kernel memory corruption, leading to system instability, crashes (denial of service), or possibly privilege escalation if exploited further.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers and infrastructure running vulnerable Linux kernel versions with cgroup v1 cpuset enabled. Many enterprise Linux distributions and cloud providers still support or use cgroup v1 for resource management, especially in containerized environments. Exploitation could allow local users or processes to trigger kernel memory corruption, potentially leading to denial of service or privilege escalation. This could disrupt critical services, impact availability, and compromise system integrity. Organizations relying on Linux-based servers for web hosting, cloud services, or internal infrastructure could face operational disruptions. Additionally, environments using container orchestration platforms that depend on cgroup v1 cpuset might be indirectly affected. The vulnerability requires local access and some user interaction (repeated mounts/unmounts and reads), limiting remote exploitation but still posing a threat in multi-tenant or shared environments. The lack of known exploits reduces immediate risk but patching is essential to prevent future attacks.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-43853 as soon as they become available from your Linux distribution vendor. 2. If patching is delayed, consider disabling or restricting the use of cgroup v1 cpuset controllers, or migrate workloads to cgroup v2 where feasible, as the vulnerability is specific to cgroup v1 cpuset. 3. Limit local user permissions to prevent unprivileged users from mounting/unmounting cgroup filesystems or reading /proc/<pid>/cpuset for other users' processes. 4. Implement strict access controls and monitoring on systems that allow multi-user access or run containerized workloads to detect suspicious repeated mount/unmount or proc file read operations. 5. Employ kernel hardening features such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce exploitation success. 6. Regularly audit and update Linux kernels to the latest stable versions to incorporate security fixes promptly. 7. For container environments, ensure orchestration platforms and container runtimes are updated and configured to use cgroup v2 where possible, reducing exposure to cgroup v1 vulnerabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-17T09:11:59.277Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9828c4522896dcbe20b6
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 7:41:41 AM
Last updated: 8/12/2025, 10:38:28 AM
Views: 13
Related Threats
CVE-2025-9093: Improper Export of Android Application Components in BuzzFeed App
MediumResearcher to release exploit for full auth bypass on FortiWeb
HighCVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.