CVE-2024-43870: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

perf: Fix event leak upon exit

When a task is scheduled out, pending sigtrap deliveries are deferred to the target task upon resume to userspace via task_work.

However failures while adding an event's callback to the task_work engine are ignored. And since the last call for events exit happen after task work is eventually closed, there is a small window during which pending sigtrap can be queued though ignored, leaking the event refcount addition such as in the following scenario:

    TASK A
    -----

    do_exit()
       exit_task_work(tsk);

       <IRQ>
       perf_event_overflow()
          event->pending_sigtrap = pending_id;
          irq_work_queue(&event->pending_irq);
       </IRQ>
    =========> PREEMPTION: TASK A -> TASK B
       event_sched_out()
          event->pending_sigtrap = 0;
          atomic_long_inc_not_zero(&event->refcount)
          // FAILS: task work has exited
          task_work_add(&event->pending_task)
       [...]
       <IRQ WORK>
       perf_pending_irq()
          // early return: event->oncpu = -1
       </IRQ WORK>
       [...]
    =========> TASK B -> TASK A
    perf_event_exit_task(tsk)
       perf_event_exit_event()
          free_event()
             WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)
             // leak event due to unexpected refcount == 2

As a result the event is never released while the task exits.

Fix this with appropriate task_work_add()'s error handling.
AI Analysis
Technical Summary
CVE-2024-43870 is a vulnerability in the Linux kernel's perf subsystem, specifically related to event handling during task exit. The perf subsystem is used for performance monitoring and profiling in Linux. The vulnerability arises from improper handling of event callbacks in the task_work engine when a task is scheduled out and subsequently exits. When a task is scheduled out, pending SIGTRAP signal deliveries are deferred to the target task upon resuming to userspace via task_work. However, if adding an event's callback to the task_work engine fails, this failure is ignored. Since the final call for event exit occurs after task_work has been closed, there is a small window where pending SIGTRAP signals can be queued but ignored, causing a leak in the event's reference count. This leak means that the event is never properly released when the task exits, leading to resource leakage within the kernel. The technical scenario involves preemption between tasks and interrupt requests (IRQs) that cause the event's reference count to increase unexpectedly, preventing the event from being freed. The fix involves adding proper error handling for task_work_add() calls to ensure that failures are not ignored and resources are correctly released. This vulnerability affects multiple versions of the Linux kernel as indicated by the affected commit hashes, and it was published on August 21, 2024. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
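A userspace C model of the scenario described above, added here as an illustration; it is not kernel code and not the upstream patch. The struct layouts, the `_model` functions, the `check_error` switch and the error value are assumptions that only mirror the names used in the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model (constructed); names follow the description, bodies are simplified. */
struct task  { bool work_exited; int queued; };
struct event { long refcount; bool pending_sigtrap; };

/* Models task_work_add(): refuses new work once exit_task_work() has run. */
static int task_work_add_model(struct task *t)
{
    if (t->work_exited)
        return -1;                 /* error value is illustrative */
    t->queued++;
    return 0;
}

/* Models event_sched_out(); check_error selects ignoring vs handling the failure. */
static void sched_out_model(struct task *t, struct event *e, bool check_error)
{
    if (!e->pending_sigtrap)
        return;
    e->pending_sigtrap = false;
    e->refcount++;                 /* reference held for the deferred callback */
    int err = task_work_add_model(t);
    if (err && check_error)
        e->refcount--;             /* callback will never run: undo the get */
}

/* Replays the scenario; returns the refcount free_event() would see (expects 1). */
static long refcount_at_free(bool exit_first, bool check_error)
{
    struct task a = { .work_exited = exit_first, .queued = 0 };
    struct event ev = { .refcount = 1, .pending_sigtrap = true }; /* overflow IRQ hit */

    sched_out_model(&a, &ev, check_error);   /* preemption: TASK A -> TASK B */
    while (a.queued > 0) {                   /* resume to userspace: callbacks run */
        a.queued--;
        ev.refcount--;                       /* callback drops its reference */
    }
    return ev.refcount;
}

int main(void)
{
    printf("normal path:      %ld\n", refcount_at_free(false, false));
    printf("exit, unchecked:  %ld\n", refcount_at_free(true, false));
    printf("exit, checked:    %ld\n", refcount_at_free(true, true));
    return 0;
}
```

Only the combination of an already-closed task_work list and an ignored return value leaves the count at 2, which is the condition the WARN in free_event() reports.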
Potential Impact
For European organizations, this vulnerability could lead to resource leaks in Linux systems running vulnerable kernel versions, potentially degrading system performance or causing denial of service (DoS) conditions over time. Since the perf subsystem is widely used for performance monitoring and debugging, especially in enterprise and cloud environments, the leak could affect servers, workstations, and embedded devices running Linux. Resource leakage in kernel space can accumulate, leading to system instability or crashes, which could disrupt critical business operations. Although this vulnerability does not directly allow privilege escalation or remote code execution, the resulting instability could be exploited as part of a larger attack chain or cause operational disruptions. Organizations relying on Linux-based infrastructure for critical services, including cloud providers, telecommunications, and industrial control systems, may face increased risk of downtime or degraded performance if the vulnerability is not addressed promptly.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-43870 as soon as it becomes available. Until patches are applied, organizations should monitor system logs for unusual perf subsystem warnings or errors that might indicate resource leaks. Limiting the use of perf monitoring tools on production systems or isolating them in controlled environments can reduce exposure. Additionally, organizations should implement robust kernel-level monitoring to detect abnormal resource consumption patterns that could signal exploitation or impact from this vulnerability. For environments where kernel updates are delayed due to operational constraints, consider applying kernel live patching solutions if supported. Finally, ensure that system administrators and security teams are aware of this vulnerability and incorporate it into vulnerability management and patching workflows.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-17T09:11:59.280Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdcd70
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 9:09:32 PM
Last updated: 8/18/2025, 11:25:20 PM