CVE-2024-43887: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Disable TCP-AO static key after RCU grace period

The lifetime of TCP-AO static_key is the same as the last tcp_ao_info. On the socket destruction tcp_ao_info ceases to be with RCU grace period, while tcp-ao static branch is currently deferred destructed.

The static key definition is:

    DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);

which means that if RCU grace period is delayed by more than a second and tcp_ao_needed is in the process of disablement, other CPUs may yet see tcp_ao_info which ain't dead, but soon-to-be. And that breaks the assumption of static_key_fast_inc_not_disabled(). See the comment near the definition:

> * The caller must make sure that the static key can't get disabled while
> * in this function. It doesn't patch jump labels, only adds a user to
> * an already enabled static key.

Originally it was introduced in commit eb8c507296f6 ("jump_label: Prevent key->enabled int overflow"), which is needed for the atomic contexts, one of which would be the creation of a full socket from a request socket. In that atomic context, it's known by the presence of the key (md5/ao) that the static branch is already enabled. So, the ref counter for that static branch is just incremented instead of holding the proper mutex. static_key_fast_inc_not_disabled() is just a helper for such usage case. But it must not be used if the static branch could get disabled in parallel as it's not protected by jump_label_mutex and as a result, races with jump_label_update() implementation details.

Happened on netdev test-bot[1], so not a theoretical issue:

[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1
[] ------------[ cut here ]------------
[] kernel BUG at arch/x86/kernel/jump_label.c:73!
[] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1
[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[] Workqueue: events jump_label_update_timeout
[] RIP: 0010:__jump_label_patch+0x2f6/0x350
...
[] Call Trace:
[] <TASK>
[] arch_jump_label_transform_queue+0x6c/0x110
[] __jump_label_update+0xef/0x350
[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60
[] jump_label_update_timeout+0x2c/0x40
[] process_one_work+0xe3b/0x1670
[] worker_thread+0x587/0xce0
[] kthread+0x28a/0x350
[] ret_from_fork+0x31/0x70
[] ret_from_fork_asm+0x1a/0x30
[] </TASK>
[] Modules linked in: veth
[] ---[ end trace 0000000000000000 ]---
[] RIP: 0010:__jump_label_patch+0x2f6/0x350

[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
AI Analysis
Technical Summary
CVE-2024-43887 is a vulnerability in the Linux kernel's TCP Authentication Option (TCP-AO) implementation, specifically in the lifecycle management of the static key that gates the TCP-AO code paths. The issue is a race between the teardown of the static key tcp_ao_needed and the teardown of the associated tcp_ao_info structure during socket destruction. tcp_ao_info is freed only after a Read-Copy-Update (RCU) grace period, whereas tcp_ao_needed is declared with DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ), so its disable is deferred by a fixed one-second timeout that is not tied to that grace period. If the grace period takes longer than a second, the key can be disabled while other CPUs can still observe a tcp_ao_info that is logically dead but not yet freed. That breaks the contract of static_key_fast_inc_not_disabled(): the caller must guarantee that the key cannot be disabled while the helper runs. The helper increments the key's reference count without taking jump_label_mutex, the lock that serialises enabling, disabling and patching of static keys, so a concurrent disable races with jump_label_update() and leaves the jump-label state inconsistent. The result is a fatal kernel bug (invalid opcode exception and kernel oops), as the netdev test-bot showed with a crash in __jump_label_patch(). static_key_fast_inc_not_disabled() itself was introduced in an earlier commit that prevented integer overflow of key->enabled; it exists for atomic contexts, such as creating a full socket from a request socket, where the presence of an MD5/AO key already implies that the static branch is enabled. The issue is not theoretical: it has been observed in automated kernel testing, so the risk of kernel crashes is real. The fix, as its title states, disables the TCP-AO static key only after the RCU grace period. No CVSS score is assigned yet, and no known exploits in the wild have been reported.
The vulnerability affects Linux kernel versions identified by the commit hashes provided, and a patch is implied but not linked in the data.
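To make the ordering problem concrete, here is an added user-space model of the race (example code written for this page, not kernel code and not part of the advisory). The structs, the millisecond timings and the names model_key, model_ao_info, fast_inc_not_disabled and simulate are simplified stand-ins for the kernel's tcp_ao_needed static key, tcp_ao_info object and static_key_fast_inc_not_disabled(); the "fixed" path models the patch's ordering, where the key is disabled only after the RCU grace period.

```c
/* Added model of the CVE-2024-43887 ordering bug; not kernel code. The
 * structs and timings are simplified stand-ins for the kernel's
 * tcp_ao_needed static key and tcp_ao_info object. Time is in ms. */
#include <stdbool.h>
#include <stdio.h>
#define HZ_MS 1000  /* DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ): 1 s timeout */
struct model_key { int enabled; };     /* stand-in for the static key's refcount */
struct model_ao_info { bool freed; };  /* stand-in for an RCU-freed tcp_ao_info */

/* Same contract as static_key_fast_inc_not_disabled(): it only adds a user to
 * an already enabled key and relies on the caller to rule out a concurrent
 * disable. Returns false when that contract has already been broken. */
static bool fast_inc_not_disabled(struct model_key *k)
{
    if (k->enabled <= 0)
        return false;
    k->enabled++;
    return true;
}

/* Socket destroyed at t=0. Returns true when a reader at reader_ms (the atomic
 * "full socket from request socket" path) still sees tcp_ao_info but finds the
 * key disabled, i.e. the assumption the kernel path makes is violated.
 *   fixed=false: key dec deferred by the HZ timer, ao_info freed after the grace period
 *   fixed=true:  key dec is started from the RCU callback, so it can only
 *                happen after ao_info is gone (the patch's ordering) */
static bool simulate(bool fixed, int rcu_grace_ms, int reader_ms)
{
    struct model_key key = { .enabled = 1 };
    struct model_ao_info ao = { .freed = false };
    int key_disable_ms = fixed ? rcu_grace_ms + HZ_MS : HZ_MS;

    if (reader_ms >= rcu_grace_ms)
        ao.freed = true;        /* RCU callback ran: the reader cannot find ao_info */
    if (reader_ms >= key_disable_ms)
        key.enabled--;          /* deferred static key disable fired */
    if (ao.freed)
        return false;           /* nothing to increment for: no violation */
    return !fast_inc_not_disabled(&key);
}

int main(void)
{
    /* Grace period delayed to 1.5 s, reader arrives at 1.2 s. */
    printf("unfixed, grace 1500ms, reader 1200ms: %s\n",
           simulate(false, 1500, 1200) ? "VIOLATION" : "ok");
    printf("fixed,   grace 1500ms, reader 1200ms: %s\n",
           simulate(true, 1500, 1200) ? "VIOLATION" : "ok");
    return 0;
}
```

With a grace period shorter than the one-second timeout the unfixed ordering is also harmless, which is why the bug only surfaced when RCU was delayed.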
Potential Impact
For European organizations, this vulnerability poses a significant risk to systems running affected Linux kernel versions, especially those utilizing TCP-AO for enhanced TCP security. The vulnerability can lead to kernel crashes (kernel oops) and system instability, resulting in denial of service (DoS) conditions. This is particularly critical for infrastructure relying on Linux servers for networking, cloud services, and critical applications, as unexpected kernel panics can disrupt business operations, degrade service availability, and potentially cause data loss if systems reboot unexpectedly. Since the flaw involves low-level kernel code and atomic contexts, it may affect high-performance networking environments and virtualized infrastructures common in European data centers. Although no active exploitation is reported, the presence of a reproducible crash in testing environments suggests that attackers with kernel-level access or the ability to trigger specific socket operations could exploit this to cause DoS. The impact on confidentiality and integrity is limited unless combined with other vulnerabilities, but availability impact is high. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure in Europe, which heavily depend on Linux-based systems, could face operational disruptions if unpatched.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since the issue relates to kernel static key lifecycle management, applying the official kernel patches from trusted Linux distributions or upstream Linux kernel releases is essential. Organizations should:
1) Identify all systems running affected Linux kernel versions, especially those using TCP-AO or related TCP security features.
2) Schedule and deploy kernel updates promptly, ensuring minimal downtime through maintenance windows or rolling updates.
3) Where immediate patching is not feasible, consider disabling TCP-AO if it is not critical, as a temporary mitigation that avoids the vulnerable code paths.
4) Monitor kernel logs and system stability for jump-label-related crashes or kernel oops events (for example, "jump_label: Fatal kernel bug" or "kernel BUG at arch/x86/kernel/jump_label.c" messages like those in the description above).
5) Employ kernel live patching technologies where supported to reduce exposure time without full reboots.
6) Review and enhance system hardening and access controls to limit kernel-level access, reducing the risk of exploitation.
7) Engage with Linux vendor support channels for guidance on patch availability and backporting if using long-term support kernels.
These steps go beyond generic advice by focusing on TCP-AO usage, kernel version auditing, and operational controls specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-17T09:11:59.288Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe0bc1
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 10:25:54 PM
Last updated: 7/30/2025, 8:13:47 PM