CVE-2024-44946: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: kcm: Serialise kcm_sendmsg() for the same socket. syzkaller reported UAF in kcm_release(). [0] The scenario is 1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb. 2. Thread A resumes building skb from kcm->seq_skb but is blocked by sk_stream_wait_memory() 3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb and puts the skb to the write queue 4. Thread A faces an error and finally frees skb that is already in the write queue 5. kcm_release() does double-free the skb in the write queue When a thread is building a MSG_MORE skb, another thread must not touch it. Let's add a per-sk mutex and serialise kcm_sendmsg(). [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x178/0x518 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] __skb_queue_purge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sock_release net/socket.c:659 [inline] sock_close+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ____fput+0x20/0x30 fs/file_table.c:404 task_work_run+0x230/0x2e0 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x618/0x1f64 kernel/exit.c:871 do_group_exit+0x194/0x22c kernel/exit.c:1020 get_signal+0x1500/0x15ec kernel/signal.c:2893 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 6166: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x220/0x2c0 net/socket.c:768 splice_to_socket+0x7cc/0xd58 fs/splice.c:889 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 do_splice_direct_actor ---truncated---
AI Analysis
Technical Summary
CVE-2024-44946 is a use-after-free (UAF) vulnerability in the Linux kernel's KCM (Kernel Connection Multiplexor) socket implementation, specifically in the kcm_sendmsg() and kcm_release() functions. The vulnerability arises due to a race condition when multiple threads concurrently send messages over the same KCM socket. Thread A begins building a socket buffer (skb) with the MSG_MORE flag and sets kcm->seq_skb, but is blocked during memory wait. Meanwhile, Thread B concurrently calls sendmsg(), completes building the skb, and queues it for writing. Thread A then encounters an error and frees the skb that is already queued, leading to a double-free scenario in kcm_release(). This double-free can cause memory corruption, kernel crashes, or potentially arbitrary code execution in kernel space. The root cause is the lack of serialization in kcm_sendmsg() for the same socket, which was resolved by introducing a per-socket mutex to serialize access. The vulnerability was discovered and reported by syzkaller, a kernel fuzzing tool, and is confirmed by KASAN (Kernel Address Sanitizer) reports showing slab-use-after-free errors. The affected Linux kernel versions include recent development releases prior to the patch, and the issue is relevant to systems using the KCM socket feature, which is used for multiplexing connections at the kernel level to optimize network performance. No CVSS score has been assigned yet, but the vulnerability is serious due to its potential for kernel memory corruption and system instability.
Potential Impact
For European organizations, the impact of CVE-2024-44946 can be significant, especially for those running Linux-based infrastructure that utilizes KCM sockets, such as high-performance networking environments, cloud providers, and data centers. Exploitation could lead to kernel crashes (denial of service), compromising system availability, or potentially allow attackers to execute arbitrary code with kernel privileges, threatening confidentiality and integrity of sensitive data. This is particularly critical for sectors like finance, telecommunications, critical infrastructure, and government services that rely heavily on Linux servers. Given that Linux is widely deployed across Europe in enterprise, cloud, and embedded systems, the vulnerability could affect a broad range of systems if unpatched. However, exploitation requires concurrent access to the same socket and multi-threaded conditions, which may limit the attack surface somewhat. Still, the risk of privilege escalation or persistent kernel compromise makes this vulnerability a high concern for security teams.
Mitigation Recommendations
1. Immediate patching: Apply the official Linux kernel patches that serialize kcm_sendmsg() calls by adding a per-socket mutex to prevent concurrent access and eliminate the race condition. 2. Kernel upgrade: Update Linux kernels to versions that include the fix for CVE-2024-44946 as soon as they become available from your Linux distribution vendor. 3. Audit usage: Identify and audit systems using KCM sockets, particularly in multi-threaded network applications, to prioritize patching and monitoring. 4. Restrict access: Limit untrusted user or process access to KCM sockets to reduce the risk of exploitation. 5. Monitor logs: Enable kernel debugging and monitor for unusual kernel crashes or KASAN reports that may indicate exploitation attempts. 6. Harden kernel: Employ kernel hardening features such as KASLR, SELinux/AppArmor policies, and seccomp filters to reduce impact if exploitation is attempted. 7. Test updates: Thoroughly test kernel updates in staging environments to ensure stability before production deployment, especially in critical infrastructure. 8. Incident response readiness: Prepare incident response plans for potential kernel-level compromises, including forensic capabilities and recovery procedures.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2024-44946: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: kcm: Serialise kcm_sendmsg() for the same socket. syzkaller reported UAF in kcm_release(). [0] The scenario is 1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb. 2. Thread A resumes building skb from kcm->seq_skb but is blocked by sk_stream_wait_memory() 3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb and puts the skb to the write queue 4. Thread A faces an error and finally frees skb that is already in the write queue 5. kcm_release() does double-free the skb in the write queue When a thread is building a MSG_MORE skb, another thread must not touch it. Let's add a per-sk mutex and serialise kcm_sendmsg(). [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x178/0x518 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] __skb_queue_purge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sock_release net/socket.c:659 [inline] sock_close+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ____fput+0x20/0x30 fs/file_table.c:404 task_work_run+0x230/0x2e0 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x618/0x1f64 kernel/exit.c:871 do_group_exit+0x194/0x22c kernel/exit.c:1020 get_signal+0x1500/0x15ec kernel/signal.c:2893 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 6166: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x220/0x2c0 net/socket.c:768 splice_to_socket+0x7cc/0xd58 fs/splice.c:889 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 do_splice_direct_actor ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-44946 is a use-after-free (UAF) vulnerability in the Linux kernel's KCM (Kernel Connection Multiplexor) socket implementation, specifically in the kcm_sendmsg() and kcm_release() functions. The vulnerability arises due to a race condition when multiple threads concurrently send messages over the same KCM socket. Thread A begins building a socket buffer (skb) with the MSG_MORE flag and sets kcm->seq_skb, but is blocked during memory wait. Meanwhile, Thread B concurrently calls sendmsg(), completes building the skb, and queues it for writing. Thread A then encounters an error and frees the skb that is already queued, leading to a double-free scenario in kcm_release(). This double-free can cause memory corruption, kernel crashes, or potentially arbitrary code execution in kernel space. The root cause is the lack of serialization in kcm_sendmsg() for the same socket, which was resolved by introducing a per-socket mutex to serialize access. The vulnerability was discovered and reported by syzkaller, a kernel fuzzing tool, and is confirmed by KASAN (Kernel Address Sanitizer) reports showing slab-use-after-free errors. The affected Linux kernel versions include recent development releases prior to the patch, and the issue is relevant to systems using the KCM socket feature, which is used for multiplexing connections at the kernel level to optimize network performance. No CVSS score has been assigned yet, but the vulnerability is serious due to its potential for kernel memory corruption and system instability.
Potential Impact
For European organizations, the impact of CVE-2024-44946 can be significant, especially for those running Linux-based infrastructure that utilizes KCM sockets, such as high-performance networking environments, cloud providers, and data centers. Exploitation could lead to kernel crashes (denial of service), compromising system availability, or potentially allow attackers to execute arbitrary code with kernel privileges, threatening confidentiality and integrity of sensitive data. This is particularly critical for sectors like finance, telecommunications, critical infrastructure, and government services that rely heavily on Linux servers. Given that Linux is widely deployed across Europe in enterprise, cloud, and embedded systems, the vulnerability could affect a broad range of systems if unpatched. However, exploitation requires concurrent access to the same socket and multi-threaded conditions, which may limit the attack surface somewhat. Still, the risk of privilege escalation or persistent kernel compromise makes this vulnerability a high concern for security teams.
Mitigation Recommendations
1. Immediate patching: Apply the official Linux kernel patches that serialize kcm_sendmsg() calls by adding a per-socket mutex to prevent concurrent access and eliminate the race condition. 2. Kernel upgrade: Update Linux kernels to versions that include the fix for CVE-2024-44946 as soon as they become available from your Linux distribution vendor. 3. Audit usage: Identify and audit systems using KCM sockets, particularly in multi-threaded network applications, to prioritize patching and monitoring. 4. Restrict access: Limit untrusted user or process access to KCM sockets to reduce the risk of exploitation. 5. Monitor logs: Enable kernel debugging and monitor for unusual kernel crashes or KASAN reports that may indicate exploitation attempts. 6. Harden kernel: Employ kernel hardening features such as KASLR, SELinux/AppArmor policies, and seccomp filters to reduce impact if exploitation is attempted. 7. Test updates: Thoroughly test kernel updates in staging environments to ensure stability before production deployment, especially in critical infrastructure. 8. Incident response readiness: Prepare incident response plans for potential kernel-level compromises, including forensic capabilities and recovery procedures.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-21T05:34:56.665Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9826c4522896dcbe0cfb
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 10:56:33 PM
Last updated: 7/25/2025, 4:32:01 PM
Views: 5
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.