
CVE-2024-44974: Vulnerability in Linux

High
Published: Wed Sep 04 2024 (09/04/2024, 19:54:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: avoid possible UaF when selecting endp

select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free.

A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with.

AI-Powered Analysis

Last updated: 06/28/2025, 23:12:04 UTC

Technical Analysis

CVE-2024-44974 is a recently disclosed vulnerability in the Linux kernel affecting the Multipath TCP (MPTCP) implementation, specifically within the path manager (pm) component. The flaw arises from a Use-After-Free (UaF) condition in the functions select_local_address() and select_signal_address(). Both functions select an endpoint entry from a list protected by Read-Copy-Update (RCU) synchronization mechanisms. However, they return a reference to the selected endpoint that is accessed later outside the RCU-protected section. This delayed dereferencing can lead to accessing freed memory, causing undefined behavior or potential kernel crashes. The root cause is that the endpoint entry may be freed after the RCU lock is released but before the reference is used.

The patch involves copying the necessary endpoint information while still inside the RCU-protected section to avoid referencing freed memory later. This fix also accommodates special cases such as the ID0 address scenario by modifying the copied data as needed.

Since this vulnerability is in the Linux kernel’s MPTCP path manager, it affects all Linux distributions and devices running vulnerable kernel versions that include this MPTCP implementation. The vulnerability was reserved on August 21, 2024, and published on September 4, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet. The vulnerability could potentially be triggered by crafted network traffic that causes the kernel to select and dereference freed endpoint entries, leading to kernel instability or denial of service.
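The return-a-reference versus copy-inside-the-section pattern described above, as a userspace model added here for illustration; it is not the kernel patch and not code from this page. Every name in it is hypothetical: a counter stands in for the RCU read-side section, a fixed pool stands in for the allocator, and freeing poisons the slot with 0x6b (the byte the kernel's slab poisoning writes on free) so a stale read is observable without real undefined behaviour.

```c
#include <stdbool.h>
#include <string.h>
/* Userspace model; every name here is hypothetical, not a kernel symbol. */
struct endp_info { unsigned char id; unsigned int addr; };
struct endp { struct endp_info info; bool live; };
/* Constructed sample endpoints; the fixed pool stands in for the slab. */
static struct endp pool[2] = {
    { { 1, 0x0a000001 }, true }, { { 2, 0x0a000002 }, true },
};
static int readers;   /* stands in for the RCU read-side section */

/* Writer: the entry can be freed as soon as no reader is in the section. */
static bool endp_free(int i)
{
    if (readers || !pool[i].live)
        return false;
    memset(&pool[i].info, 0x6b, sizeof(pool[i].info));
    pool[i].live = false;
    return true;
}

/* Lookup; the result is only valid inside the read-side section. */
static struct endp *find(unsigned int addr)
{
    for (int i = 0; i < 2; i++)
        if (pool[i].live && pool[i].info.addr == addr)
            return &pool[i];
    return NULL;
}

/* Before: the returned pointer outlives the section that protected it. */
static struct endp *select_ref(unsigned int addr)
{
    readers++;
    struct endp *e = find(addr);
    readers--;
    return e;
}

/* After: copy what the caller needs while still inside the section. */
static bool select_copy(unsigned int addr, struct endp_info *out)
{
    readers++;
    struct endp *e = find(addr);
    if (e)
        *out = e->info;
    readers--;
    return e != NULL;
}
```

Because the caller owns the copy, it can rewrite the ID for the ID0 case without touching the list entry, and a later free of that entry leaves the copy intact.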

Potential Impact

For European organizations, the impact of CVE-2024-44974 could be significant depending on their reliance on Linux systems with MPTCP enabled. MPTCP is used to improve network resilience and throughput by allowing multiple TCP paths simultaneously. Organizations using Linux servers, network appliances, or embedded devices with vulnerable kernels could experience kernel crashes or denial of service if an attacker exploits this Use-After-Free flaw. This could disrupt critical services, especially in sectors like telecommunications, finance, healthcare, and government where Linux is widely deployed. Although no remote code execution is currently indicated, kernel crashes can cause service outages and potential data loss. The lack of known exploits reduces immediate risk, but the vulnerability’s presence in the kernel means that attackers with network access could attempt to trigger the flaw remotely. European organizations with exposed network services or internal systems using vulnerable Linux kernels should consider this a moderate to high risk. The vulnerability could also be leveraged as part of a multi-stage attack to degrade system availability or facilitate further exploitation.

Mitigation Recommendations

1. Apply kernel updates promptly: European organizations should monitor Linux distribution advisories and apply patches that fix CVE-2024-44974 as soon as they become available.
2. Disable MPTCP if not required: Since the vulnerability is specific to the MPTCP path manager, disabling MPTCP functionality on Linux systems where it is not needed can mitigate the risk.
3. Network segmentation and filtering: Limit exposure of vulnerable Linux systems by restricting network access to trusted sources only, using firewalls and network segmentation to reduce attack surface.
4. Monitor for unusual kernel crashes: Implement monitoring and alerting for kernel panics or crashes that could indicate exploitation attempts.
5. Use kernel hardening and exploit mitigation features: Enable kernel security features such as KASLR, SMEP, and SMAP to reduce the likelihood of successful exploitation.
6. Conduct vulnerability scanning and inventory: Identify all Linux systems running vulnerable kernel versions and prioritize patching based on criticality and exposure.
7. Engage with Linux vendors and community: Stay informed through vendor security advisories and Linux kernel mailing lists for updates and backported patches.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T05:34:56.669Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9826c4522896dcbe0d89

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/28/2025, 11:12:04 PM

Last updated: 8/16/2025, 9:15:34 PM
