CVE-2024-44991: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from a task that failed to clone a new netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected 1 -> 0 transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost and I don't see a use-after-free) but as erroneous trigger of debug check. Add a mutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns.
AI Analysis
Technical Summary
CVE-2024-44991 is a concurrency vulnerability in the Linux kernel's TCP networking stack, specifically involving the function tcp_sk_exit_batch(). This function is responsible for cleaning up TCP sockets in the TIME_WAIT state when a network namespace (netns) is being destroyed. The vulnerability arises because two threads can concurrently invoke tcp_sk_exit_batch(): one from the cleanup_net workqueue and another from a task that failed to clone a new network namespace. During error unwinding in the latter case, exit handlers are called in reverse order for the failed netns. The core issue is that tcp_sk_exit_batch() calls tcp_twsk_purge(), which, since a prior commit (b099ce2602d8), can pick up TIME_WAIT sockets (twsk) from any dying netns, not just those explicitly passed via the exit_batch list. This leads to a race condition where the error unwind path can "steal" and destroy TIME_WAIT sockets belonging to the exiting netns. Consequently, the netns exit worker calls a WARN_ON_ONCE() check on the reference count of the TCP death row's tw_refcount, expecting a decrement from 1 to 0. However, due to the race, this transition does not occur as expected, triggering kernel warnings and potential kernel panics (splat). Both concurrent paths running inet_twsk_purge() can cause refcount warnings and kernel crashes. Although no actual socket loss or use-after-free has been observed, the erroneous triggering of debug checks can cause system instability. The fix involves adding a mutex to enforce strict ordering, ensuring that one task blocks others from performing the final decrement and purge operations until all TIME_WAIT sockets of the dying netns are removed. This vulnerability affects Linux kernel versions identified by the commit e9bd0cca09d1 and related builds, and it was publicly disclosed on September 4, 2024. No known exploits are currently reported in the wild.
Potential Impact
For European organizations, this vulnerability primarily threatens the stability and availability of Linux-based systems that utilize network namespaces extensively, such as containerized environments, cloud infrastructure, and multi-tenant servers. Network namespaces are widely used in modern Linux deployments to isolate network stacks for containers and virtualized workloads. A kernel panic or warning triggered by this race condition could lead to system crashes or forced reboots, causing downtime and disruption of critical services. This is particularly impactful for data centers, cloud service providers, and enterprises relying on Linux servers for networking, web hosting, or application delivery. While the vulnerability does not appear to cause direct data loss or unauthorized access, the denial of service through kernel instability can affect service continuity and operational reliability. Given the prevalence of Linux in European IT infrastructure, especially in sectors like finance, telecommunications, and public services, the risk of service interruptions is significant if unpatched systems encounter this race condition under workload stress or during network namespace operations.
Mitigation Recommendations
Organizations should prioritize updating their Linux kernel to versions that include the patch for CVE-2024-44991 as soon as it becomes available from their Linux distribution vendors. Since the vulnerability involves concurrency in kernel code, applying the official patch that introduces a mutex to serialize tcp_twsk_purge() calls is essential. For environments using container orchestration platforms (e.g., Kubernetes) or network namespace-heavy applications, administrators should monitor kernel logs for WARN_ON_ONCE or refcount warnings indicative of this issue. Additionally, limiting the creation and destruction of network namespaces during peak operational hours can reduce exposure until patches are applied. Employing kernel live patching solutions where supported can minimize downtime during remediation. It is also advisable to audit and test custom kernel modules or third-party networking tools that interact with netns or TCP stack to ensure compatibility with the patched kernel behavior. Finally, maintaining robust system monitoring and alerting for kernel panics or crashes will help detect exploitation or manifestation of this vulnerability promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Italy
CVE-2024-44991: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from a task that failed to clone a new netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected 1 -> 0 transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost and I don't see a use-after-free) but as erroneous trigger of debug check. Add a mutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns.
AI-Powered Analysis
Technical Analysis
CVE-2024-44991 is a concurrency vulnerability in the Linux kernel's TCP networking stack, specifically involving the function tcp_sk_exit_batch(). This function is responsible for cleaning up TCP sockets in the TIME_WAIT state when a network namespace (netns) is being destroyed. The vulnerability arises because two threads can concurrently invoke tcp_sk_exit_batch(): one from the cleanup_net workqueue and another from a task that failed to clone a new network namespace. During error unwinding in the latter case, exit handlers are called in reverse order for the failed netns. The core issue is that tcp_sk_exit_batch() calls tcp_twsk_purge(), which, since a prior commit (b099ce2602d8), can pick up TIME_WAIT sockets (twsk) from any dying netns, not just those explicitly passed via the exit_batch list. This leads to a race condition where the error unwind path can "steal" and destroy TIME_WAIT sockets belonging to the exiting netns. Consequently, the netns exit worker calls a WARN_ON_ONCE() check on the reference count of the TCP death row's tw_refcount, expecting a decrement from 1 to 0. However, due to the race, this transition does not occur as expected, triggering kernel warnings and potential kernel panics (splat). Both concurrent paths running inet_twsk_purge() can cause refcount warnings and kernel crashes. Although no actual socket loss or use-after-free has been observed, the erroneous triggering of debug checks can cause system instability. The fix involves adding a mutex to enforce strict ordering, ensuring that one task blocks others from performing the final decrement and purge operations until all TIME_WAIT sockets of the dying netns are removed. This vulnerability affects Linux kernel versions identified by the commit e9bd0cca09d1 and related builds, and it was publicly disclosed on September 4, 2024. No known exploits are currently reported in the wild.
Potential Impact
For European organizations, this vulnerability primarily threatens the stability and availability of Linux-based systems that utilize network namespaces extensively, such as containerized environments, cloud infrastructure, and multi-tenant servers. Network namespaces are widely used in modern Linux deployments to isolate network stacks for containers and virtualized workloads. A kernel panic or warning triggered by this race condition could lead to system crashes or forced reboots, causing downtime and disruption of critical services. This is particularly impactful for data centers, cloud service providers, and enterprises relying on Linux servers for networking, web hosting, or application delivery. While the vulnerability does not appear to cause direct data loss or unauthorized access, the denial of service through kernel instability can affect service continuity and operational reliability. Given the prevalence of Linux in European IT infrastructure, especially in sectors like finance, telecommunications, and public services, the risk of service interruptions is significant if unpatched systems encounter this race condition under workload stress or during network namespace operations.
Mitigation Recommendations
Organizations should prioritize updating their Linux kernel to versions that include the patch for CVE-2024-44991 as soon as it becomes available from their Linux distribution vendors. Since the vulnerability involves concurrency in kernel code, applying the official patch that introduces a mutex to serialize tcp_twsk_purge() calls is essential. For environments using container orchestration platforms (e.g., Kubernetes) or network namespace-heavy applications, administrators should monitor kernel logs for WARN_ON_ONCE or refcount warnings indicative of this issue. Additionally, limiting the creation and destruction of network namespaces during peak operational hours can reduce exposure until patches are applied. Employing kernel live patching solutions where supported can minimize downtime during remediation. It is also advisable to audit and test custom kernel modules or third-party networking tools that interact with netns or TCP stack to ensure compatibility with the patched kernel behavior. Finally, maintaining robust system monitoring and alerting for kernel panics or crashes will help detect exploitation or manifestation of this vulnerability promptly.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-21T05:34:56.671Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9826c4522896dcbe0dea
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 11:26:33 PM
Last updated: 8/12/2025, 10:00:33 AM
Views: 12
Related Threats
CVE-2025-40770: CWE-300: Channel Accessible by Non-Endpoint in Siemens SINEC Traffic Analyzer
HighCVE-2025-40769: CWE-1164: Irrelevant Code in Siemens SINEC Traffic Analyzer
HighCVE-2025-40768: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Siemens SINEC Traffic Analyzer
HighCVE-2025-40767: CWE-250: Execution with Unnecessary Privileges in Siemens SINEC Traffic Analyzer
HighCVE-2025-40766: CWE-400: Uncontrolled Resource Consumption in Siemens SINEC Traffic Analyzer
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.