CVE-2024-46771: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered.

syzkaller reported a warning in bcm_connect() below. [0]

The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0.

Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify().

The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry.

Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered.

[0]:
proc_dir_entry 'can-bcm/2456' already registered
WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
Modules linked in:
CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
FS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
 bcm_connect+0x472/0x840 net/can/bcm.c:1673
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x5d2/0x690 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x8f/0x100 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fbd708b0e5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000
 </TASK>
remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'
AI Analysis
Technical Summary
CVE-2024-46771 is a vulnerability in the Linux kernel's CAN (Controller Area Network) BCM (Broadcast Manager) socket implementation. The issue arises from improper cleanup of proc filesystem entries when a bound network device is unregistered. When a BCM socket calls connect(), it allocates a proc entry representing the socket's state and sets the bcm_sk(sk)->bound flag so that further connect() calls are rejected. If the bound device is then removed, bcm_notify() resets that flag to zero, so a second connect() call allocates a proc entry under the same name without releasing the original one, which is leaked. The vulnerability was found by syzkaller, a kernel fuzzer, which triggered a warning about the duplicate proc entry. The root cause is that the proc entry is not removed when the bound network device is unregistered, leaving a dangling entry behind and allowing the leak to be repeated. The vulnerability affects Linux kernel versions prior to the patch that removes the proc entry when the bound net device is unregistered. The kernel stack trace shows the warning being raised in proc_register(), reached from bcm_connect(). The vulnerability does not appear to allow code execution or privilege escalation, but leaked proc entries can lead to resource exhaustion or denial of service (DoS) conditions on affected systems. No exploits are currently reported in the wild. Only systems using CAN BCM sockets are affected; these are commonly used in automotive and industrial control environments for communication over CAN networks.
Potential Impact
For European organizations, the impact of CVE-2024-46771 depends largely on the deployment of Linux systems that use CAN BCM sockets. Industries such as automotive manufacturing, industrial automation, and embedded systems development are the most likely to use CAN interfaces. Successful exploitation could lead to denial of service by exhausting kernel resources through leaked proc entries, potentially disrupting communication channels in automotive or industrial control systems. This could affect manufacturing lines, vehicle diagnostics, or embedded device operations. While the vulnerability does not directly expose confidential data or allow privilege escalation, the resulting instability or crashes could impact operational continuity and safety-critical systems. European organizations with embedded Linux devices or automotive testing infrastructure should be particularly vigilant. General-purpose Linux servers and desktops that do not use CAN BCM sockets are unlikely to be affected. Given the strategic importance of the automotive and industrial sectors in Europe, however, the risk of disruption is non-negligible.
Mitigation Recommendations
To mitigate CVE-2024-46771, organizations should apply the official Linux kernel patch that removes the proc entry when the bound network device is unregistered. This fix prevents the resource leak and stabilizes BCM socket behavior. Where immediate patching is not feasible, administrators should monitor kernel logs for the indicators seen in the report above: a "proc_dir_entry 'can-bcm/...' already registered" warning, a remove_proc_entry message reporting a non-empty 'net/can-bcm' directory, or a warning trace that passes through bcm_connect(). Limiting access to CAN BCM sockets to trusted users and processes reduces the chance of the leak being triggered. Applying resource limits on socket creation can help contain resource exhaustion. For embedded or automotive systems, firmware updates that incorporate the patched kernel should be prioritized. Network segmentation and strict access controls around devices using CAN interfaces further reduce exposure. Regular auditing of kernel versions and vulnerability advisories is recommended to ensure timely application of security updates.
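The log-monitoring recommendation above, as an added example that is not part of the advisory: a small scanner that reads a dmesg or journal dump and reports the two can-bcm messages quoted in the kernel trace (the duplicate registration and the leaked entry at directory removal), plus whether bcm_connect() appears in a warning's call trace. The sample lines are constructed from the advisory's trace, not captured from a real system.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the warning quoted in the advisory
# (not a capture from a real system); the last line is unrelated noise.
SAMPLE_DMESG = """\
[  120.417395] vxcan1: link becomes ready
[  121.002184] proc_dir_entry 'can-bcm/2456' already registered
[  121.002201] WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0
[  121.002250] Call Trace:
[  121.002255]  proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
[  121.002262]  bcm_connect+0x472/0x840 net/can/bcm.c:1673
[  125.118877] proc_dir_entry 'can-bcm/2456' already registered
[  130.550012] remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'
[  131.000000] proc_dir_entry 'net/dev' already registered
"""

# The two messages the advisory's trace shows for this bug; the number is the
# per-socket proc entry name under /proc/net/can-bcm.
DUP_ENTRY = re.compile(r"proc_dir_entry 'can-bcm/(\d+)' already registered")
LEAKED_DIR = re.compile(
    r"remove_proc_entry: removing non-empty directory 'net/can-bcm', "
    r"leaking at least '(\d+)'")
BCM_CONNECT_FRAME = re.compile(r"\bbcm_connect\+0x[0-9a-f]+/0x[0-9a-f]+")


def scan_kernel_log(text):
    """Summarise CVE-2024-46771 indicators in a kernel log dump.

    Returns the duplicate-registration count per entry name, the entry
    names the kernel reported as leaked when the can-bcm directory was
    removed, and whether bcm_connect() appeared in a warning's call trace.
    """
    duplicates = Counter()
    leaked = []
    bcm_connect_in_trace = False
    for line in text.splitlines():
        m = DUP_ENTRY.search(line)
        if m:
            duplicates[m.group(1)] += 1
        m = LEAKED_DIR.search(line)
        if m:
            leaked.append(m.group(1))
        if BCM_CONNECT_FRAME.search(line):
            bcm_connect_in_trace = True
    return {"duplicates": dict(duplicates), "leaked": leaked,
            "bcm_connect_in_trace": bcm_connect_in_trace}


def needs_attention(summary):
    """True when any can-bcm entry was registered twice or reported leaked."""
    return bool(summary["duplicates"]) or bool(summary["leaked"])


if __name__ == "__main__":
    print(scan_kernel_log(SAMPLE_DMESG))
```

On a live host the same function can be fed the output of dmesg or journalctl -k; repeated duplicate counts for one entry name indicate the leak is being triggered more than once.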
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.274Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe124f
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/29/2025, 1:26:37 AM
Last updated: 8/5/2025, 6:46:32 PM