CVE-2024-47711: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

af_unix: Don't return OOB skb in manage_oob().

syzbot reported use-after-free in unix_stream_recv_urg(). [0]

The scenario is

  1. send(MSG_OOB)
  2. recv(MSG_OOB)
     -> The consumed OOB remains in recv queue
  3. send(MSG_OOB)
  4. recv()
     -> manage_oob() returns the next skb of the consumed OOB
     -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared
  5. recv(MSG_OOB)
     -> unix_sk(sk)->oob_skb is used but already freed

The recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB skb.") uncovered the issue.

If the OOB skb is consumed and the next skb is peeked in manage_oob(), we still need to check if the skb is OOB.

Let's do so by falling back to the following checks in manage_oob() and add the test case in selftest.

Note that we need to add a similar check for SIOCATMARK.

[0]:
BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959
Read of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235

CPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959
 unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640
 unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778
 unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x22f/0x280 net/socket.c:1068
 ____sys_recvmsg+0x1db/0x470 net/socket.c:2816
 ___sys_recvmsg net/socket.c:2858 [inline]
 __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5360d6b4e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9
RDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003
RBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001
 </TASK>

Allocated by task 5235:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3988 [inline]
 slab_alloc_node mm/slub.c:4037 [inline]
 kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080
 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667
 alloc_skb include/linux/skbuff.h:1320 [inline]
 alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528
 sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815
 sock_alloc_send_skb include/net/sock.h:1778 [inline]
 queue_oob+0x108/0x680 net/unix/af_unix.c:2198
 unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
 ___sys_sendmsg net/socket.c:2651 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5235:
 kasan_save_stack mm/kasan/common.c:47
---truncated---
AI Analysis
Technical Summary
CVE-2024-47711 is a use-after-free vulnerability in the Linux kernel's AF_UNIX socket implementation, in the handling of out-of-band (OOB) data reached from unix_stream_recv_urg(). The flaw arises from improper management of OOB socket buffers (skbs) across consecutive send and receive operations with the MSG_OOB flag. In the reported scenario an OOB byte is sent and consumed with recv(MSG_OOB), the consumed skb remains at the head of the receive queue, and a second OOB byte is sent. A subsequent plain recv() enters manage_oob(), which discards the consumed skb and returns the next skb without checking that it is the new OOB skb; the normal receive path then copies and frees it, while the internal pointer unix_sk(sk)->oob_skb still references the freed buffer. The next recv(MSG_OOB) dereferences that dangling pointer, which is the use-after-free. The bug was uncovered by the recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB skb."), which changed skb reference counting for OOB skbs. The issue was found by the syzbot fuzzing infrastructure and confirmed by KASAN (Kernel Address Sanitizer) reports showing a slab-use-after-free in net/unix/af_unix.c. The vulnerability affects Linux kernel versions prior to the patch and carries kernel memory corruption risk due to the dangling pointer. Exploitation could allow an attacker able to send and receive OOB data on AF_UNIX sockets to execute arbitrary code or cause denial of service via kernel crashes. No public exploits are known at this time. The patch makes manage_oob() fall through to the existing OOB checks after discarding a consumed OOB skb, so that oob_skb is cleared when that skb is consumed, adds a matching check to the SIOCATMARK ioctl, and adds a selftest. This vulnerability is significant because AF_UNIX sockets are widely used for interprocess communication on Linux systems, including many server and desktop environments.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to Linux-based systems that utilize AF_UNIX sockets for local IPC, which includes a vast majority of servers, cloud infrastructure, and embedded devices running Linux. Exploitation could lead to local privilege escalation or denial of service, impacting critical services and applications relying on stable kernel operation. Given the prevalence of Linux in European data centers, cloud providers, and enterprise environments, successful exploitation could disrupt business operations, compromise system integrity, or facilitate lateral movement by attackers. Although remote exploitation is unlikely without local access, insider threats or compromised accounts could leverage this flaw. The absence of known exploits reduces immediate risk, but the vulnerability's presence in kernel code means that unpatched systems remain exposed. Organizations in sectors with high Linux usage—such as finance, telecommunications, government, and technology—may face increased risk. Additionally, the vulnerability could affect containerized environments and virtualized infrastructure common in European cloud deployments, potentially impacting multi-tenant systems.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-47711 as soon as they are available and tested for your environment.
2. For distributions that have not yet released patches, consider upgrading to the latest stable kernel versions that include the fix.
3. Restrict and monitor the use of AF_UNIX sockets with MSG_OOB operations, especially on multi-user systems, to limit potential exploitation vectors.
4. Employ kernel hardening features such as Kernel Address Sanitizer (KASAN) and other runtime protections in development or testing environments to detect similar issues early.
5. Implement strict access controls and auditing on systems to detect unusual local socket activity that could indicate exploitation attempts.
6. For critical systems, consider isolating services that require AF_UNIX sockets in hardened containers or virtual machines to minimize impact scope.
7. Maintain up-to-date intrusion detection and endpoint protection solutions capable of detecting anomalous kernel behavior or crashes.
8. Educate system administrators about the risks of local privilege escalation vulnerabilities and ensure timely patch management policies are enforced.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-30T16:00:12.948Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdce59
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 9:39:32 PM
Last updated: 8/18/2025, 8:52:31 AM