CVE-2024-49861 is a vulnerability identified in the Linux kernel's Berkeley Packet Filter (BPF) subsystem. The issue arises from improper enforcement of read-only restrictions on certain BPF maps, specifically those marked as frozen or read-only (e.g., .rodata). The vulnerability allows a BPF program to write to these read-only maps through specific helper functions that accept arguments annotated as ARG_PTR_TO_LONG or ARG_PTR_TO_INT. The root cause is that during argument validation in check_func_arg(), the meta->raw_mode flag is not set for these argument types, leading check_helper_mem_access() to incorrectly assume a read-only access (BPF_READ) when verifying permissions. Consequently, the verifier permits writes to read-only maps, violating intended memory protections. The fix involves re-annotating these helper arguments to include MEM_UNINIT and MEM_ALIGNED flags, ensuring proper alignment and indicating that the memory is written to rather than read from. This change also removes the special cases for ARG_PTR_TO_LONG/INT in favor of ARG_PTR_TO_FIXED_SIZE_MEM with alignment, enabling the verifier to correctly enforce write restrictions. This vulnerability affects Linux kernel versions identified by the given commit hashes and was publicly disclosed on October 21, 2024. No known exploits are currently reported in the wild. The vulnerability could allow a local attacker with the ability to load or execute BPF programs to write to memory regions that should be immutable, potentially leading to privilege escalation, data corruption, or bypass of security mechanisms relying on read-only BPF maps.

For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernel versions with BPF enabled and accessible to unprivileged or semi-privileged users capable of loading BPF programs. The BPF subsystem is widely used for networking, observability, and security tools, so exploitation could undermine the integrity of security monitoring, firewall rules, or other kernel-level protections. Successful exploitation could lead to privilege escalation, allowing attackers to gain root-level access or persist undetected by modifying supposedly immutable kernel data structures. This could impact critical infrastructure, cloud services, telecommunications, and enterprise environments prevalent in Europe. Additionally, the ability to write to read-only maps could facilitate advanced attacks such as kernel code manipulation or bypassing security modules, increasing the potential for data breaches or service disruptions. Given the widespread use of Linux in European data centers, government agencies, and industrial control systems, the vulnerability could have broad implications if exploited.

European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-49861 as soon as it becomes available. Until patches are applied, organizations should restrict the ability to load or execute BPF programs to trusted users only, ideally limiting this capability to root or highly privileged accounts. Employing Linux Security Modules (LSMs) like SELinux or AppArmor with strict policies can help prevent unauthorized BPF program loading. Monitoring and auditing BPF program loads and executions can provide early detection of exploitation attempts. Network segmentation and isolation of critical systems running vulnerable kernels can reduce exposure. For cloud environments, ensure that container runtimes and orchestration platforms enforce strict privilege boundaries and do not allow untrusted containers to load BPF programs. Finally, organizations should review and harden kernel parameters related to BPF and consider disabling BPF features if not required for operational needs.