CVE-2024-49952: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: prevent nf_skb_duplicated corruption

syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write per-cpu variable nf_skb_duplicated in an unsafe way [1].

Disabling preemption as hinted by the splat is not enough, we have to disable soft interrupts as well.

[1]
BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
 nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
 nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
 nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
 nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
 NF_HOOK_COND include/linux/netfilter.h:302 [inline]
 ip_output+0x185/0x230 net/ipv4/ip_output.c:433
 ip_local_out net/ipv4/ip_output.c:129 [inline]
 ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
 udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
 udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
 ___sys_sendmsg net/socket.c:2651 [inline]
 __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
 __do_sys_sendmmsg net/socket.c:2766 [inline]
 __se_sys_sendmmsg net/socket.c:2763 [inline]
 __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ce4f7def9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68
 </TASK>
AI Analysis
Technical Summary
CVE-2024-49952 is a vulnerability in the Linux kernel's netfilter subsystem, specifically in the nf_tables component responsible for packet filtering and network address translation. The issue arises from unsafe handling of the per-CPU variable nf_skb_duplicated in the nf_dup_ipv4() and nf_dup_ipv6() functions, which duplicate socket buffers (skbs) for IPv4 and IPv6 packets, respectively. These functions write nf_skb_duplicated with __this_cpu_write() without adequate protection, so the per-CPU variable can be corrupted. The root cause is that disabling preemption alone is insufficient: the netfilter hooks that reach these functions run both in process context (the splat above shows the path from a UDP sendmsg() through ip_output()) and in softirq context, so a soft interrupt arriving on the same CPU can execute the same code while the variable is set, and soft interrupts must also be disabled to make the access safe. The flaw was found by syzbot, a kernel fuzzing tool, whose report shows __this_cpu_write() being used in preemptible code. Corrupted per-CPU state can cause kernel crashes or unpredictable behavior. Affected are kernel versions prior to the patch, which disables soft interrupts in addition to preemption around the critical section. Although no exploits are currently known in the wild, the flaw resides in a critical kernel networking component, making it a potential target for attackers aiming at denial of service or privilege escalation via kernel memory corruption. The vulnerability does not require user interaction, but it does require the ability to send or otherwise cause network packets to be processed by nf_tables, which is commonly enabled on Linux systems for firewalling and packet filtering.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers, network appliances, and infrastructure devices running vulnerable Linux kernels with nf_tables enabled. Exploitation could lead to kernel crashes resulting in denial of service, impacting availability of critical services such as web hosting, cloud infrastructure, and internal network security appliances. In more sophisticated attack scenarios, memory corruption could be leveraged for privilege escalation or arbitrary code execution within the kernel context, potentially compromising confidentiality and integrity of sensitive data. Given the widespread use of Linux in European data centers, cloud providers, telecom infrastructure, and embedded systems, the vulnerability could affect a broad range of sectors including finance, government, healthcare, and telecommunications. The lack of known exploits reduces immediate risk, but the critical nature of kernel-level vulnerabilities necessitates prompt remediation to prevent future exploitation. Additionally, compliance with European cybersecurity regulations such as NIS2 and GDPR mandates timely patching of known vulnerabilities to maintain operational security and data protection standards.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions that include the fix for CVE-2024-49952, which disables soft interrupts alongside preemption around the accesses to nf_skb_duplicated. Kernel patches are distributed through the official channels of the Linux distributions, so applying the latest security updates from trusted vendors (e.g., Debian, Ubuntu, Red Hat, SUSE) is the primary remediation. Where immediate patching is not feasible, exposure can be reduced by removing packet-duplication rules, since the vulnerable nf_dup_ipv4()/nf_dup_ipv6() code is reached through the nf_tables dup expression (nft_dup_ipv4_eval() in the splat), or, where nf_tables or the related netfilter features are not needed at all, by temporarily disabling them. Network monitoring should be enhanced to detect unexpected packet duplication or other anomalous traffic that could indicate the vulnerable path being exercised. Security teams should also audit firewall and packet-filtering configurations to keep exposure minimal. Finally, organizations should maintain robust incident response plans and kernel crash analysis capabilities, including reviewing kernel logs for the "BUG: using __this_cpu_write() in preemptible" splat shown above, to identify and respond to potential exploitation attempts quickly.
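A practical first step for the audit recommended above is to determine whether a host actually reaches the vulnerable code: the splat shows nft_dup_ipv4_eval() calling nf_dup_ipv4(), i.e. an nftables rule using the dup expression, and the same nf_dup_ipv4()/nf_dup_ipv6() helpers also back the iptables TEE target. The following POSIX shell script is an added example, not part of the advisory or of the kernel tree; its function names are its own, the module names it looks for (nf_dup_ipv4, nf_dup_ipv6, nft_dup_ipv4, nft_dup_ipv6, xt_TEE) are the real kernel module names, and the sample ruleset, iptables-save and /proc/modules text are constructed for offline checks. It prints the running kernel version for comparison with the distribution's advisory but does not itself decide whether that kernel is patched.

```shell
#!/bin/sh
# Added exposure check for CVE-2024-49952 (example code, not from the advisory
# or the kernel tree).  The vulnerable helpers nf_dup_ipv4()/nf_dup_ipv6() are
# only reached through packet-duplication rules: the nftables "dup" expression
# (nft_dup_ipv4 / nft_dup_ipv6, the path in the splat) and the iptables TEE
# target (xt_TEE).  Each checker reads a text dump on stdin so it can be run
# against saved configuration as well as the live host.

# 0 if an "nft list ruleset" dump on stdin contains a "dup to ..." expression.
ruleset_uses_dup() {
    grep -Eq '(^|[[:space:]])dup[[:space:]]+to([[:space:]]|$)'
}

# 0 if an iptables-save / ip6tables-save dump on stdin uses the TEE target.
iptables_uses_tee() {
    grep -Eq -- '-j[[:space:]]+TEE([[:space:]]|$)'
}

# Print the packet-duplication modules present in /proc/modules-format text on
# stdin (first field is the module name), one per line.
dup_modules_loaded() {
    awk '$1 ~ /^(nf_dup_ipv[46]|nft_dup_ipv[46]|xt_TEE)$/ { print $1 }'
}

# Constructed sample inputs (not captured from a real host) for exercising the
# checkers offline.
SAMPLE_NFT_RULESET='table ip mangle {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        dup to 192.0.2.10 device "eth1"
    }
}'
SAMPLE_NFT_CLEAN='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
    }
}'
SAMPLE_IPTABLES_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j TEE --gateway 192.0.2.10
COMMIT'
SAMPLE_PROC_MODULES='nft_dup_ipv4 12288 1 - Live 0x0000000000000000
nf_dup_ipv4 12288 1 nft_dup_ipv4, Live 0x0000000000000000
nf_tables 401408 9 nft_dup_ipv4, Live 0x0000000000000000'

# Run the checkers against this host.  Returns 0 when the nf_dup_ipv4()/
# nf_dup_ipv6() path is reachable (duplication rules or modules present),
# 1 otherwise.  nft and iptables-save need root to dump the ruleset; a failed
# dump is treated as "nothing found".
audit_live_host() {
    exposed=1
    echo "running kernel: $(uname -r) (compare with your distribution's fix for CVE-2024-49952)"
    if command -v nft >/dev/null 2>&1 && nft list ruleset 2>/dev/null | ruleset_uses_dup; then
        echo "nftables ruleset uses 'dup to': nft_dup_ipv4/nft_dup_ipv6 path reachable"
        exposed=0
    fi
    for cmd in iptables-save ip6tables-save; do
        if command -v "$cmd" >/dev/null 2>&1 && "$cmd" 2>/dev/null | iptables_uses_tee; then
            echo "$cmd ruleset uses the TEE target: xt_TEE -> nf_dup_ipv4/nf_dup_ipv6"
            exposed=0
        fi
    done
    if [ -r /proc/modules ]; then
        mods=$(dup_modules_loaded </proc/modules | tr '\n' ' ')
        if [ -n "$mods" ]; then
            echo "packet-duplication modules loaded: $mods"
            exposed=0
        fi
    fi
    [ "$exposed" -eq 0 ] || echo "no packet-duplication rules or modules found on this host"
    return "$exposed"
}

# Live run; when the file is sourced, call audit_live_host directly and use its
# return value (0 = vulnerable path reachable) in your own tooling.
audit_live_host || :
```

The checkers deliberately look for the rule that makes the path reachable rather than for "malformed" traffic, because any packet matching a dup or TEE rule goes through nf_dup_ipv4()/nf_dup_ipv6(); a host with no such rule and none of the listed modules loaded cannot hit this code until a rule is added. The module names are stable across kernel releases, but a module built into the kernel (CONFIG_*=y) will not appear in /proc/modules, so the ruleset checks are the more reliable signal.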
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.047Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdfb28
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 3:27:23 PM
Last updated: 8/18/2025, 9:01:34 AM