CVE-2024-50085: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg net/socket.c:744 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7fe4579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 5387: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated---
AI Analysis
Technical Summary
CVE-2024-50085 is a high-severity vulnerability affecting the Linux kernel's implementation of Multipath TCP (MPTCP), specifically within the path manager netlink interface. The flaw is a use-after-free (UaF) condition occurring in the function mptcp_pm_nl_rm_addr_or_subflow, which is responsible for removing addresses or subflows in the MPTCP path manager netlink code. This vulnerability was discovered and reported by the Syzkaller fuzzing tool, which triggered a kernel crash (splat) due to a slab-use-after-free error detected by Kernel Address Sanitizer (KASAN). The detailed kernel stack trace shows that the issue arises when the kernel attempts to read memory that has already been freed, leading to undefined behavior, potential kernel crashes, or arbitrary code execution in kernel context. MPTCP is an extension of TCP that allows multiple paths to be used simultaneously between two endpoints, improving redundancy and throughput. The vulnerability lies in the netlink interface used for managing MPTCP addresses and subflows, which is accessible to processes with certain privileges. The CVSS v3.1 score is 7.8 (high), reflecting that the attack vector is local (AV:L), requires low complexity (AC:L), privileges (PR:L), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). Exploiting this flaw could allow a local attacker with limited privileges to cause a denial of service via kernel crashes or potentially escalate privileges by executing arbitrary code in kernel space. The vulnerability affects multiple Linux kernel versions, including recent mainline releases, as indicated by the affected commit hashes. No public exploits are known at this time, but the presence of a use-after-free in kernel networking code is a serious concern given the potential for privilege escalation and system compromise. The patch details are not included in the provided information, but Linux kernel maintainers have resolved the issue in recent updates. This vulnerability is categorized under CWE-416 (Use After Free), a common and dangerous class of memory corruption bugs. The technical details confirm the vulnerability is published and enriched by CISA, highlighting its significance in the cybersecurity community.
Potential Impact
For European organizations, the impact of CVE-2024-50085 can be substantial, especially for those relying on Linux-based infrastructure, servers, and network appliances that utilize MPTCP. Since MPTCP is used to enhance network reliability and performance, particularly in data centers, cloud environments, and telecom infrastructure, exploitation could lead to kernel crashes causing service outages (availability impact). Furthermore, successful exploitation could allow local attackers to escalate privileges, potentially compromising the confidentiality and integrity of sensitive data and systems. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure that deploy Linux servers or network devices with MPTCP enabled are at higher risk. The vulnerability could be leveraged by malicious insiders or attackers who have gained limited access to systems to deepen their foothold or disrupt operations. Given the high CVSS score and the kernel-level impact, the threat could lead to significant operational disruption, data breaches, or lateral movement within networks. The lack of known exploits in the wild currently reduces immediate risk, but the vulnerability's nature and severity warrant prompt attention. European organizations with compliance obligations under GDPR and other regulations must consider the potential data protection implications of a kernel-level compromise. Additionally, the widespread use of Linux in European research institutions, cloud providers, and enterprises increases the attack surface.
Mitigation Recommendations
1. Immediate patching: Organizations should prioritize updating their Linux kernels to the latest versions where this vulnerability is fixed. Kernel updates from trusted Linux distributions (Debian, Ubuntu, Red Hat, SUSE, etc.) should be applied promptly. 2. Disable MPTCP if not required: If MPTCP functionality is not essential, disable it to reduce the attack surface. This can be done by disabling the MPTCP kernel module or configuring the kernel to not load MPTCP support. 3. Restrict local access: Since the vulnerability requires local privileges, tighten access controls to limit who can execute code or commands on Linux hosts. Use strong authentication, role-based access control, and monitoring to detect unauthorized access. 4. Kernel hardening: Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues early. Use security modules like SELinux or AppArmor to confine processes and reduce impact. 5. Monitor and audit: Implement monitoring for unusual kernel crashes or system instability that could indicate exploitation attempts. Audit logs for suspicious local activity around netlink communications related to MPTCP. 6. Vendor coordination: Coordinate with Linux distribution vendors and hardware providers to ensure timely receipt and deployment of patches. Subscribe to security advisories for rapid awareness. 7. Incident response readiness: Prepare incident response plans for potential kernel-level compromises, including forensic capabilities to analyze kernel dumps and memory. These steps go beyond generic advice by focusing on disabling unused features, restricting local access, and leveraging kernel hardening and monitoring specific to this vulnerability's characteristics.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-50085: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg net/socket.c:744 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7fe4579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 5387: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-50085 is a high-severity vulnerability affecting the Linux kernel's implementation of Multipath TCP (MPTCP), specifically within the path manager netlink interface. The flaw is a use-after-free (UaF) condition occurring in the function mptcp_pm_nl_rm_addr_or_subflow, which is responsible for removing addresses or subflows in the MPTCP path manager netlink code. This vulnerability was discovered and reported by the Syzkaller fuzzing tool, which triggered a kernel crash (splat) due to a slab-use-after-free error detected by Kernel Address Sanitizer (KASAN). The detailed kernel stack trace shows that the issue arises when the kernel attempts to read memory that has already been freed, leading to undefined behavior, potential kernel crashes, or arbitrary code execution in kernel context. MPTCP is an extension of TCP that allows multiple paths to be used simultaneously between two endpoints, improving redundancy and throughput. The vulnerability lies in the netlink interface used for managing MPTCP addresses and subflows, which is accessible to processes with certain privileges. The CVSS v3.1 score is 7.8 (high), reflecting that the attack vector is local (AV:L), requires low complexity (AC:L), privileges (PR:L), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). Exploiting this flaw could allow a local attacker with limited privileges to cause a denial of service via kernel crashes or potentially escalate privileges by executing arbitrary code in kernel space. The vulnerability affects multiple Linux kernel versions, including recent mainline releases, as indicated by the affected commit hashes. No public exploits are known at this time, but the presence of a use-after-free in kernel networking code is a serious concern given the potential for privilege escalation and system compromise. The patch details are not included in the provided information, but Linux kernel maintainers have resolved the issue in recent updates. This vulnerability is categorized under CWE-416 (Use After Free), a common and dangerous class of memory corruption bugs. The technical details confirm the vulnerability is published and enriched by CISA, highlighting its significance in the cybersecurity community.
Potential Impact
For European organizations, the impact of CVE-2024-50085 can be substantial, especially for those relying on Linux-based infrastructure, servers, and network appliances that utilize MPTCP. Since MPTCP is used to enhance network reliability and performance, particularly in data centers, cloud environments, and telecom infrastructure, exploitation could lead to kernel crashes causing service outages (availability impact). Furthermore, successful exploitation could allow local attackers to escalate privileges, potentially compromising the confidentiality and integrity of sensitive data and systems. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure that deploy Linux servers or network devices with MPTCP enabled are at higher risk. The vulnerability could be leveraged by malicious insiders or attackers who have gained limited access to systems to deepen their foothold or disrupt operations. Given the high CVSS score and the kernel-level impact, the threat could lead to significant operational disruption, data breaches, or lateral movement within networks. The lack of known exploits in the wild currently reduces immediate risk, but the vulnerability's nature and severity warrant prompt attention. European organizations with compliance obligations under GDPR and other regulations must consider the potential data protection implications of a kernel-level compromise. Additionally, the widespread use of Linux in European research institutions, cloud providers, and enterprises increases the attack surface.
Mitigation Recommendations
1. Immediate patching: Organizations should prioritize updating their Linux kernels to the latest versions where this vulnerability is fixed. Kernel updates from trusted Linux distributions (Debian, Ubuntu, Red Hat, SUSE, etc.) should be applied promptly. 2. Disable MPTCP if not required: If MPTCP functionality is not essential, disable it to reduce the attack surface. This can be done by disabling the MPTCP kernel module or configuring the kernel to not load MPTCP support. 3. Restrict local access: Since the vulnerability requires local privileges, tighten access controls to limit who can execute code or commands on Linux hosts. Use strong authentication, role-based access control, and monitoring to detect unauthorized access. 4. Kernel hardening: Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues early. Use security modules like SELinux or AppArmor to confine processes and reduce impact. 5. Monitor and audit: Implement monitoring for unusual kernel crashes or system instability that could indicate exploitation attempts. Audit logs for suspicious local activity around netlink communications related to MPTCP. 6. Vendor coordination: Coordinate with Linux distribution vendors and hardware providers to ensure timely receipt and deployment of patches. Subscribe to security advisories for rapid awareness. 7. Incident response readiness: Prepare incident response plans for potential kernel-level compromises, including forensic capabilities to analyze kernel dumps and memory. These steps go beyond generic advice by focusing on disabling unused features, restricting local access, and leveraging kernel hardening and monitoring specific to this vulnerability's characteristics.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-10-21T19:36:19.942Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9820c4522896dcbdcf35
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 2:12:18 PM
Last updated: 7/26/2025, 5:40:01 AM
Views: 13
Related Threats
CVE-2025-55159: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in tokio-rs slab
MediumCVE-2025-55161: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-25235: CWE-918 Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway
HighCVE-2025-55151: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-55150: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.