
CVE-2024-50154: Vulnerability in Linux (Linux kernel)

Severity: High
Tags: Vulnerability, CVE-2024-50154
Published: Thu Nov 07 2024 (11/07/2024, 09:31:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().

"""
We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it.
"""

The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window.

Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending.

If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires.

The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default.

The scenario would be

1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed
2. reqsk timer is executed and scheduled again
3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets
4. sk is close()d
5. reqsk timer is executed again, and BPF touches req->sk

Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop().

Note that reqsk timer is pinned, so the issue does not happen in most use cases.

[0]
BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0

Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
 bpf_sk_storage_get_tracing+0x2e/0x1b0
 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
 bpf_trace_run2+0x4c/0xc0
 tcp_rtx_synack+0xf9/0x100
 reqsk_timer_handler+0xda/0x3d0
 run_timer_softirq+0x292/0x8a0
 irq_exit_rcu+0xf5/0x320
 sysvec_apic_timer_interrupt+0x6d/0x80
 asm_sysvec_apic_timer_interrupt+0x16/0x20
 intel_idle_irq+0x5a/0xa0
 cpuidle_enter_state+0x94/0x273
 cpu_startup_entry+0x15e/0x260
 start_secondary+0x8a/0x90
 secondary_startup_64_no_verify+0xfa/0xfb

kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6

allocated by task 0 on cpu 9 at 260507.901592s:
 sk_prot_alloc+0x35/0x140
 sk_clone_lock+0x1f/0x3f0
 inet_csk_clone_lock+0x15/0x160
 tcp_create_openreq_child+0x1f/0x410
 tcp_v6_syn_recv_sock+0x1da/0x700
 tcp_check_req+0x1fb/0x510
 tcp_v6_rcv+0x98b/0x1420
 ipv6_list_rcv+0x2258/0x26e0
 napi_complete_done+0x5b1/0x2990
 mlx5e_napi_poll+0x2ae/0x8d0
 net_rx_action+0x13e/0x590
 irq_exit_rcu+0xf5/0x320
 common_interrupt+0x80/0x90
 asm_common_interrupt+0x22/0x40
 cpuidle_enter_state+0xfb/0x273
 cpu_startup_entry+0x15e/0x260
 start_secondary+0x8a/0x90
 secondary_startup_64_no_verify+0xfa/0xfb

freed by task 0 on cpu 9 at 260507.927527s:
 rcu_core_si+0x4ff/0xf10
 irq_exit_rcu+0xf5/0x320
 sysvec_apic_timer_interrupt+0x6d/0x80
 asm_sysvec_apic_timer_interrupt+0x16/0x20
 cpuidle_enter_state+0xfb/0x273
 cpu_startup_entry+0x15e/0x260
 start_secondary+0x8a/0x90
 secondary_startup_64_no_verify+0xfa/0xfb

AI-Powered Analysis

AI last updated: 07/03/2025, 14:12:52 UTC

Technical Analysis

CVE-2024-50154 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's TCP/DCCP networking stack, specifically in how reqsk_queue_unlink() handles the request-socket (reqsk) timer. The root cause is the timer_pending() check that commit 83fccfc3940c added to reqsk_queue_unlink() so that del_timer_sync() would not be called from within reqsk_timer_handler() (which would deadlock). That check opened a race: before a timer callback runs, expire_timers() detaches the timer and marks it as not pending, so a timer_pending() check that lands just after the detach returns false, del_timer_sync() is skipped, and the reqsk timer keeps running and retransmitting SYN+ACK until it expires (63 seconds by default).

The UAF occurs when the child socket (req->sk) is closed before that timer expires. In sequence: inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop() but misses del_timer_sync(); the reqsk timer fires and reschedules itself; the socket is accept()ed and reqsk_put() drops one reference, but the timer still holds another and inet_csk_accept() does not clear req->sk for non-TFO sockets; the socket is then close()d; and when the timer fires again, a BPF program attached to trace_tcp_retransmit_synack that reads req->sk via bpf_sk_storage_get_tracing() dereferences freed memory. The race window is narrow, and because the reqsk timer is pinned the condition does not occur in most use cases, but the window exists. Exploitation could lead to arbitrary kernel memory access, potentially allowing privilege escalation, denial of service, or information disclosure. The CVSS 3.1 score is 7.8 (high): local access, low complexity, privileges required, no user interaction, and impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported. Affected kernels are those that contain commit 83fccfc3940c without the subsequent fix; patching is required.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially to those running Linux-based infrastructure, including servers, network appliances, and cloud environments. It could be exploited by a local attacker or a malicious process with limited privileges to cause kernel memory corruption, leading to privilege escalation or system crashes. This can disrupt critical services, compromise sensitive data, or allow attackers to gain persistent control over affected systems. Given the widespread use of Linux in European data centers, telecommunications, financial institutions, and government agencies, the impact could be broad. Systems running custom or older kernels that have not yet integrated the fix are particularly exposed. The use of BPF programs in observability or security tooling could inadvertently increase exposure, since the reported trigger is a BPF program attached to the SYN+ACK retransmit tracepoint. Additionally, denial-of-service attacks exploiting this flaw could affect the availability of critical infrastructure. The exploitation complexity is low for privileged users, making insider threats or compromised accounts a concern. Overall, the vulnerability threatens the confidentiality, integrity, and availability of Linux-based systems across Europe.

Mitigation Recommendations

1. Immediate patching: Apply the official Linux kernel patches that remove the use of timer_pending() in reqsk_queue_unlink() and fix the race condition as described. Monitor kernel mailing lists and vendor advisories for updated stable kernel releases containing the fix.
2. Kernel version management: Maintain an inventory of Linux kernel versions in use and prioritize upgrades or backported patches for affected versions.
3. Restrict local access: Limit local user privileges to prevent untrusted users from loading or attaching BPF programs or triggering the vulnerable code paths.
4. Harden BPF usage: Audit and control BPF program deployment, especially programs attached to TCP retransmit tracing, to reduce the attack surface.
5. Monitor for anomalies: Implement kernel-level monitoring and logging to detect unusual timer behavior or repeated SYN+ACK retransmissions that could indicate exploitation attempts.
6. Use security modules: Employ Linux Security Modules (e.g., SELinux, AppArmor) to confine processes and reduce the impact of potential exploitation.
7. Incident response readiness: Prepare to respond to potential exploitation incidents with forensic capabilities to analyze kernel memory and logs.
8. Vendor coordination: Work with Linux distribution vendors for timely patch availability and guidance.
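Recommendation 5 above asks for detection of repeated SYN+ACK retransmissions. The following is an added example (not code from the CVE record, the kernel, or any vendor) of what that check looks like in practice. It parses a few constructed tcpdump-style lines and flags two signals: a SYN+ACK retransmitted after the peer's ACK already completed the handshake (the symptom the description attributes to a reqsk timer that was never cancelled), and more SYN+ACKs for one request than the normal retry series allows. The retry bound assumes the kernel default of tcp_synack_retries = 5, whose 1+2+4+8+16+32 second backoff adds up to the 63-second expiry quoted in the description; the log format, addresses and timestamps are all constructed for the example.

```python
"""Flag request sockets whose SYN+ACK keeps being retransmitted abnormally.

Added example for CVE-2024-50154 monitoring; not part of the CVE record.
Input lines are constructed in a tcpdump-like shape; they are not real captures.
"""
import re
from collections import defaultdict

# Constructed sample capture, in arrival order (the detector is order-sensitive).
#  - 192.0.2.10 never answers: a full, normal series of 6 SYN+ACKs over 63 s.
#  - 192.0.2.11 ACKs the handshake, yet another SYN+ACK follows: suspicious.
#  - 192.0.2.12 gets only 2 SYN+ACKs: nothing to flag.
#  - 192.0.2.13 gets 7 SYN+ACKs, one more than the default series allows.
SAMPLE_LINES = """\
10:00:00.000 IP 10.0.0.5.443 > 192.0.2.10.51000: Flags [S.], seq 1000, ack 2001
10:00:01.000 IP 10.0.0.5.443 > 192.0.2.10.51000: Flags [S.], seq 1000, ack 2001
10:00:03.000 IP 10.0.0.5.443 > 192.0.2.10.51000: Flags [S.], seq 1000, ack 2001
10:00:07.000 IP 10.0.0.5.443 > 192.0.2.10.51000: Flags [S.], seq 1000, ack 2001
10:00:15.000 IP 10.0.0.5.443 > 192.0.2.10.51000: Flags [S.], seq 1000, ack 2001
10:00:31.000 IP 10.0.0.5.443 > 192.0.2.10.51000: Flags [S.], seq 1000, ack 2001
10:00:00.500 IP 10.0.0.5.443 > 192.0.2.11.51001: Flags [S.], seq 3000, ack 4001
10:00:00.700 IP 192.0.2.11.51001 > 10.0.0.5.443: Flags [.], ack 3001
10:00:01.500 IP 10.0.0.5.443 > 192.0.2.11.51001: Flags [S.], seq 3000, ack 4001
10:00:02.000 IP 10.0.0.5.443 > 192.0.2.12.51002: Flags [S.], seq 5000, ack 6001
10:00:03.000 IP 10.0.0.5.443 > 192.0.2.12.51002: Flags [S.], seq 5000, ack 6001
10:00:04.000 IP 10.0.0.5.443 > 192.0.2.13.51003: Flags [S.], seq 7000, ack 8001
10:00:05.000 IP 10.0.0.5.443 > 192.0.2.13.51003: Flags [S.], seq 7000, ack 8001
10:00:07.000 IP 10.0.0.5.443 > 192.0.2.13.51003: Flags [S.], seq 7000, ack 8001
10:00:11.000 IP 10.0.0.5.443 > 192.0.2.13.51003: Flags [S.], seq 7000, ack 8001
10:00:19.000 IP 10.0.0.5.443 > 192.0.2.13.51003: Flags [S.], seq 7000, ack 8001
10:00:35.000 IP 10.0.0.5.443 > 192.0.2.13.51003: Flags [S.], seq 7000, ack 8001
10:01:07.000 IP 10.0.0.5.443 > 192.0.2.13.51003: Flags [S.], seq 7000, ack 8001
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Return the parsed fields of one line, or None if it is not a TCP summary."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, synack_retries=5):
    """Return {(server, sport, client, cport): {...}} for suspicious requests.

    synack_retries mirrors net.ipv4.tcp_synack_retries (kernel default 5), so a
    healthy unanswered request shows at most synack_retries + 1 SYN+ACKs.
    """
    synacks = defaultdict(int)    # server->client 4-tuple -> SYN+ACKs seen
    after_ack = defaultdict(int)  # same key -> SYN+ACKs seen after the client ACKed
    acked = set()                 # 4-tuples whose handshake the client completed
    for raw in lines.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        flags = rec["flags"]
        if flags == "S.":
            key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
            synacks[key] += 1
            if key in acked:
                after_ack[key] += 1
        elif "." in flags and "S" not in flags:
            # ACK-bearing, non-SYN segment from the client: handshake completed.
            # Key it from the server's point of view to match the SYN+ACK key.
            acked.add((rec["dst"], rec["dport"], rec["src"], rec["sport"]))
    findings = {}
    for key, count in synacks.items():
        if count > synack_retries + 1 or after_ack[key] > 0:
            findings[key] = {"synacks": count, "after_ack": after_ack[key]}
    return findings


if __name__ == "__main__":
    for key, info in analyse(SAMPLE_LINES).items():
        server, sport, client, cport = key
        print(f"{server}:{sport} -> {client}:{cport}: {info['synacks']} SYN+ACKs, "
              f"{info['after_ack']} after handshake completion")
```

Only the two abnormal requests are reported; the client that never answers is left alone even though it received six SYN+ACKs, because that is the normal retry series. On a real host, feed the script `tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'`-style output plus the client ACKs, and set synack_retries from the host's `net.ipv4.tcp_synack_retries` rather than the default.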


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.960Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdcf49

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 7/3/2025, 2:12:52 PM

Last updated: 8/16/2025, 12:31:03 PM

Views: 15
