
CVE-2024-50203: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Fri Nov 08 2024 (11/08/2024, 06:07:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix address emission with tag-based KASAN enabled When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image struct on the stack is passed during the size calculation pass and an address on the heap is passed during code generation. This may cause a heap buffer overflow if the heap address is tagged because emit_a64_mov_i64() will emit longer code than it did during the size calculation pass. The same problem could occur without tag-based KASAN if one of the 16-bit words of the stack address happened to be all-ones during the size calculation pass. Fix the problem by assuming the worst case (4 instructions) when calculating the size of the bpf_tramp_image address emission.

AI-Powered Analysis

Last updated: 07/04/2025, 02:54:35 UTC

Technical Analysis

CVE-2024-50203 is a heap buffer overflow in the Linux kernel's arm64 BPF JIT, in the code that generates BPF trampolines. The JIT builds a trampoline in two passes: a size-calculation pass with no output buffer, which only counts the instructions it would emit, and a code-generation pass that writes into a heap image allocated to exactly the size computed in the first pass. When the trampoline is built with BPF_TRAMP_F_CALL_ORIG it must load the address of the bpf_tramp_image struct into a register. In the size pass that address is the address of a temporary bpf_tramp_image on the kernel stack; in the generation pass it is the address of the real image on the heap. The helper emit_a64_mov_i64() materialises a 64-bit constant with a MOVZ or MOVN followed by one MOVK for each 16-bit halfword that the opening instruction does not already yield (all-zero halfwords for MOVZ, all-ones halfwords for MOVN), so it emits between one and four instructions depending on the value. With tag-based KASAN the heap address carries a tag in its top byte, so its top halfword is neither 0x0000 nor 0xffff and costs an instruction that the untagged stack address did not; the generation pass therefore emits more code than was sized and writes past the end of the heap image by the difference in instruction count. The same mismatch can occur without KASAN if one of the 16-bit halfwords of the stack address happens to be all-ones, because the size pass then undercounts by one instruction relative to the heap address. The fix stops emitting for the stack address in the size pass and instead reserves the worst case of four instructions for the bpf_tramp_image address. The CVE record identifies the affected and fixed kernels by git commit hash rather than by version number, so distributions and integrators must map those hashes onto their own builds. No exploits are known in the wild and no CVSS score has been assigned.
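To make the size-versus-generation mismatch concrete, the following is an added, self-contained C model of the two-pass JIT. It is not kernel code and does not produce real instruction encodings: mov_i64_insn_count() reproduces only the halfword-skipping instruction count of the MOVZ/MOVN + MOVK strategy that emit_a64_mov_i64() uses, jit_overflows() runs a size pass and a generation pass over a toy trampoline and reports whether the second pass wrote past the image, and the sample addresses and the KASAN tag byte are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Number of 16-bit halfwords of v equal to pat (0x0000 or 0xffff). */
static int halfwords_equal(uint64_t v, uint16_t pat)
{
	int n = 0;
	for (int shift = 0; shift < 64; shift += 16)
		if (((v >> shift) & 0xffff) == pat)
			n++;
	return n;
}

/* Instruction count of the MOVZ/MOVN + MOVK sequence for a 64-bit constant,
 * following the strategy of the arm64 JIT's emit_a64_mov_i64(): open with
 * MOVZ (zero halfwords dominate) or MOVN (0xffff halfwords dominate) and skip
 * every halfword that opening instruction already yields, giving 1..4.
 * Constants below 2^32 take a shorter kernel path not modelled here; kernel
 * addresses never do. */
static int mov_i64_insn_count(uint64_t v)
{
	int zeros = halfwords_equal(v, 0x0000);
	int ones = halfwords_equal(v, 0xffff);
	int n = 4 - (zeros > ones ? zeros : ones);
	return n ? n : 1;
}

struct jit_ctx {
	uint32_t *image; /* NULL during the size-calculation pass */
	size_t idx;      /* instructions emitted (or counted) so far */
	size_t cap;      /* capacity of image, in instructions */
	bool overflow;   /* a write would have passed the end of image */
};

/* Emit one instruction, or only count it when there is no image yet. */
static void emit(struct jit_ctx *ctx, uint32_t insn)
{
	if (ctx->image) {
		if (ctx->idx < ctx->cap)
			ctx->image[ctx->idx] = insn;
		else
			ctx->overflow = true; /* the heap overflow, made visible */
	}
	ctx->idx++;
}

/* Encodings are placeholders; only the instruction count matters here. */
static void emit_mov_i64(struct jit_ctx *ctx, uint64_t v)
{
	for (int i = 0, n = mov_i64_insn_count(v); i < n; i++)
		emit(ctx, 0xd2800000u); /* MOVZ/MOVN/MOVK */
}

/* Minimal CALL_ORIG-style trampoline: load the image address, call a helper,
 * return. fixed == false emits the address in both passes (the bug);
 * fixed == true reserves the worst case of 4 instructions in the size pass. */
static void build_trampoline(struct jit_ctx *ctx, uint64_t im_addr, bool fixed)
{
	if (fixed && !ctx->image)
		ctx->idx += 4;
	else
		emit_mov_i64(ctx, im_addr);
	emit(ctx, 0x94000000u); /* BL helper */
	emit(ctx, 0xd65f03c0u); /* RET */
}

/* The JIT's two passes: size the image with the address the size pass sees,
 * allocate exactly that much, generate with the real address. Returns true
 * if the generation pass wrote past the end of the image. */
static bool jit_overflows(uint64_t size_pass_addr, uint64_t real_addr, bool fixed)
{
	struct jit_ctx size_ctx = { 0 }, gen_ctx = { 0 };
	build_trampoline(&size_ctx, size_pass_addr, fixed);
	gen_ctx.cap = size_ctx.idx;
	gen_ctx.image = calloc(gen_ctx.cap, sizeof(*gen_ctx.image));
	if (!gen_ctx.image)
		return false;
	build_trampoline(&gen_ctx, real_addr, fixed);
	free(gen_ctx.image);
	return gen_ctx.overflow;
}

/* Constructed sample addresses for illustration, not taken from any system. */
#define STACK_ADDR       0xffff800088d1f3c0ULL /* one 0xffff halfword: 3 insns */
#define STACK_ADDR_ONES  0xffff8000ffff1234ULL /* two 0xffff halfwords: 2 insns */
#define HEAP_ADDR        0xffff000188d1f3c0ULL /* untagged: 3 insns */
#define HEAP_ADDR_TAGGED 0xf4ff000188d1f3c0ULL /* KASAN tag 0xf4 on top: 4 insns */

int main(void)
{
	printf("tagged heap, buggy sizing: overflow=%d\n",
	       jit_overflows(STACK_ADDR, HEAP_ADDR_TAGGED, false));
	printf("tagged heap, worst-case fix: overflow=%d\n",
	       jit_overflows(STACK_ADDR, HEAP_ADDR_TAGGED, true));
	return 0;
}
```

The untagged stack address and the tagged heap address differ by one instruction (3 versus 4), which is exactly what the buggy sizing fails to account for; the second case in the table of sample addresses, a stack address with an all-ones halfword against an untagged heap address, shows the KASAN-independent variant from the description. Reserving four instructions in the size pass makes the image large enough for any 64-bit address.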

Potential Impact

For European organizations, this vulnerability matters mainly on arm64 Linux systems whose kernels are built with tag-based KASAN (CONFIG_KASAN_SW_TAGS or CONFIG_KASAN_HW_TAGS) and that attach BPF programs through trampolines; without KASAN the overflow can still occur, but only when a 16-bit halfword of the stack address used in the size pass happens to be all-ones. The overflow happens inside the kernel while it JITs a trampoline, so the trigger is the attachment of a BPF tracing program (fentry/fexit/fmod_ret), an operation that already requires elevated privileges (CAP_BPF together with CAP_PERFMON, or CAP_SYS_ADMIN). The realistic consequences are kernel memory corruption and crashes, i.e. denial of service, on affected builds; turning the out-of-bounds write into code execution would require an attacker who already holds the privilege to load tracing BPF programs, which limits its value for privilege escalation. BPF is widely used for network filtering, tracing and security monitoring, so infrastructure providers, cloud services, telecom operators and embedded device manufacturers running arm64 Linux are the population most likely to encounter it, above all where debug or CI kernels with KASAN enabled are deployed. The absence of known exploits and the privileged trigger reduce immediate risk. Availability impact is the main concern; integrity and confidentiality are at stake only if the corruption is weaponised, and then only by a principal who is already highly privileged.

Mitigation Recommendations

European organizations should apply the upstream fix (the change that makes the size pass assume four instructions for the bpf_tramp_image address) or the corresponding stable and distribution kernel updates, mapping the commit hashes in the CVE record onto their own kernel builds to confirm whether a given arm64 kernel is affected. Systems running arm64 kernels with tag-based KASAN should be identified (check for CONFIG_KASAN_SW_TAGS or CONFIG_KASAN_HW_TAGS in /boot/config-$(uname -r) or /proc/config.gz); KASAN is a debugging aid that should not normally be built into production kernels, and replacing such kernels removes the deterministic trigger. Note that BPF_TRAMP_F_CALL_ORIG is an internal flag of the JIT and cannot be disabled by administrators; what can be controlled is who may attach BPF tracing programs, so CAP_BPF, CAP_PERFMON and CAP_SYS_ADMIN should be restricted to the tooling that needs them. Monitoring kernel logs for KASAN reports and oopses that occur while BPF programs are being attached gives an early indication that the bug is being hit. Finally, keeping kernels current and subscribing to Linux kernel security advisories will help ensure timely responses to emerging threats.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.969Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdcf79

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 7/4/2025, 2:54:35 AM

Last updated: 7/26/2025, 1:07:10 AM

