CVE-2024-50304: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

The per-netns IP tunnel hash table is protected by the RTNL mutex and ip_tunnel_find() is only called from the control path where the mutex is taken.

Add a lockdep expression to hlist_for_each_entry_rcu() in ip_tunnel_find() in order to validate that the mutex is held and to silence the suspicious RCU usage warning [1].

[1]
    WARNING: suspicious RCU usage
    6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted
    -----------------------------
    net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!!

    other info that might help us debug this:

    rcu_scheduler_active = 2, debug_locks = 1
    1 lock held by ip/362:
     #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60

    stack backtrace:
    CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    Call Trace:
     <TASK>
     dump_stack_lvl+0xba/0x110
     lockdep_rcu_suspicious.cold+0x4f/0xd6
     ip_tunnel_find+0x435/0x4d0
     ip_tunnel_newlink+0x517/0x7a0
     ipgre_newlink+0x14c/0x170
     __rtnl_newlink+0x1173/0x19c0
     rtnl_newlink+0x6c/0xa0
     rtnetlink_rcv_msg+0x3cc/0xf60
     netlink_rcv_skb+0x171/0x450
     netlink_unicast+0x539/0x7f0
     netlink_sendmsg+0x8c1/0xd80
     ____sys_sendmsg+0x8f9/0xc20
     ___sys_sendmsg+0x197/0x1e0
     __sys_sendmsg+0x122/0x1f0
     do_syscall_64+0xbb/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
AI Analysis
Technical Summary
CVE-2024-50304 addresses a vulnerability in the Linux kernel's IPv4 tunneling implementation, specifically within the ip_tunnel_find() function. This function is responsible for locating IP tunnels in the per-network namespace IP tunnel hash table, which is protected by the RTNL (routing netlink) mutex to ensure thread safety. The vulnerability stems from improper use of Read-Copy-Update (RCU) synchronization primitives, which are designed to allow concurrent reads without locking. The kernel reported a suspicious RCU usage warning indicating that the RCU list was traversed outside of a proper RCU read-side critical section. This improper synchronization could lead to race conditions or inconsistent state observations when accessing the IP tunnel hash table. The fix involved adding a lockdep expression to the hlist_for_each_entry_rcu() macro call within ip_tunnel_find() to validate that the RTNL mutex is held during traversal, thereby silencing the warning and ensuring correct synchronization. The issue was identified in Linux kernel version 6.12.0-rc3-custom and affects multiple versions as indicated by the commit hashes. Although no known exploits are currently reported in the wild, the vulnerability highlights a potential risk in kernel networking code that could be leveraged to cause kernel instability or data corruption in network tunneling operations. The vulnerability does not appear to allow direct privilege escalation or remote code execution but could impact kernel reliability and network functionality under certain conditions.
Potential Impact
For European organizations, this vulnerability could affect any systems running vulnerable Linux kernel versions that utilize IP tunneling features, such as GRE or IP-in-IP tunnels, commonly used in VPNs, cloud infrastructure, and network virtualization. Potential impacts include kernel crashes or inconsistent network behavior, which could disrupt critical network services, leading to denial of service conditions. Organizations relying on Linux-based network appliances, cloud servers, or container hosts may experience degraded network performance or outages. While the vulnerability does not currently have known exploits, the complexity of kernel synchronization bugs means that sophisticated attackers or accidental misconfigurations could trigger instability. This is particularly relevant for sectors with high dependence on Linux infrastructure, such as telecommunications, finance, and government agencies in Europe. The vulnerability could also complicate incident response and forensic analysis if kernel state corruption occurs. Overall, the impact is primarily on availability and integrity of network tunneling functions rather than confidentiality.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, specifically kernels released after the fix in 6.12.0-rc3 or corresponding stable releases. System administrators should audit their use of IP tunneling features and consider temporarily disabling unused tunnel interfaces to reduce attack surface. For environments where immediate patching is not feasible, monitoring kernel logs for suspicious RCU warnings or network stack errors can help detect attempts to exploit this issue. Additionally, organizations should implement strict access controls to limit who can configure network tunnels, as the vulnerability is triggered in the control path protected by the RTNL mutex, which requires privileged access. Employing kernel hardening techniques such as lockdown modes or mandatory access controls (e.g., SELinux, AppArmor) can further reduce risk. Finally, maintaining comprehensive backups and incident response plans will help mitigate potential disruptions caused by kernel instability.
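For the log-monitoring recommendation above, the following added example (not part of the original advisory or of the kernel project) parses "suspicious RCU usage" reports out of kernel log text and reports the source location, the first frame outside lockdep's own reporting path, and whether rtnl_mutex was held. The sample log is constructed from the splat in the description, and the names parse_rcu_splats and triage are hypothetical. These reports are only emitted by kernels built with lockdep RCU checking (CONFIG_PROVE_RCU), so their absence on a production kernel says nothing about whether the code path was reached.

```python
import re

# Constructed dmesg excerpt modelled on the splat in the description (timestamps invented).
SAMPLE_LOG = """\
[   42.100] WARNING: suspicious RCU usage
[   42.101] net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!!
[   42.102]  #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60
[   42.103] Call Trace:
[   42.104]  <TASK>
[   42.105]  dump_stack_lvl+0xba/0x110
[   42.106]  lockdep_rcu_suspicious.cold+0x4f/0xd6
[   42.107]  ip_tunnel_find+0x435/0x4d0
[   42.108] eth0: link becomes ready
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")                  # dmesg timestamp
LOC = re.compile(r"^(\S+\.[ch]):(\d+) (.+)$")            # file:line reason
LOCK = re.compile(r"^#\d+: [0-9a-f]+ \(([^)]+)\)")       # held-lock entry
FRAME = re.compile(r"^(?:\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
REPORTING = ("dump_stack", "lockdep_rcu_suspicious")     # lockdep's own frames


def parse_rcu_splats(log):
    """Return one dict per 'suspicious RCU usage' report found in log."""
    splats, cur, in_trace = [], None, False
    for raw in log.splitlines():
        line = TS.sub("", raw).strip()
        if line == "WARNING: suspicious RCU usage":
            cur, in_trace = dict(source=None, reason=None, locks=[], frames=[]), False
            splats.append(cur)
        elif cur is None:
            continue
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            if m := FRAME.match(line):
                cur["frames"].append(m.group(1))
            elif line not in ("<TASK>", "</TASK>"):
                cur = None  # first non-frame line ends the report
        elif m := LOC.match(line):
            cur["source"], cur["reason"] = f"{m[1]}:{m[2]}", m[3]
        elif m := LOCK.match(line):
            cur["locks"].append(m.group(1))
    return splats


def triage(s):
    """Name the first frame outside lockdep's reporting path; note if RTNL was held."""
    culprit = next((f for f in s["frames"] if not f.startswith(REPORTING)), None)
    return dict(culprit=culprit, source=s["source"], rtnl_held="rtnl_mutex" in s["locks"])
```

A report whose culprit is ip_tunnel_find with rtnl_held true matches the situation the description gives: the list was traversed with the RTNL mutex held but outside an RCU read-side section.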
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.987Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdf79a
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 1:57:25 PM
Last updated: 7/26/2025, 12:28:12 PM