CVE-2024-53091: Vulnerability in the Linux kernel

Severity: High
Published: Thu Nov 21 2024 (11/21/2024, 18:17:08 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx

With the introduction of support for vsock and unix sockets in sockmap, tls_sw_has_ctx_tx/rx cannot presume that the socket passed in must be IS_ICSK. vsock and af_unix sockets have vsock_sock and unix_sock instead of inet_connection_sock. For these sockets, tls_get_ctx may return an invalid pointer and cause a page fault in function tls_sw_ctx_rx.

BUG: unable to handle page fault for address: 0000000000040030
Workqueue: vsock-loopback vsock_loopback_work
RIP: 0010:sk_psock_strp_data_ready+0x23/0x60
Call Trace:
 ? __die+0x81/0xc3
 ? no_context+0x194/0x350
 ? do_page_fault+0x30/0x110
 ? async_page_fault+0x3e/0x50
 ? sk_psock_strp_data_ready+0x23/0x60
 virtio_transport_recv_pkt+0x750/0x800
 ? update_load_avg+0x7e/0x620
 vsock_loopback_work+0xd0/0x100
 process_one_work+0x1a7/0x360
 worker_thread+0x30/0x390
 ? create_worker+0x1a0/0x1a0
 kthread+0x112/0x130
 ? __kthread_cancel_work+0x40/0x40
 ret_from_fork+0x1f/0x40

v2:
- Add IS_ICSK check
v3:
- Update the commits in Fixes

AI-Powered Analysis

Last updated: 06/28/2025, 14:54:40 UTC

Technical Analysis

CVE-2024-53091 is a vulnerability in the Linux kernel's BPF sockmap integration with kernel TLS (kTLS), specifically in the software TLS context helpers tls_sw_has_ctx_tx and tls_sw_has_ctx_rx. These helpers assumed that any socket passed to them is an inet socket carrying the IS_ICSK flag, i.e. one backed by an inet_connection_sock. With the introduction of support for vsock (virtual sockets) and AF_UNIX sockets in sockmap, that assumption no longer holds: vsock and AF_UNIX sockets are backed by vsock_sock and unix_sock respectively, not by inet_connection_sock.

When tls_get_ctx is called on one of these sockets, it reads what it takes to be the TLS context pointer from a structure that does not contain one and may return an invalid pointer, which is then dereferenced in tls_sw_ctx_rx. The result is a kernel page fault and BUG, as shown in the stack trace above: the fault surfaces in sk_psock_strp_data_ready while the vsock loopback workqueue processes a received packet, and the kernel panics.

The fix adds explicit sk_is_inet and IS_ICSK checks before the TLS context is looked up, so the helpers return false for unsupported socket types instead of dereferencing invalid memory. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems that combine vsock or AF_UNIX sockets with BPF sockmap and kTLS. No exploits are known in the wild at this time, and no CVSS score has been assigned yet.
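To make the failure mode concrete, here is an added user-space model (not kernel code, and not from the Linux project): it contrasts the unchecked cast the old tls_sw_has_ctx_tx/rx relied on with the sk_is_inet/IS_ICSK gate the fix adds. The struct layouts, the AF_* values, the is_icsk flag and the 0x40030 CID are constructed assumptions; the real kernel types are not reproduced.

```c
/* Added example, not kernel code: a user-space model of why tls_sw_has_ctx_tx/rx
 * must check sk_is_inet() and IS_ICSK before trusting tls_get_ctx(). Layouts,
 * field names and flag values are simplified assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum { AF_INET_M = 2, AF_VSOCK_M = 40 };        /* constructed family values */
struct sock { int family; bool is_icsk; };      /* common socket header */
struct inet_connection_sock { struct sock sk; void *icsk_ulp_data; }; /* kTLS ctx */
struct vsock_sock { struct sock sk; uint64_t remote_cid; };          /* no ULP */

/* Deliberate overlap: a vsock_sock cast to inet_connection_sock reads its CID
 * bytes back as a "context pointer", like the bogus address in the oops above. */
_Static_assert(offsetof(struct inet_connection_sock, icsk_ulp_data) ==
               offsetof(struct vsock_sock, remote_cid), "modelled overlap");
union sock_storage { struct inet_connection_sock icsk; struct vsock_sock vsk; };

static bool sk_is_inet(const struct sock *sk) { return sk->family == AF_INET_M; }

/* Vulnerable pattern: every sock is assumed to be an inet_connection_sock. */
static void *tls_get_ctx_unchecked(const struct sock *sk)
{
    return ((const struct inet_connection_sock *)sk)->icsk_ulp_data;
}

/* Fixed pattern: bail out for non-inet / non-ICSK sockets before reading ULP data. */
static bool tls_sw_has_ctx_checked(const struct sock *sk)
{
    if (!sk_is_inet(sk) || !sk->is_icsk)
        return false;
    return tls_get_ctx_unchecked(sk) != NULL;
}

/* Constructed vsock sample; the CID mirrors the faulting address in the oops. */
static const union sock_storage vsock_sample = { .vsk = { { AF_VSOCK_M, false }, 0x40030 } };

/* Garbage "pointer" the unchecked path would go on to dereference: 0x40030. */
uintptr_t unchecked_ctx_on_vsock(void) { return (uintptr_t)tls_get_ctx_unchecked(&vsock_sample.vsk.sk); }
/* The fixed path refuses the vsock before touching ULP data. */
bool checked_has_ctx_on_vsock(void) { return tls_sw_has_ctx_checked(&vsock_sample.vsk.sk); }

/* Sanity check: a real inet/ICSK socket is still recognised when it has a context. */
bool checked_has_ctx_on_inet(bool with_ctx)
{
    static int ctx;                              /* stand-in for a tls_context */
    union sock_storage s = { .icsk = { { AF_INET_M, true }, with_ctx ? &ctx : NULL } };
    return tls_sw_has_ctx_checked(&s.icsk.sk);
}
```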

Potential Impact

For European organizations, the impact of CVE-2024-53091 is primarily a potential denial of service (DoS) on Linux systems running vulnerable kernel versions that use BPF sockmap together with kTLS and vsock or AF_UNIX sockets. Such systems can suffer kernel panics and crashes due to the page fault, leading to service interruptions. This is particularly critical for infrastructure relying on containerization, virtualization, or cloud-native applications where vsock is used for communication between host and guest or between containers. The vulnerability could disrupt critical services, affecting availability and operational continuity.

While there is no indication of privilege escalation or remote code execution, the kernel crash could be triggered by local or potentially remote processes interacting with the affected socket types, increasing the attack surface. European organizations with a high reliance on Linux-based servers, especially in financial services, telecommunications, cloud providers, and critical infrastructure, may face operational risk if unpatched. The lack of known exploits reduces the immediate threat but does not eliminate the risk of future exploitation once the vulnerability becomes widely known.

Mitigation Recommendations

Organizations should promptly apply the official Linux kernel patches that add the sk_is_inet and IS_ICSK socket type checks to the tls_sw_has_ctx_tx/rx functions. Upgrading to a fixed kernel version is the most effective mitigation. Where immediate patching is not feasible, administrators should audit and limit the use of vsock and AF_UNIX sockets in conjunction with BPF sockmap and kTLS, as this combination is what exposes the vulnerable code path. Monitoring kernel logs (dmesg or the journal) for "BUG: unable to handle page fault" messages whose call trace includes sk_psock_strp_data_ready can help detect both accidental and deliberate triggers of the issue. Additionally, strict access controls and sandboxing for processes that interact with these socket types can reduce the risk of exploitation. Organizations should also maintain robust backup and recovery procedures to minimize downtime in case of crashes. Finally, keeping threat intelligence feeds up to date and subscribing to Linux kernel security advisories will support timely detection of and response to any emerging exploits.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-11-19T17:17:24.981Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf96d

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 2:54:40 PM

Last updated: 7/22/2025, 2:07:25 AM
