CVE-2024-53119: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

virtio/vsock: Fix accept_queue memory leak

As the final stages of socket destruction may be delayed, it is possible that virtio_transport_recv_listen() will be called after the accept_queue has been flushed, but before the SOCK_DONE flag has been set. As a result, sockets enqueued after the flush would remain unremoved, leading to a memory leak.

    vsock_release
      __vsock_release
        lock
        virtio_transport_release
          virtio_transport_close
            schedule_delayed_work(close_work)
        sk_shutdown = SHUTDOWN_MASK
    (!) flush accept_queue
        release
                                            virtio_transport_recv_pkt
                                              vsock_find_bound_socket
                                              lock
                                              if flag(SOCK_DONE) return
                                              virtio_transport_recv_listen
                                                child = vsock_create_connected
                                          (!)   vsock_enqueue_accept(child)
                                              release
    close_work
      lock
      virtio_transport_do_close
        set_flag(SOCK_DONE)
        virtio_transport_remove_sock
          vsock_remove_sock
            vsock_remove_bound
      release

Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during socket destruction.

    unreferenced object 0xffff888109e3f800 (size 2040):
      comm "kworker/5:2", pid 371, jiffies 4294940105
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
      backtrace (crc 9e5f4e84):
        [<ffffffff81418ff1>] kmem_cache_alloc_noprof+0x2c1/0x360
        [<ffffffff81d27aa0>] sk_prot_alloc+0x30/0x120
        [<ffffffff81d2b54c>] sk_alloc+0x2c/0x4b0
        [<ffffffff81fe049a>] __vsock_create.constprop.0+0x2a/0x310
        [<ffffffff81fe6d6c>] virtio_transport_recv_pkt+0x4dc/0x9a0
        [<ffffffff81fe745d>] vsock_loopback_work+0xfd/0x140
        [<ffffffff810fc6ac>] process_one_work+0x20c/0x570
        [<ffffffff810fce3f>] worker_thread+0x1bf/0x3a0
        [<ffffffff811070dd>] kthread+0xdd/0x110
        [<ffffffff81044fdd>] ret_from_fork+0x2d/0x50
        [<ffffffff8100785a>] ret_from_fork_asm+0x1a/0x30
AI Analysis
Technical Summary
CVE-2024-53119 is a vulnerability identified in the Linux kernel's virtio/vsock subsystem, which is responsible for facilitating communication between virtual machines and the host via virtual sockets. The flaw arises from a memory management issue during the socket destruction process. Specifically, the accept_queue, which holds sockets waiting to be accepted, is flushed before the SOCK_DONE flag is set. This timing gap allows virtio_transport_recv_listen() to enqueue new sockets after the queue has been cleared but before the socket is fully marked as done. Consequently, these sockets remain in the queue without proper removal, leading to a memory leak. The vulnerability is rooted in the asynchronous nature of socket teardown, where delayed finalization steps cause race conditions in queue management. The patch introduces a check on the sk_shutdown flag to prevent vsock_enqueue_accept() from adding sockets during the destruction phase, thereby eliminating the leak. The commit message includes the call sequence of the race, with the two critical points marked (!), and a kmemleak report whose backtrace shows the leaked socket being allocated under virtio_transport_recv_pkt(). This issue affects multiple Linux kernel versions as indicated by the affected commit hashes, and while no known exploits are reported in the wild, the vulnerability could degrade system stability and resource availability over time if exploited.
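The teardown ordering described above can be replayed in a small user-space model. This is an added example, not kernel code and not the upstream patch: the struct layout, the function names model_recv_listen and leaked_after_teardown, the guard parameter and the SHUTDOWN_MASK value are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define SHUTDOWN_MASK 3              /* model constant: both directions shut down */
struct child { struct child *next; };
struct listener {
    int sk_shutdown;                 /* set by the release path */
    bool sock_done;                  /* models SOCK_DONE, set later by close_work */
    struct child *accept_queue;
};

static int flush_accept_queue(struct listener *l)   /* returns children freed */
{
    int n = 0;
    for (struct child *c; (c = l->accept_queue) != NULL; n++) {
        l->accept_queue = c->next;
        free(c);
    }
    return n;
}

/* Connection request on the listener; returns true if a child was enqueued. */
static bool model_recv_listen(struct listener *l, bool guard)
{
    if (l->sock_done) return false;                       /* pre-existing check */
    if (guard && l->sk_shutdown == SHUTDOWN_MASK) return false;  /* added check */
    struct child *c = calloc(1, sizeof(*c));
    if (!c) return false;
    c->next = l->accept_queue;
    l->accept_queue = c;
    return true;
}

/* Replays release -> late request -> close_work; returns children left queued. */
int leaked_after_teardown(bool guard)
{
    struct listener l = {0};
    l.sk_shutdown = SHUTDOWN_MASK;   /* release marks shutdown ... */
    flush_accept_queue(&l);          /* ... and flushes exactly once */
    model_recv_listen(&l, guard);    /* request lands inside the window */
    l.sock_done = true;              /* close_work runs; no second flush */
    return flush_accept_queue(&l);   /* model cleanup doubles as the count */
}

int main(void)
{
    printf("%d %d\n", leaked_after_teardown(false), leaked_after_teardown(true));
    return 0;
}
```

The first number printed is the count of children stranded when only the SOCK_DONE check exists, the second the count when the sk_shutdown check is also applied.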
Potential Impact
For European organizations, the impact of CVE-2024-53119 primarily concerns systems running Linux kernels with the vulnerable virtio/vsock implementation, especially those utilizing virtualization heavily, such as cloud service providers, data centers, and enterprises relying on virtual machines for critical workloads. The memory leak could lead to gradual resource exhaustion, causing degraded performance or potential denial of service conditions on hosts managing multiple virtual socket connections. This can affect the availability and reliability of services, particularly in environments with high VM density or frequent socket creation and destruction. While the vulnerability does not directly expose confidentiality or integrity risks, the indirect impact on availability can disrupt business operations, cloud services, and virtualized infrastructure management. Given the widespread use of Linux in European IT infrastructure, including public sector, finance, telecommunications, and manufacturing, the vulnerability poses a moderate operational risk if left unpatched. The absence of known exploits reduces immediate threat levels but does not eliminate the risk of future exploitation or accidental system instability.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel versions to include the patch that introduces the sk_shutdown check preventing socket enqueue during destruction. Specifically, kernel maintainers and system administrators should track the latest stable kernel releases or backported patches addressing CVE-2024-53119. For environments where immediate patching is challenging, monitoring system memory usage and socket queue lengths related to virtio/vsock can help detect abnormal resource consumption indicative of the leak. Additionally, organizations should audit virtualization configurations to minimize unnecessary socket creation and destruction cycles, potentially reducing exposure. Employing kernel live patching solutions where available can mitigate downtime during updates. Finally, integrating this vulnerability into vulnerability management and patching workflows ensures timely remediation aligned with organizational risk tolerance.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-11-19T17:17:24.994Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd018
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 10:24:31 PM
Last updated: 7/26/2025, 5:00:07 AM