
CVE-2024-53139: Vulnerability in Linux Linux

High
Published: Wed Dec 04 2024 (12/04/2024, 14:20:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

sctp: fix possible UAF in sctp_v6_available()

A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints that sctp_v6_available() is calling dev_get_by_index_rcu() and ipv6_chk_addr() without holding rcu.

[1]
=============================
WARNING: suspicious RCU usage
6.12.0-rc5-virtme #1216 Tainted: G W
-----------------------------
net/core/dev.c:876 RCU-list traversed in non-reader section!!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by sctp_hello/31495:
 #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp

stack backtrace:
CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:123)
 lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
 dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7))
 sctp_v6_available (net/sctp/ipv6.c:701) sctp
 sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp
 sctp_bind (net/sctp/socket.c:320) sctp
 inet6_bind_sk (net/ipv6/af_inet6.c:465)
 ? security_socket_bind (security/security.c:4581 (discriminator 1))
 __sys_bind (net/socket.c:1848 net/socket.c:1869)
 ? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340)
 ? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13))
 __x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1))
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f59b934a1e7
Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48
All code
========
   0: 44 00 00                add %r8b,(%rax)
   3: 48 8b 15 39 8c 0c 00    mov 0xc8c39(%rip),%rdx # 0xc8c43
   a: f7 d8                   neg %eax
   c: 64 89 02                mov %eax,%fs:(%rdx)
   f: b8 ff ff ff ff          mov $0xffffffff,%eax
  14: eb bd                   jmp 0xffffffffffffffd3
  16: 66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
  1d: 00 00 00
  20: 0f 1f 00                nopl (%rax)
  23: b8 31 00 00 00          mov $0x31,%eax
  28: 0f 05                   syscall
  2a:* 48 3d 01 f0 ff ff      cmp $0xfffffffffffff001,%rax <-- trapping instruction
  30: 73 01                   jae 0x33
  32: c3                      ret
  33: 48 8b 0d 09 8c 0c 00    mov 0xc8c09(%rip),%rcx # 0xc8c43
  3a: f7 d8                   neg %eax
  3c: 64 89 01                mov %eax,%fs:(%rcx)
  3f: 48                      rex.W
Code starting with the faulting instruction
===========================================
   0: 48 3d 01 f0 ff ff       cmp $0xfffffffffffff001,%rax
   6: 73 01                   jae 0x9
   8: c3                      ret
   9: 48 8b 0d 09 8c 0c 00    mov 0xc8c09(%rip),%rcx # 0xc8c19
  10: f7 d8                   neg %eax
  12: 64 89 01                mov %eax,%fs:(%rcx)
  15: 48                      rex.W
RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7
RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005
RBP: 0000000000000005 R08: 1999999999999999 R09: 0000000000000000
R10: 00007f59b9253298 R11: 000000000000 ---truncated---

AI-Powered Analysis

Last updated: 07/02/2025, 22:40:33 UTC

Technical Analysis

CVE-2024-53139 is a high-severity vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation, specifically in the sctp_v6_available() function. It is a use-after-free (UAF), classified as CWE-416, caused by incorrect use of the kernel's Read-Copy-Update (RCU) synchronization: sctp_v6_available() calls dev_get_by_index_rcu() and ipv6_chk_addr() without holding the RCU read lock, so it traverses RCU-protected lists outside a reader section. Without that read lock nothing prevents a concurrent writer from freeing a network device or address entry while the lookup is still using it, so the kernel can access freed memory, which may lead to memory corruption, a kernel crash, or arbitrary code execution in kernel context. The vulnerability affects the Linux kernel versions identified by the commit hashes in the CVE record and was publicly disclosed on December 4, 2024. The CVSS v3.1 base score is 7.8 (High): attack vector Local, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The lockdep warning and kernel stack trace in the description confirm the unsafe RCU usage and show the context in which it occurs, namely SCTP socket bind operations involving IPv6 addresses (sctp_bind() -> sctp_do_bind() -> sctp_v6_available() -> dev_get_by_index_rcu()). No exploits are currently reported in the wild, but the kernel-level impact makes this a serious concern for systems that rely on SCTP. SCTP is used in telecommunications signalling and other specialized network applications, so affected systems are likely to include servers and network appliances running vulnerable Linux kernels with SCTP enabled.

Potential Impact

For European organizations, this vulnerability poses significant risks, especially for those operating critical infrastructure, telecommunications equipment, or specialized network services that use SCTP on Linux. Exploitation could allow local attackers or compromised low-privilege processes to escalate privileges to kernel level, leading to full system compromise, data breaches, or denial of service through kernel panics. Confidentiality is at risk from unauthorized access to kernel memory, integrity from possible arbitrary code execution, and availability from system crashes. Given the widespread use of Linux in European data centers, cloud environments, and telecom infrastructure, the vulnerability could affect a broad range of sectors, including finance, healthcare, government, and industrial control systems. The requirement for local access limits remote exploitation, but insider threats or attackers with an initial foothold could use this flaw to deepen their control. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept or weaponized exploits may emerge.

Mitigation Recommendations

European organizations should prioritize updating Linux kernels to versions in which this vulnerability is patched. Since the vulnerability involves SCTP over IPv6, organizations should audit their use of SCTP sockets and consider disabling SCTP support (for example by not loading the sctp module) where it is not required. For systems where SCTP is essential, applying vendor-provided kernel patches promptly is critical. Additionally, enforcing strict access controls to limit local user privileges reduces the risk of exploitation, since the flaw is reachable only from a local bind() call. Kernel hardening such as Kernel Address Space Layout Randomization (KASLR) and Control Flow Integrity (CFI) raises the cost of turning a UAF into code execution, and enabling CONFIG_PROVE_RCU_LIST on development and test kernels lets lockdep report RCU-list traversals outside a reader section the first time they happen, so similar bugs are caught before release; it is a debugging aid, not a runtime protection. Monitoring kernel logs for "suspicious RCU usage" warnings or crashes in the SCTP and IPv6 code paths can provide early indicators; note that lockdep warnings are only emitted by kernels built with lockdep, so on production kernels the observable symptom is more likely an oops or panic with SCTP frames in the trace. Finally, incorporating this vulnerability into vulnerability management and incident response plans ensures timely detection and remediation.
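The log-monitoring recommendation above can be automated. The following is an added example, not code from the CVE record, the kernel tree, or the analysis vendor: it parses kernel log text in dmesg format, isolates each lockdep "suspicious RCU usage" report, and keeps only those whose call trace passes through SCTP functions or files under net/sctp/. The sample log is constructed; its first report mirrors the lockdep output quoted in the description, and the second is an unrelated RCU warning with placeholder paths (drivers/example/example.c) included only to show that it is filtered out. It assumes the monitored kernel has lockdep (and, for this bug class, CONFIG_PROVE_RCU_LIST) enabled; a kernel without it never emits these lines.

```python
"""Flag lockdep 'suspicious RCU usage' reports whose backtrace goes through SCTP.

Added example (not from the CVE record or the Linux kernel tree).  Parses
dmesg-style text, builds one RcuReport per lockdep RCU warning, and keeps the
reports whose call trace contains SCTP frames.  Assumes a lockdep-enabled kernel.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?")                 # "[ 1203.118220] "
WHERE_RE = re.compile(r"^[\w/.-]+\.[chS]:\d+\s")               # "net/core/dev.c:876 ..."
HOLDER_RE = re.compile(r"locks? held by (\S+)/(\d+):")        # "1 lock held by comm/pid:"
FRAME_RE = re.compile(r"^\s*\??\s*([A-Za-z_][\w.]*)\s+\(([^:)]+):(\d+)")  # "func (path:line"

# Constructed sample log.  First report mirrors the CVE description's lockdep
# output; the second uses placeholder paths and exists only to be filtered out.
SAMPLE_DMESG = """\
[ 1203.118220] WARNING: suspicious RCU usage
[ 1203.118224] 6.12.0-rc5-virtme #1216 Tainted: G        W
[ 1203.118229] net/core/dev.c:876 RCU-list traversed in non-reader section!!
[ 1203.118238] 1 lock held by sctp_hello/31495:
[ 1203.118253] Call Trace:
[ 1203.118255]  <TASK>
[ 1203.118258]  dump_stack_lvl (lib/dump_stack.c:123)
[ 1203.118262]  lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
[ 1203.118266]  dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7))
[ 1203.118270]  sctp_v6_available (net/sctp/ipv6.c:701) sctp
[ 1203.118274]  sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp
[ 1203.118278]  sctp_bind (net/sctp/socket.c:320) sctp
[ 1203.118282]  __sys_bind (net/socket.c:1848 net/socket.c:1869)
[ 1203.118286]  </TASK>
[ 1310.000001] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[ 1400.500010] WARNING: suspicious RCU usage
[ 1400.500020] 6.12.0-rc5-virtme #1216 Not tainted
[ 1400.500040] drivers/example/example.c:42 suspicious rcu_dereference_check() usage!
[ 1400.500060] Call Trace:
[ 1400.500070]  <TASK>
[ 1400.500080]  dump_stack_lvl (lib/dump_stack.c:123)
[ 1400.500090]  lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
[ 1400.500100]  example_driver_poll (drivers/example/example.c:42)
[ 1400.500110]  </TASK>
"""

Frame = namedtuple("Frame", "func path line")   # one call-trace entry

@dataclass
class RcuReport:
    timestamp: str
    where: str = ""                 # "file:line message" line of the report
    comm: str = ""                  # task holding a lock, if lockdep printed one
    pid: int = 0
    frames: list = field(default_factory=list)

    def touches_sctp(self) -> bool:
        """True when any frame is an SCTP function or lives under net/sctp/."""
        return any(f.func.startswith("sctp_") or f.path.startswith("net/sctp/")
                   for f in self.frames)

def parse_rcu_reports(log: str) -> list:
    """Split dmesg-style text into one RcuReport per lockdep RCU warning."""
    reports, cur, in_trace = [], None, False
    for raw in log.splitlines():
        m = TS_RE.match(raw)
        ts, body = (m.group(1), raw[m.end():]) if m else ("", raw)
        if "WARNING: suspicious RCU usage" in body:
            cur, in_trace = RcuReport(timestamp=ts), False
            reports.append(cur)
        elif cur is None:
            continue                                  # noise between reports
        elif in_trace:
            if body.strip() == "</TASK>":             # end of this report's trace
                cur, in_trace = None, False
            elif (f := FRAME_RE.match(body)):
                cur.frames.append(Frame(f.group(1), f.group(2), int(f.group(3))))
        elif body.strip() == "Call Trace:":
            in_trace = True
        else:
            if not cur.where and WHERE_RE.match(body):
                cur.where = body.strip()
            if (h := HOLDER_RE.search(body)):
                cur.comm, cur.pid = h.group(1), int(h.group(2))
    return reports

def find_sctp_rcu_reports(log: str) -> list:
    """Only the RCU reports whose backtrace goes through the SCTP stack."""
    return [r for r in parse_rcu_reports(log) if r.touches_sctp()]

def summarize(report: RcuReport) -> str:
    """One-line alert: drop the lockdep/dump_stack frames, keep the real call chain."""
    chain = " <- ".join(f.func for f in report.frames
                        if not f.func.startswith(("dump_stack", "lockdep_")))
    site = report.where.split()[0] if report.where else "?"
    return f"[{report.timestamp}] RCU misuse at {site} in {report.comm or '?'}/{report.pid}: {chain}"

if __name__ == "__main__":
    for r in find_sctp_rcu_reports(SAMPLE_DMESG):
        print(summarize(r))
```

On a real host the same functions can be fed the output of `dmesg` or the journal's kernel messages; the filter keys on function-name prefixes and source paths rather than on the exact CVE-specific trace, so it also surfaces other SCTP RCU misuse caught by lockdep.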


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-11-19T17:17:24.997Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9823c4522896dcbded11

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 7/2/2025, 10:40:33 PM

Last updated: 8/14/2025, 6:44:02 AM

