CVE-2024-53160: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu

KCSAN reports a data race when accessing the krcp->monitor_work.timer.expires variable in the schedule_delayed_monitor_work() function:

<snip>
BUG: KCSAN: data-race in __mod_timer / kvfree_call_rcu

read to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1:
 schedule_delayed_monitor_work kernel/rcu/tree.c:3520 [inline]
 kvfree_call_rcu+0x3b8/0x510 kernel/rcu/tree.c:3839
 trie_update_elem+0x47c/0x620 kernel/bpf/lpm_trie.c:441
 bpf_map_update_value+0x324/0x350 kernel/bpf/syscall.c:203
 generic_map_update_batch+0x401/0x520 kernel/bpf/syscall.c:1849
 bpf_map_do_batch+0x28c/0x3f0 kernel/bpf/syscall.c:5143
 __sys_bpf+0x2e5/0x7a0
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5739
 x64_sys_call+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

write to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0:
 __mod_timer+0x578/0x7f0 kernel/time/timer.c:1173
 add_timer_global+0x51/0x70 kernel/time/timer.c:1330
 __queue_delayed_work+0x127/0x1a0 kernel/workqueue.c:2523
 queue_delayed_work_on+0xdf/0x190 kernel/workqueue.c:2552
 queue_delayed_work include/linux/workqueue.h:677 [inline]
 schedule_delayed_monitor_work kernel/rcu/tree.c:3525 [inline]
 kfree_rcu_monitor+0x5e8/0x660 kernel/rcu/tree.c:3643
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310
 worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391
 kthread+0x1d1/0x210 kernel/kthread.c:389
 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound kfree_rcu_monitor
<snip>

kfree_rcu_monitor() rearms the work if a "krcp" has to be still offloaded and this is done without holding krcp->lock, whereas the kvfree_call_rcu() holds it.

Fix it by acquiring the "krcp->lock" for kfree_rcu_monitor() so both functions do not race anymore.
AI Analysis
Technical Summary
CVE-2024-53160 is a concurrency vulnerability identified in the Linux kernel's Read-Copy-Update (RCU) subsystem, specifically within the kvfree_call_rcu and __mod_timer functions. The issue arises from a data race condition involving the access and modification of the krcp->monitor_work.timer.expires variable. Kernel Concurrency Sanitizer (KCSAN) detected simultaneous read and write operations on this timer variable without proper synchronization, leading to undefined behavior. The root cause is that the kfree_rcu_monitor() function re-arms the work item without acquiring the krcp->lock, while kvfree_call_rcu() does hold this lock, resulting in a race condition. This vulnerability affects the Linux kernel version 6.12.0-rc2 and likely other versions with similar code paths. Exploitation could cause kernel instability, data corruption, or crashes due to unsynchronized timer modifications in the kernel's RCU mechanism, which is critical for managing deferred freeing of memory and synchronization in concurrent environments. The fix involves ensuring that kfree_rcu_monitor() acquires the krcp->lock before modifying shared data, eliminating the race condition. This vulnerability is particularly relevant to systems heavily utilizing BPF (Berkeley Packet Filter) and kernel workqueues, as indicated by the stack traces involving bpf_map_update_value and workqueue processing functions.
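The check-then-act window described above, as an added example that is neither kernel code nor part of the original page: a single-threaded model that replays the three possible orderings of the enqueue path against the monitor's re-arm. The struct, function names, delay constants and the split of the re-arm into a pending write followed by an expires write are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#define NOW          1000L  /* constructed fake jiffies value */
#define DRAIN_DELAY  5000L  /* assumed normal drain delay */
#define URGENT_DELAY 1L     /* assumed delay once many objects are queued */

/* Only the two fields the race touches; expires stands in for timer.expires. */
struct krc_model { bool pending; long expires; };

/* Enqueue path (always under the lock): check-then-act on expires. */
static void enqueue_schedule(struct krc_model *k)
{
    if (!k->pending) {                            /* nothing queued: arm it */
        k->pending = true;
        k->expires = NOW + URGENT_DELAY;
    } else if (URGENT_DELAY < k->expires - NOW) { /* the read KCSAN flagged */
        k->expires = NOW + URGENT_DELAY;          /* pull the timer in */
    }
}

/* Final delay for one ordering. enq_at: 0 = enqueue runs before the monitor
 * re-arms, 1 = between the monitor's two writes, 2 = after the re-arm. */
static long final_delay(int enq_at, bool monitor_takes_lock)
{
    struct krc_model k = { false, NOW - 10 };   /* expiry left from last run */
    if (monitor_takes_lock && enq_at == 1)
        enq_at = 2;                 /* enqueue blocks until the monitor unlocks */
    if (enq_at == 0) enqueue_schedule(&k);
    bool won = !k.pending;          /* monitor step 1: test-and-set pending */
    k.pending = true;
    if (enq_at == 1) enqueue_schedule(&k);      /* pending set, expires stale */
    if (won) k.expires = NOW + DRAIN_DELAY;     /* monitor step 2: write expires */
    if (enq_at == 2) enqueue_schedule(&k);
    return k.expires - NOW;
}

/* Longest delay the urgent request can end with, over all three orderings. */
static long worst_delay(bool monitor_takes_lock)
{
    long worst = 0;
    for (int at = 0; at <= 2; at++)
        if (final_delay(at, monitor_takes_lock) > worst)
            worst = final_delay(at, monitor_takes_lock);
    return worst;
}

int main(void)
{
    printf("no lock: %ld, lock: %ld\n", worst_delay(false), worst_delay(true));
    return 0;
}
```

In the model, the unlocked ordering lets the enqueue path compare against a stale expiry and skip its update, so the urgent request ends up on the long drain delay; with the monitor holding the lock, every ordering ends on the short delay.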
Potential Impact
For European organizations, the impact of CVE-2024-53160 can be significant, especially for those relying on Linux-based infrastructure in critical environments such as cloud services, telecommunications, financial services, and industrial control systems. The vulnerability could lead to kernel panics or unpredictable behavior, causing service disruptions or downtime. In multi-tenant cloud environments prevalent in Europe, such instability could affect multiple customers simultaneously. Although no known exploits are reported in the wild, the vulnerability's presence in the kernel's core concurrency mechanisms means that sophisticated attackers or accidental triggers could cause denial of service or potentially facilitate privilege escalation if combined with other vulnerabilities. Organizations running custom or older kernel versions without the fix are at higher risk. The reliance on BPF for network filtering and monitoring in many European data centers further elevates the threat, as the vulnerability is triggered during BPF map updates and timer scheduling. This could impact network security appliances, monitoring tools, and container orchestration platforms that depend on BPF.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-53160. Since the fix involves acquiring the krcp->lock in kfree_rcu_monitor(), applying the official kernel updates from trusted Linux distributors (e.g., Debian, Ubuntu, Red Hat, SUSE) is the most effective mitigation. For environments where immediate patching is not feasible, organizations should audit and limit the use of untrusted BPF programs and restrict access to BPF syscalls to trusted users only, reducing the attack surface. Additionally, monitoring kernel logs for unusual workqueue or BPF-related errors can help detect attempts to trigger the race condition. Employing kernel concurrency sanitizers in testing environments can proactively identify similar issues. Finally, organizations should ensure robust backup and recovery procedures to minimize downtime in case of kernel crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-11-19T17:17:25.002Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED
Threat ID: 682d9823c4522896dcbdedaa
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 10:24:55 AM
Last updated: 8/18/2025, 12:15:14 AM