CVE-2024-53168: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0 Read of size 1 at addr ffff888111f322cd by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 Call Trace: <IRQ> dump_stack_lvl+0x68/0xa0 print_address_description.constprop.0+0x2c/0x3d0 print_report+0xb4/0x270 kasan_report+0xbd/0xf0 tcp_write_timer_handler+0x156/0x3e0 tcp_write_timer+0x66/0x170 call_timer_fn+0xfb/0x1d0 __run_timers+0x3f8/0x480 run_timer_softirq+0x9b/0x100 handle_softirqs+0x153/0x390 __irq_exit_rcu+0x103/0x120 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0x76/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242 RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d R10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000 R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0 default_idle_call+0x6b/0xa0 cpuidle_idle_call+0x1af/0x1f0 do_idle+0xbc/0x130 cpu_startup_entry+0x33/0x40 rest_init+0x11f/0x210 start_kernel+0x39a/0x420 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x97/0xa0 common_startup_64+0x13e/0x141 </TASK> Allocated by task 595: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x87/0x90 kmem_cache_alloc_noprof+0x12b/0x3f0 copy_net_ns+0x94/0x380 create_new_namespaces+0x24c/0x500 unshare_nsproxy_namespaces+0x75/0xf0 ksys_unshare+0x24e/0x4f0 __x64_sys_unshare+0x1f/0x30 do_syscall_64+0x70/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 100: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x54/0x70 kmem_cache_free+0x156/0x5d0 cleanup_net+0x5d3/0x670 process_one_work+0x776/0xa90 worker_thread+0x2e2/0x560 kthread+0x1a8/0x1f0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 Reproduction script: mkdir -p /mnt/nfsshare mkdir -p /mnt/nfs/netns_1 mkfs.ext4 /dev/sdb mount /dev/sdb /mnt/nfsshare systemctl restart nfs-server chmod 777 /mnt/nfsshare exportfs -i -o rw,no_root_squash *:/mnt/nfsshare ip netns add netns_1 ip link add name veth_1_peer type veth peer veth_1 ifconfig veth_1_peer 11.11.0.254 up ip link set veth_1 netns netns_1 ip netns exec netns_1 ifconfig veth_1 11.11.0.1 ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \ --tcp-flags FIN FIN -j DROP (note: In my environment, a DESTROY_CLIENTID operation is always sent immediately, breaking the nfs tcp connection.) ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \ 11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1 ip netns del netns_1 The reason here is that the tcp socket in netns_1 (nfs side) has been shutdown and closed (done in xs_destroy), but the FIN message (with ack) is discarded, and the nfsd side keeps sending retransmission messages. As a result, when the tcp sock in netns_1 processes the received message, it sends the message (FIN message) in the sending queue, and the tcp timer is re-established. When the network namespace is deleted, the net structure accessed by tcp's timer handler function causes problems. To fix this problem, let's hold netns refcnt for the tcp kernel socket as done in other modules. This is an ugly hack which can easily be backported to earlier kernels. A proper fix which cleans up the interfaces will follow, but may not be so easy to backport.
AI Analysis
Technical Summary
CVE-2024-53168 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's sunrpc subsystem, specifically related to the handling of TCP sockets within network namespaces. The vulnerability arises from improper management of the lifecycle of TCP sockets used by the sunrpc kernel module, which is heavily involved in NFS (Network File System) operations. The root cause is that when a network namespace is deleted, the TCP socket associated with the sunrpc subsystem may still have active timers (tcp_write_timer_handler) referencing freed memory structures, leading to a use-after-free condition. This occurs because the FIN message acknowledgment is discarded, causing retransmission attempts and re-establishment of TCP timers on a socket whose underlying network namespace context has been destroyed. The kernel's KASAN (Kernel Address Sanitizer) detected this as a slab-use-after-free error during tcp_write_timer_handler execution. The vulnerability can be triggered by manipulating network namespaces and NFS mounts, as demonstrated by the provided reproduction script which involves creating network namespaces, configuring virtual Ethernet pairs, mounting NFS shares, and deleting namespaces to trigger the condition. Exploitation requires local privileges with the ability to create and manipulate network namespaces and mount NFS shares, but no user interaction is needed once these privileges are obtained. The impact includes potential kernel crashes (denial of service), and given the high CVSS score (7.8) with high confidentiality, integrity, and availability impact, it could also lead to privilege escalation or arbitrary code execution in kernel context if exploited further. The fix involves holding a reference count on the network namespace for the TCP kernel socket to prevent premature freeing, although this is described as an interim 'ugly hack' pending a more thorough cleanup of interfaces. This vulnerability is relevant to Linux kernel versions around 6.12.0-rc4 and likely earlier versions due to the nature of the fix being backportable.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially to those relying on Linux servers for critical infrastructure, cloud services, and enterprise applications that utilize NFS and network namespaces. The ability to cause kernel crashes can lead to denial of service on critical systems, disrupting business operations and services. Moreover, the potential for privilege escalation or arbitrary code execution could allow attackers to gain root-level access, compromising confidentiality and integrity of sensitive data. Organizations running containerized environments or virtualized network setups using Linux namespaces are particularly at risk since the exploit involves namespace manipulation. Given the widespread use of Linux in European data centers, telecom infrastructure, and government systems, the impact could be broad. Additionally, disruption of NFS services can affect storage availability and data sharing across networks, impacting operational continuity. The vulnerability also raises concerns for cloud providers and managed service providers in Europe who offer Linux-based services, as exploitation could cascade to multiple tenants or customers.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates that include the fix for CVE-2024-53168 as soon as they become available. Monitor vendor advisories for backported patches in enterprise Linux distributions. 2. Restrict privileges: Limit the ability to create and manipulate network namespaces and mount NFS shares to trusted administrators only, reducing the attack surface. 3. Network namespace hygiene: Avoid unnecessary creation and deletion of network namespaces on production systems, and monitor namespace lifecycle events for anomalies. 4. Harden NFS configurations: Use secure NFS configurations, including restricting exports, disabling root squashing only when necessary, and monitoring NFS traffic for unusual retransmission patterns. 5. Kernel hardening: Employ kernel security modules (e.g., SELinux, AppArmor) to restrict kernel module interactions and limit potential exploitation paths. 6. Monitoring and detection: Implement monitoring for kernel crashes, KASAN reports, and unusual TCP retransmission or FIN message patterns that could indicate exploitation attempts. 7. Incident response readiness: Prepare for rapid response to kernel crashes or suspected exploitation by maintaining backups and failover capabilities for critical Linux systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2024-53168: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0 Read of size 1 at addr ffff888111f322cd by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 Call Trace: <IRQ> dump_stack_lvl+0x68/0xa0 print_address_description.constprop.0+0x2c/0x3d0 print_report+0xb4/0x270 kasan_report+0xbd/0xf0 tcp_write_timer_handler+0x156/0x3e0 tcp_write_timer+0x66/0x170 call_timer_fn+0xfb/0x1d0 __run_timers+0x3f8/0x480 run_timer_softirq+0x9b/0x100 handle_softirqs+0x153/0x390 __irq_exit_rcu+0x103/0x120 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0x76/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242 RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d R10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000 R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0 default_idle_call+0x6b/0xa0 cpuidle_idle_call+0x1af/0x1f0 do_idle+0xbc/0x130 cpu_startup_entry+0x33/0x40 rest_init+0x11f/0x210 start_kernel+0x39a/0x420 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x97/0xa0 common_startup_64+0x13e/0x141 </TASK> Allocated by task 595: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x87/0x90 kmem_cache_alloc_noprof+0x12b/0x3f0 copy_net_ns+0x94/0x380 create_new_namespaces+0x24c/0x500 unshare_nsproxy_namespaces+0x75/0xf0 ksys_unshare+0x24e/0x4f0 __x64_sys_unshare+0x1f/0x30 do_syscall_64+0x70/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 100: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x54/0x70 kmem_cache_free+0x156/0x5d0 cleanup_net+0x5d3/0x670 process_one_work+0x776/0xa90 worker_thread+0x2e2/0x560 kthread+0x1a8/0x1f0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 Reproduction script: mkdir -p /mnt/nfsshare mkdir -p /mnt/nfs/netns_1 mkfs.ext4 /dev/sdb mount /dev/sdb /mnt/nfsshare systemctl restart nfs-server chmod 777 /mnt/nfsshare exportfs -i -o rw,no_root_squash *:/mnt/nfsshare ip netns add netns_1 ip link add name veth_1_peer type veth peer veth_1 ifconfig veth_1_peer 11.11.0.254 up ip link set veth_1 netns netns_1 ip netns exec netns_1 ifconfig veth_1 11.11.0.1 ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \ --tcp-flags FIN FIN -j DROP (note: In my environment, a DESTROY_CLIENTID operation is always sent immediately, breaking the nfs tcp connection.) ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \ 11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1 ip netns del netns_1 The reason here is that the tcp socket in netns_1 (nfs side) has been shutdown and closed (done in xs_destroy), but the FIN message (with ack) is discarded, and the nfsd side keeps sending retransmission messages. As a result, when the tcp sock in netns_1 processes the received message, it sends the message (FIN message) in the sending queue, and the tcp timer is re-established. When the network namespace is deleted, the net structure accessed by tcp's timer handler function causes problems. To fix this problem, let's hold netns refcnt for the tcp kernel socket as done in other modules. This is an ugly hack which can easily be backported to earlier kernels. A proper fix which cleans up the interfaces will follow, but may not be so easy to backport.
AI-Powered Analysis
Technical Analysis
CVE-2024-53168 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's sunrpc subsystem, specifically related to the handling of TCP sockets within network namespaces. The vulnerability arises from improper management of the lifecycle of TCP sockets used by the sunrpc kernel module, which is heavily involved in NFS (Network File System) operations. The root cause is that when a network namespace is deleted, the TCP socket associated with the sunrpc subsystem may still have active timers (tcp_write_timer_handler) referencing freed memory structures, leading to a use-after-free condition. This occurs because the FIN message acknowledgment is discarded, causing retransmission attempts and re-establishment of TCP timers on a socket whose underlying network namespace context has been destroyed. The kernel's KASAN (Kernel Address Sanitizer) detected this as a slab-use-after-free error during tcp_write_timer_handler execution. The vulnerability can be triggered by manipulating network namespaces and NFS mounts, as demonstrated by the provided reproduction script which involves creating network namespaces, configuring virtual Ethernet pairs, mounting NFS shares, and deleting namespaces to trigger the condition. Exploitation requires local privileges with the ability to create and manipulate network namespaces and mount NFS shares, but no user interaction is needed once these privileges are obtained. The impact includes potential kernel crashes (denial of service), and given the high CVSS score (7.8) with high confidentiality, integrity, and availability impact, it could also lead to privilege escalation or arbitrary code execution in kernel context if exploited further. The fix involves holding a reference count on the network namespace for the TCP kernel socket to prevent premature freeing, although this is described as an interim 'ugly hack' pending a more thorough cleanup of interfaces. This vulnerability is relevant to Linux kernel versions around 6.12.0-rc4 and likely earlier versions due to the nature of the fix being backportable.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially to those relying on Linux servers for critical infrastructure, cloud services, and enterprise applications that utilize NFS and network namespaces. The ability to cause kernel crashes can lead to denial of service on critical systems, disrupting business operations and services. Moreover, the potential for privilege escalation or arbitrary code execution could allow attackers to gain root-level access, compromising confidentiality and integrity of sensitive data. Organizations running containerized environments or virtualized network setups using Linux namespaces are particularly at risk since the exploit involves namespace manipulation. Given the widespread use of Linux in European data centers, telecom infrastructure, and government systems, the impact could be broad. Additionally, disruption of NFS services can affect storage availability and data sharing across networks, impacting operational continuity. The vulnerability also raises concerns for cloud providers and managed service providers in Europe who offer Linux-based services, as exploitation could cascade to multiple tenants or customers.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates that include the fix for CVE-2024-53168 as soon as they become available. Monitor vendor advisories for backported patches in enterprise Linux distributions. 2. Restrict privileges: Limit the ability to create and manipulate network namespaces and mount NFS shares to trusted administrators only, reducing the attack surface. 3. Network namespace hygiene: Avoid unnecessary creation and deletion of network namespaces on production systems, and monitor namespace lifecycle events for anomalies. 4. Harden NFS configurations: Use secure NFS configurations, including restricting exports, disabling root squashing only when necessary, and monitoring NFS traffic for unusual retransmission patterns. 5. Kernel hardening: Employ kernel security modules (e.g., SELinux, AppArmor) to restrict kernel module interactions and limit potential exploitation paths. 6. Monitoring and detection: Implement monitoring for kernel crashes, KASAN reports, and unusual TCP retransmission or FIN message patterns that could indicate exploitation attempts. 7. Incident response readiness: Prepare for rapid response to kernel crashes or suspected exploitation by maintaining backups and failover capabilities for critical Linux systems.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-11-19T17:17:25.005Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9823c4522896dcbdedf9
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 7/2/2025, 10:42:34 PM
Last updated: 8/20/2025, 1:12:07 PM
Views: 23
Related Threats
CVE-2025-8678: CWE-918 Server-Side Request Forgery (SSRF) in johnbillion WP Crontrol
MediumCVE-2025-57699: Unquoted search path or element in Western Digital Corporation Western Digital Kitfox for Windows
MediumCVE-2025-8281: CWE-79 Cross-Site Scripting (XSS) in WP Talroo
HighCVE-2025-41452: CWE-15: External Control of System or Configuration Setting in Danfoss AK-SM8xxA Series
MediumCVE-2025-41451: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Danfoss AK-SM8xxA Series
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.