CVE-2024-56635: Use-after-free vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential UAF in default_operstate()

syzbot reported a UAF in default_operstate() [1]

Issue is a race between device and netns dismantles.

After calling __rtnl_unlock() from netdev_run_todo(), we cannot assume the netns of each device is still alive.

Make sure the device is not in NETREG_UNREGISTERED state, and add an ASSERT_RTNL() before the call to __dev_get_by_index().

We might move this ASSERT_RTNL() in __dev_get_by_index() in the future.

[1]
BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852
Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339

CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 __dev_get_by_index+0x5d/0x110 net/core/dev.c:852
 default_operstate net/core/link_watch.c:51 [inline]
 rfc2863_policy+0x224/0x300 net/core/link_watch.c:67
 linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170
 netdev_run_todo+0x461/0x1000 net/core/dev.c:10894
 rtnl_unlock net/core/rtnetlink.c:152 [inline]
 rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]
 rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520
 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541
 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:726
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
 ___sys_sendmsg net/socket.c:2637 [inline]
 __sys_sendmsg+0x269/0x350 net/socket.c:2669
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2a3cb80809
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008
RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8
 </TASK>

Allocated by task 5339:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kmalloc_array_noprof include/linux/slab.h:945 [inline]
 netdev_create_hash net/core/dev.c:11870 [inline]
 netdev_init+0x10c/0x250 net/core/dev.c:11890
 ops_init+0x31e/0x590 net/core/net_namespace.c:138
 setup_net+0x287/0x9e0 net/core/net_namespace.c:362
 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500
 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
 ksys_unshare+0x57d/0xa70 kernel/fork.c:3314
 __do_sys_unshare kernel/fork.c:3385 [inline]
 __se_sys_unshare kernel/fork.c:3383 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x8
---truncated---
AI Analysis
Technical Summary
CVE-2024-56635 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's networking subsystem, specifically in the default_operstate() function of the link watch code. The root cause is a race between the dismantling of a network device and the dismantling of its network namespace (netns). Once __rtnl_unlock() has been called from netdev_run_todo(), the kernel can no longer assume that the netns of each device on the todo list is still alive, so default_operstate() may run for a device that is already in the NETREG_UNREGISTERED state; its lookup through __dev_get_by_index() then reads the per-namespace device index hash table that was freed together with the netns, which is the use-after-free. The vulnerability was found by syzbot, the kernel fuzzing infrastructure, which detected a KASAN (Kernel Address Sanitizer) slab-use-after-free in __dev_get_by_index(); the freed object had been allocated by netdev_create_hash() during namespace setup. The issue manifests as an invalid read of freed memory, potentially leading to kernel crashes, memory corruption, or privilege escalation. The vulnerability affects Linux kernel version 6.12.0 and likely other versions with similar network stack implementations. The CVSS 3.1 score is 7.8 (high), reflecting a local attack vector, low attack complexity, required privileges, no user interaction, and impact on confidentiality, integrity, and availability. The fix adds a check that the device is not in the NETREG_UNREGISTERED state before its netns is dereferenced, and an ASSERT_RTNL() before the call to __dev_get_by_index() to enforce the locking requirement under which the lookup is safe. This vulnerability falls under CWE-416 (Use After Free), a common and dangerous class of memory corruption bugs in kernel code.
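The following is an added example, not the kernel's own code or a patch from this page: a user-space C model of the race described above and of the two checks the fix adds. The struct layouts, dev_get_by_index_model(), run_race() and the alive flag are constructed stand-ins; the model counts reads of freed memory at the point where KASAN would report them.

```c
/* Added example, not the kernel's code: a user-space model of the
 * CVE-2024-56635 race and of the fix the commit message describes.
 * Kernel names are mirrored (net_device, reg_state, NETREG_UNREGISTERED,
 * __dev_get_by_index); every structure below is a constructed stand-in. */
#include <stdlib.h>

enum { NETREG_REGISTERED, NETREG_UNREGISTERING, NETREG_UNREGISTERED };

struct net_device;
struct net {                             /* stand-in for a network namespace */
    struct net_device **dev_index_hash;  /* netdev_init() allocates, netns exit frees */
    int alive;                           /* 0 once the netns is dismantled */
};
struct net_device {
    struct net *nd_net;                  /* what dev_net(dev) returns */
    int ifindex, reg_state;
};

static int uaf_reads;  /* reads of freed memory, i.e. what KASAN would report */

/* Stand-in for __dev_get_by_index(): looks the device up in its netns hash. */
static struct net_device *dev_get_by_index_model(struct net *net, int ifindex)
{
    if (!net->alive) { uaf_reads++; return NULL; }  /* KASAN fires here */
    return net->dev_index_hash[ifindex];
}

/* Vulnerable shape: follows dev_net(dev) even for a dismantled device. */
static int default_operstate_vuln(struct net_device *dev)
{
    return dev_get_by_index_model(dev->nd_net, dev->ifindex) != NULL;
}

/* Fixed shape: ASSERT_RTNL() (modelled as a flag) and a bail-out for
 * devices in NETREG_UNREGISTERED state, whose netns may already be gone. */
static int default_operstate_fixed(struct net_device *dev, int rtnl_held)
{
    if (!rtnl_held) abort();                          /* ASSERT_RTNL() */
    if (dev->reg_state == NETREG_UNREGISTERED) return 0;
    return dev_get_by_index_model(dev->nd_net, dev->ifindex) != NULL;
}

/* Replays the race: device and then netns are dismantled after __rtnl_unlock(),
 * then linkwatch handles the stale device. Returns the freed-memory read count. */
static int run_race(int use_fix)
{
    struct net ns = { calloc(4, sizeof(struct net_device *)), 1 };
    struct net_device dev = { &ns, 1, NETREG_REGISTERED };
    ns.dev_index_hash[1] = &dev;
    dev.reg_state = NETREG_UNREGISTERED;              /* device dismantle */
    free(ns.dev_index_hash); ns.alive = 0;            /* netns dismantle */
    uaf_reads = 0;
    if (use_fix) default_operstate_fixed(&dev, 1); else default_operstate_vuln(&dev);
    return uaf_reads;
}
```

run_race(0) reproduces one freed-memory read on the vulnerable path; run_race(1) returns 0 because the reg_state check stops the lookup before the dead netns is touched.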
Potential Impact
For European organizations, this vulnerability poses a significant risk due to the widespread use of Linux in servers, cloud infrastructure, network appliances, and embedded systems. Exploitation could allow a local attacker with limited privileges to escalate to kernel-level privileges, leading to full system compromise. This can result in unauthorized data access, disruption of critical services, and potential lateral movement within networks. Given the kernel networking component is affected, network-facing services and infrastructure devices running vulnerable Linux kernels are at risk. The impact extends to confidentiality, integrity, and availability of systems, potentially affecting sensitive data and critical operations. Organizations relying on Linux-based virtualization, container orchestration, or network function virtualization could see amplified risks. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk, especially as exploit code may be developed rapidly given the public disclosure. The vulnerability's exploitation requires local access, so initial compromise or insider threat scenarios are relevant. However, in multi-tenant or shared environments common in European data centers, the risk of privilege escalation is particularly concerning.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that address CVE-2024-56635 is critical. Monitor kernel vendor advisories and update to patched kernel versions promptly.
2. For organizations unable to upgrade immediately, consider deploying kernel live patching solutions if supported by their Linux distribution.
3. Restrict local access to systems running vulnerable kernels by enforcing strict access controls, including limiting SSH access and using multi-factor authentication.
4. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), SELinux/AppArmor policies, and seccomp filters to reduce exploitation likelihood.
5. Monitor system logs and kernel crash reports for signs of exploitation attempts or unusual network device behavior.
6. In virtualized or containerized environments, isolate workloads and minimize privileges to reduce the attack surface.
7. Conduct regular vulnerability scanning and penetration testing focusing on kernel vulnerabilities and privilege escalation paths.
8. Educate system administrators about the risks of kernel vulnerabilities and the importance of timely patching.
9. For critical infrastructure, consider implementing intrusion detection systems capable of detecting anomalous kernel-level activities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.838Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 7/2/2025, 9:58:01 PM
Last updated: 8/4/2025, 1:03:37 PM