CVE-2024-56642: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

syzkaller reported a use-after-free of UDP kernel socket in cleanup_bearer() without repro. [0][1]

When bearer_disable() calls tipc_udp_disable(), cleanup of the UDP kernel socket is deferred by work calling cleanup_bearer().

tipc_exit_net() waits for such works to finish by checking tipc_net(net)->wq_count.

However, the work decrements the count too early before releasing the kernel socket, unblocking cleanup_net() and resulting in use-after-free.

Let's move the decrement after releasing the socket in cleanup_bearer().

[0]:
ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at
    sk_alloc+0x438/0x608
    inet_create+0x4c8/0xcb0
    __sock_create+0x350/0x6b8
    sock_create_kern+0x58/0x78
    udp_sock_create4+0x68/0x398
    udp_sock_create+0x88/0xc8
    tipc_udp_enable+0x5e8/0x848
    __tipc_nl_bearer_enable+0x84c/0xed8
    tipc_nl_bearer_enable+0x38/0x60
    genl_family_rcv_msg_doit+0x170/0x248
    genl_rcv_msg+0x400/0x5b0
    netlink_rcv_skb+0x1dc/0x398
    genl_rcv+0x44/0x68
    netlink_unicast+0x678/0x8b0
    netlink_sendmsg+0x5e4/0x898
    ____sys_sendmsg+0x500/0x830

[1]:
BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]
BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
    udp_hashslot include/net/udp.h:85 [inline]
    udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
    sk_common_release+0xaf/0x3f0 net/core/sock.c:3820
    inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437
    inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489
    __sock_release net/socket.c:658 [inline]
    sock_release+0xa0/0x210 net/socket.c:686
    cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819
    process_one_work kernel/workqueue.c:3229 [inline]
    process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
    worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
    kthread+0x531/0x6b0 kernel/kthread.c:389
    ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
    ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

Uninit was created at:
    slab_free_hook mm/slub.c:2269 [inline]
    slab_free mm/slub.c:4580 [inline]
    kmem_cache_free+0x207/0xc40 mm/slub.c:4682
    net_free net/core/net_namespace.c:454 [inline]
    cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647
    process_one_work kernel/workqueue.c:3229 [inline]
    process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
    worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
    kthread+0x531/0x6b0 kernel/kthread.c:389
    ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
    ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: events cleanup_bearer
AI Analysis
Technical Summary
CVE-2024-56642 is a high-severity use-after-free in the Linux kernel's Transparent Inter-Process Communication (TIPC) subsystem, in the UDP bearer teardown path handled by cleanup_bearer(). When bearer_disable() calls tipc_udp_disable(), release of the UDP kernel socket is deferred to a workqueue item that runs cleanup_bearer(); tipc_exit_net() waits for those items to finish by watching tipc_net(net)->wq_count. The work item decremented wq_count before it released the socket, so tipc_exit_net() could return and cleanup_net() could free the network namespace while the socket still referenced it; the subsequent sock_release() then touched freed memory. The bug was found by syzkaller fuzzing and confirmed by Kernel Memory Sanitizer (KMSAN) reports showing the use-after-free in udp_hashslot() during udp_lib_unhash(), with the freed memory having been released by net_free() inside cleanup_net(). The root cause is an ordering race between the cleanup work and namespace teardown that results in kernel memory corruption. Exploitation could allow a local attacker with limited privileges (PR:L) to execute arbitrary code or crash the kernel, impacting confidentiality, integrity, and availability. The affected kernel versions are identified by specific commit hashes. The CVSS v3.1 score is 7.8 (high): local attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No exploits are currently known in the wild, but kernel-level memory corruption of this kind is a significant risk once weaponized. The fix moves the wq_count decrement after the socket release, so cleanup_net() cannot run until the socket is gone.
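The ordering bug described in the commit message and the summary above, as an added user-space model that is not the kernel's code or the page's own. fake_net, fake_sock, other_cpu_runs_cleanup_net(), fake_sock_release(), cleanup_bearer_buggy() and cleanup_bearer_fixed() are assumed stand-ins for struct net, the UDP kernel socket, cleanup_net(), sock_release() and the two orderings of cleanup_bearer(); the interleaving is forced at the point where the work item could be preempted instead of being left to a scheduler, so the outcome of each ordering is deterministic.

```c
#include <stdio.h>
#include <stdbool.h>

/*
 * User-space model of the wq_count ordering bug (CVE-2024-56642).
 * Nothing here is kernel code; the types and functions are simplified
 * stand-ins (assumptions) for struct net, tipc_net(net)->wq_count,
 * cleanup_bearer(), tipc_exit_net(), cleanup_net() and sock_release().
 */

/* Per-namespace TIPC state: the work counter tipc_exit_net() waits on,
 * plus a flag recording whether cleanup_net() has already freed it. */
struct fake_net {
    int  wq_count;   /* outstanding cleanup_bearer() work items */
    bool freed;      /* set once cleanup_net() / net_free() has run */
};

/* The UDP kernel socket keeps a back-reference to its namespace, as the
 * real socket does through sk->sk_net. */
struct fake_sock {
    struct fake_net *net;
    bool released;
};

/* Models the other CPU: tipc_exit_net() returns as soon as wq_count hits
 * zero and cleanup_net() then frees the namespace. It is called at the
 * points where the work item may be preempted. */
static void other_cpu_runs_cleanup_net(struct fake_net *net)
{
    if (net->wq_count == 0 && !net->freed)
        net->freed = true;           /* net_free(): memory is gone */
}

/* Stand-in for sock_release(): udp_lib_unhash() dereferences the socket's
 * namespace to find its hash slot. Returns 0 on a clean release, -1 when
 * the namespace was already freed (the use-after-free KMSAN reported). */
static int fake_sock_release(struct fake_sock *sock)
{
    if (sock->net->freed)
        return -1;                   /* would read freed memory */
    sock->released = true;
    return 0;
}

/* Ordering before the fix: decrement first, release second. */
static int cleanup_bearer_buggy(struct fake_sock *sock)
{
    struct fake_net *net = sock->net;

    net->wq_count--;                     /* unblocks tipc_exit_net() */
    other_cpu_runs_cleanup_net(net);     /* namespace freed here */
    return fake_sock_release(sock);      /* touches freed net: UAF */
}

/* Ordering after the fix: release first, decrement last. */
static int cleanup_bearer_fixed(struct fake_sock *sock)
{
    struct fake_net *net = sock->net;
    int ret;

    ret = fake_sock_release(sock);       /* namespace still alive */
    net->wq_count--;                     /* now safe to unblock */
    other_cpu_runs_cleanup_net(net);     /* free happens after release */
    return ret;
}

/* Runs one ordering from a fresh namespace with a single pending work
 * item. Returns 0 for a safe release, -1 for a use-after-free. */
static int run_scenario(int (*cleanup)(struct fake_sock *))
{
    struct fake_net net = { .wq_count = 1, .freed = false };
    struct fake_sock sock = { .net = &net, .released = false };

    return cleanup(&sock);
}

int main(void)
{
    printf("buggy order: %s\n",
           run_scenario(cleanup_bearer_buggy) ? "use-after-free" : "ok");
    printf("fixed order: %s\n",
           run_scenario(cleanup_bearer_fixed) ? "use-after-free" : "ok");
    return 0;
}
```

The model captures why the one-line reordering in the fix is sufficient: the counter is the only thing holding tipc_exit_net() back, so anything the work item still needs from the namespace has to be finished before the counter drops, not after.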
Potential Impact
For European organizations, this vulnerability poses a critical risk to any systems running vulnerable Linux kernel versions, especially servers and infrastructure handling network communications using TIPC and UDP sockets. Exploitation could lead to kernel crashes (denial of service), unauthorized code execution with kernel privileges, or data leakage, severely impacting system availability and security. This is particularly concerning for critical infrastructure providers, cloud service operators, telecom companies, and enterprises relying on Linux-based networking stacks. The vulnerability's local attack vector means that attackers need some level of access, but given the prevalence of multi-tenant environments and containerized deployments in Europe, lateral movement could enable exploitation. The high impact on confidentiality, integrity, and availability could disrupt business operations, cause data breaches, and undermine trust in IT services. Additionally, the vulnerability could be leveraged in targeted attacks against strategic sectors such as finance, energy, and government institutions across Europe, where Linux is widely deployed.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions as soon as vendor updates become available, ensuring the fix that reorders the workqueue decrement is applied. In environments where immediate patching is not feasible, organizations should restrict local access to systems running vulnerable kernels by enforcing strict access controls, using hardened container runtimes, and employing kernel lockdown features where possible. Monitoring kernel logs and system behavior for signs of use-after-free exploitation attempts or unusual workqueue activity can aid early detection. Employing kernel runtime security tools such as eBPF-based monitors or KRSI (Kernel Runtime Security Instrumentation) can help detect anomalous kernel memory operations. Organizations should also review and limit the use of TIPC where not necessary, as this subsystem is the attack surface. Finally, maintaining up-to-date intrusion detection and prevention systems that can identify exploitation attempts targeting kernel vulnerabilities is recommended.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.839Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd0f1
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 2:24:32 PM
Last updated: 7/31/2025, 2:23:09 PM
Views: 16