CVE-2024-56650: Vulnerability in the Linux kernel (netfilter x_tables LED target)
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: fix LED ID check in led_tg_check()

Syzbot has reported the following BUG detected by KASAN:

BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70
Read of size 1 at addr ffff8881022da0c8 by task repro/5879
...
Call Trace:
<TASK>
dump_stack_lvl+0x241/0x360
? __pfx_dump_stack_lvl+0x10/0x10
? __pfx__printk+0x10/0x10
? _printk+0xd5/0x120
? __virt_addr_valid+0x183/0x530
? __virt_addr_valid+0x183/0x530
print_report+0x169/0x550
? __virt_addr_valid+0x183/0x530
? __virt_addr_valid+0x183/0x530
? __virt_addr_valid+0x45f/0x530
? __phys_addr+0xba/0x170
? strlen+0x58/0x70
kasan_report+0x143/0x180
? strlen+0x58/0x70
strlen+0x58/0x70
kstrdup+0x20/0x80
led_tg_check+0x18b/0x3c0
xt_check_target+0x3bb/0xa40
? __pfx_xt_check_target+0x10/0x10
? stack_depot_save_flags+0x6e4/0x830
? nft_target_init+0x174/0xc30
nft_target_init+0x82d/0xc30
? __pfx_nft_target_init+0x10/0x10
? nf_tables_newrule+0x1609/0x2980
? nf_tables_newrule+0x1609/0x2980
? rcu_is_watching+0x15/0xb0
? nf_tables_newrule+0x1609/0x2980
? nf_tables_newrule+0x1609/0x2980
? __kmalloc_noprof+0x21a/0x400
nf_tables_newrule+0x1860/0x2980
? __pfx_nf_tables_newrule+0x10/0x10
? __nla_parse+0x40/0x60
nfnetlink_rcv+0x14e5/0x2ab0
? __pfx_validate_chain+0x10/0x10
? __pfx_nfnetlink_rcv+0x10/0x10
? __lock_acquire+0x1384/0x2050
? netlink_deliver_tap+0x2e/0x1b0
? __pfx_lock_release+0x10/0x10
? netlink_deliver_tap+0x2e/0x1b0
netlink_unicast+0x7f8/0x990
? __pfx_netlink_unicast+0x10/0x10
? __virt_addr_valid+0x183/0x530
? __check_object_size+0x48e/0x900
netlink_sendmsg+0x8e4/0xcb0
? __pfx_netlink_sendmsg+0x10/0x10
? aa_sock_msg_perm+0x91/0x160
? __pfx_netlink_sendmsg+0x10/0x10
__sock_sendmsg+0x223/0x270
____sys_sendmsg+0x52a/0x7e0
? __pfx_____sys_sendmsg+0x10/0x10
__sys_sendmsg+0x292/0x380
? __pfx___sys_sendmsg+0x10/0x10
? lockdep_hardirqs_on_prepare+0x43d/0x780
? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
? exc_page_fault+0x590/0x8c0
? do_syscall_64+0xb6/0x230
do_syscall_64+0xf3/0x230
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
</TASK>

Since an invalid (without '\0' byte at all) byte sequence may be passed from userspace, add an extra check to ensure that such a sequence is rejected as possible ID and so never passed to 'kstrdup()' and further.
AI Analysis
Technical Summary
CVE-2024-56650 is a vulnerability in the Linux kernel's netfilter subsystem, specifically in the x_tables LED target (xt_LED). The target's checkentry routine, led_tg_check(), validates the LED trigger ID that userspace supplies in the rule's struct xt_led_info; the ID is a fixed-size char array copied verbatim from the rule blob. Syzbot found the bug with the Kernel Address Sanitizer (KASAN), which reported a slab-out-of-bounds read in strlen(), reached from kstrdup(). The pre-fix code only rejected an empty ID. An ID that fills the whole array with no terminating NUL byte ('\0') anywhere was therefore accepted and handed to kstrdup(), whose strlen() call keeps reading past the end of the array into adjacent slab memory. The call trace shows the path: a netlink message to nfnetlink (nf_tables_newrule) creates a rule whose target is handled by the nftables compat layer (nft_target_init), which calls xt_check_target() and then led_tg_check(); the same checkentry routine is reached when a rule with the LED target is loaded through the legacy iptables setsockopt path. The defect is an out-of-bounds read, not a write. Its consequences are a kernel crash if the read runs off the end of mapped memory and, because kstrdup() copies as many bytes as strlen() measured, adjacent slab bytes being copied into the duplicated trigger name. The CVE record identifies the vulnerable code by commit 268cb38e1802db560c73167e643f14a3dcb4b07c; other kernel versions carrying the same code are likely affected as well. No exploitation in the wild has been reported. Triggering the bug requires the ability to add a netfilter rule, which needs CAP_NET_ADMIN in the caller's network namespace; on systems that allow unprivileged user namespaces, an ordinary local user can obtain that capability in a namespace of their own, so the realistic outcome is a local denial of service (kernel panic). The fix adds a check that rejects any ID without a NUL byte inside the array, so such input never reaches kstrdup(). The bug is a reminder that kernel subsystems parsing user-supplied binary structures must validate string fields for termination before treating them as C strings, especially in networking components such as netfilter.
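The following C program is an added illustration of the input-validation mistake described above; it is not the kernel's code and not part of this advisory. The 27-byte id size mirrors the uAPI struct xt_led_info, but the reduced struct, the helper names (unchecked_id_length, checked_id, demo_overread) and the constructed inputs are this example's own. It lays a non-terminated id directly in front of a few bytes standing in for a neighbouring slab object, shows how far the pre-fix strlen()/kstrdup() path reads, and contrasts it with a check that requires a NUL inside the array.

```c
/*
 * Added illustration of the led_tg_check() validation bug (not kernel code).
 * XT_LED_ID_LEN mirrors sizeof(xt_led_info.id); everything else is this
 * example's own construction.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define XT_LED_ID_LEN 27   /* size of the id array in struct xt_led_info */

/* Reduced stand-in for struct xt_led_info; only the id array matters here. */
struct led_info {
    char id[XT_LED_ID_LEN];
};

/*
 * Pre-fix behaviour: a non-empty id goes straight to kstrdup(), which calls
 * strlen(). With no NUL inside the array, strlen() keeps reading into
 * whatever follows the array in memory. Returns the length strlen()
 * computes, i.e. how many bytes kstrdup() would copy before the NUL.
 */
size_t unchecked_id_length(const struct led_info *info)
{
    if (info->id[0] == '\0')
        return 0;
    return strlen(info->id);            /* may read past info->id */
}

/*
 * Hardened check: additionally require a NUL somewhere inside the array,
 * so strlen()/kstrdup() can never run off its end. Returns 0 or -EINVAL.
 */
int checked_id(const struct led_info *info)
{
    if (info->id[0] == '\0')
        return -EINVAL;                                   /* empty id */
    if (memchr(info->id, '\0', sizeof(info->id)) == NULL)
        return -EINVAL;                                   /* unterminated id */
    return 0;
}

/*
 * Constructed input: 27 bytes of 'A' with no terminator, placed in one
 * buffer directly in front of 7 bytes that stand in for the neighbouring
 * slab object ("LEAKED" plus its NUL). Returns what the unchecked path
 * would measure: 27 id bytes plus 6 neighbour bytes.
 */
size_t demo_overread(void)
{
    static char slab[XT_LED_ID_LEN + 7];
    memset(slab, 'A', XT_LED_ID_LEN);
    memcpy(slab + XT_LED_ID_LEN, "LEAKED", 7);
    return unchecked_id_length((const struct led_info *)slab);
}

/* Representative ids so both paths can be compared on the same input. */
void make_unterminated_id(struct led_info *info)
{
    memset(info->id, 'A', sizeof(info->id));
}

void make_valid_id(struct led_info *info)
{
    memset(info->id, 0, sizeof(info->id));
    memcpy(info->id, "netfilter-led", 14);   /* 13 chars plus NUL */
}

int main(void)
{
    struct led_info info;

    make_unterminated_id(&info);
    printf("unterminated id: checked_id -> %d, unchecked strlen -> %zu bytes\n",
           checked_id(&info), demo_overread());

    make_valid_id(&info);
    printf("valid id: checked_id -> %d, strlen -> %zu bytes\n",
           checked_id(&info), unchecked_id_length(&info));
    return 0;
}
```

In the kernel the over-read lands in whatever slab object happens to follow the rule's target data, which is why the result ranges from a silent copy of neighbour bytes to a crash; under KASAN the first out-of-bounds byte is reported immediately, as in the trace above.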
Potential Impact
For European organizations, the impact of CVE-2024-56650 is mainly on availability, and it matters most to those running Linux for routing, firewalling, or security appliances. The netfilter subsystem underpins iptables and nftables on the Linux distributions common in enterprise, cloud, and telecommunications environments, and where the LED target is built as a loadable module (as on common distributions) it is available even on hosts where nobody uses it. Triggering the bug can crash the kernel, causing denial of service on servers or network devices and disrupting the services they carry. The exposure is a shared-kernel one: a compromised container or process that holds CAP_NET_ADMIN, or that can create its own user and network namespace on a host where unprivileged user namespaces are enabled, can crash the host kernel it shares; a virtual machine, by contrast, can only crash its own guest kernel. There is no remote vector: an attacker needs local code execution, or access to an exposed management interface that adds firewall rules on their behalf. Because the flaw is an out-of-bounds read rather than a write, it is not by itself a privilege-escalation primitive, although the over-read bytes are copied into the trigger name and the crash could be combined with other bugs in a larger attack chain. Organizations in finance, healthcare, telecommunications, and government, which commonly deploy Linux-based firewalls and network security devices, face the greatest risk of service disruption. No CVSS score has been assigned and no exploits are known, but the fix is small and should be applied promptly to preserve availability.
Mitigation Recommendations
To mitigate CVE-2024-56650, European organizations should:
1) Update to a kernel that contains the fix ("netfilter: x_tables: fix LED ID check in led_tg_check()"). The fix is in the mainline kernel and the stable series; for distribution kernels, check the vendor advisory for CVE-2024-56650 and confirm that the running kernel's changelog lists the fix rather than relying on the version number alone.
2) Reduce who can reach the vulnerable check. Adding a netfilter rule requires CAP_NET_ADMIN in the caller's network namespace. On hosts that do not need unprivileged user namespaces, disable them (kernel.unprivileged_userns_clone=0 on kernels carrying the Debian/Ubuntu patch, or user.max_user_namespaces=0, noting that the latter also affects root and breaks software that relies on user namespaces, such as rootless containers and some sandboxes). Drop CAP_NET_ADMIN from containers and services that do not manage firewall rules. SELinux and AppArmor policies can additionally confine which processes may open netlink sockets.
3) If nothing on the host uses the LED target, prevent the xt_LED module from loading, for example with "install xt_LED /bin/false" in a modprobe.d file. This only helps where the target is built as a module rather than into the kernel.
4) Monitor kernel logs for KASAN reports, oopses, or panics that mention led_tg_check, xt_check_target, or nft_target_init, and for unexpected rule changes arriving over nfnetlink.
5) Run fuzzing or KASAN-enabled kernels in test environments to catch similar parsing bugs in netfilter before they reach production; KASAN is a debugging tool, not a production hardening measure.
6) For critical network infrastructure, keep redundancy and segmentation in place so that a single crashed node does not take a service down.
7) Review and audit firewall and netfilter rule management so that only authorized, validated changes are applied, and subscribe to the distribution's security advisories to track the patch and any exploit developments.
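The following POSIX shell script is an added audit helper for mitigations 2 and 3; it is not part of the advisory or of any Linux distribution's tooling. It checks whether an ordinary user on the local host could obtain CAP_NET_ADMIN through an unprivileged user namespace, and whether the xt_LED target is loaded or loadable. The sysctl paths are the standard procfs ones; the function names and the verdict wording are this example's own, and the decision logic is separated from the file reads so it can be exercised with constructed values.

```sh
#!/bin/sh
# Added audit helper (not from the advisory). Assumes the standard procfs
# sysctl files and /sys/module; modinfo is used only if present.

# Decide from two sysctl values whether unprivileged users may create user
# namespaces. Arguments: user.max_user_namespaces, and the value of
# kernel.unprivileged_userns_clone on kernels that have it ("" if absent).
# Returns 0 when unprivileged user namespaces are allowed.
userns_unprivileged_allowed() {
    max_ns="$1"
    clone_knob="$2"
    case "$max_ns" in
        ''|*[!0-9]*) return 1 ;;        # unreadable or non-numeric: treat as disabled
    esac
    [ "$max_ns" -gt 0 ] || return 1     # limit of 0 forbids new user namespaces
    [ -z "$clone_knob" ] || [ "$clone_knob" != "0" ]
}

# Returns 0 when xt_LED is loaded or can be loaded from /lib/modules.
# A target built into the kernel may not show up here.
xt_led_available() {
    [ -d /sys/module/xt_LED ] && return 0
    modinfo xt_LED >/dev/null 2>&1
}

# Print a one-line verdict for this host. The LED check is only reachable
# by an ordinary user when both conditions hold.
audit_xt_led_exposure() {
    max_ns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
    clone_knob=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo "")

    if userns_unprivileged_allowed "$max_ns" "$clone_knob"; then
        ns_state="allowed"
    else
        ns_state="restricted"
    fi
    if xt_led_available; then
        led_state="present"
    else
        led_state="absent or built in"
    fi

    verdict="not reachable by unprivileged users"
    if [ "$ns_state" = "allowed" ] && [ "$led_state" = "present" ]; then
        verdict="reachable by unprivileged users; patch or restrict"
    fi
    printf 'unprivileged user namespaces: %s; xt_LED: %s; led_tg_check: %s\n' \
        "$ns_state" "$led_state" "$verdict"
}

audit_xt_led_exposure
```

Run it as root on each host; a "reachable" verdict means an unprivileged local user has a path to the LED target's checkentry, and mitigation 2 or 3 applies until the patched kernel is booted. A "not reachable" verdict does not remove the need to patch, since any process that already holds CAP_NET_ADMIN can still trigger the bug.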
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.840Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde46a
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 6:40:19 AM
Last updated: 8/18/2025, 11:23:08 PM