CVE-2024-56661: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix NULL deref in cleanup_bearer()

syzbot found [1] that after blamed commit, ub->ubsock->sk was NULL
when attempting the atomic_dec() :

atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);

Fix this by caching the tipc_net pointer.

[1]

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events cleanup_bearer
RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline]
RIP: 0010:sock_net include/net/sock.h:655 [inline]
RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820
Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b
RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900
RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20
R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980
R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
AI Analysis
Technical Summary
CVE-2024-56661 is a vulnerability in the Linux kernel's Transparent Inter-Process Communication (TIPC) subsystem, specifically in the cleanup_bearer() function of net/tipc/udp_media.c. The flaw is a NULL pointer dereference that occurs when the kernel decrements the wq_count atomic counter held in the per-namespace TIPC state (tipc_net), which cleanup_bearer() reaches through the bearer's socket. After a certain earlier commit, the socket pointer ub->ubsock->sk can be NULL at that point, so evaluating atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count) reads through a NULL pointer; the oops above places the fault in the inlined sock_net()/read_pnet() lookup. The result is a general protection fault and kernel crash, as shown by the kernel oops and the KASAN (Kernel Address Sanitizer) null-ptr-deref report. The crash is triggered during the cleanup of a bearer in the TIPC UDP media layer (the oops shows it running as a kworker item, "Workqueue: events cleanup_bearer"), part of the networking stack used for cluster communication and high-availability systems. The issue was found by syzbot, an automated kernel fuzzing tool, and fixed by caching the tipc_net pointer while the socket is still valid, so the decrement no longer goes through the NULL socket pointer. The affected kernel versions span several recent commits prior to the fix, so actively maintained and deployed kernels are affected. No exploits are reported in the wild, and no CVSS score has been assigned yet.
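As an added illustration (not the kernel's code and not part of the advisory), the following user-space C model reproduces the teardown ordering problem described above and the "cache the tipc_net pointer" fix. The structs are stand-ins for the kernel's struct net, struct sock, struct socket and struct udp_bearer; udp_tunnel_sock_release() is modelled as clearing the socket's ->sk, which is an assumption about why ub->ubsock->sk was NULL (the advisory only reports that it was). The buggy routine returns -1 at the point where the kernel would fault instead of dereferencing NULL, so the two orderings can be compared in one run.

```c
/*
 * User-space model of the ordering bug behind CVE-2024-56661 (NULL deref in
 * cleanup_bearer()) and of the fix that caches the tipc_net pointer.
 * Added example: stand-in types, not the kernel's definitions.
 */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

struct tipc_net   { atomic_int wq_count; };   /* per-namespace TIPC state  */
struct net        { struct tipc_net tn; };    /* stand-in for struct net   */
struct sock       { struct net *net; };       /* stand-in for struct sock  */
struct socket     { struct sock *sk; };       /* stand-in for struct socket */
struct udp_bearer { struct socket *ubsock; }; /* the TIPC UDP bearer       */

static struct tipc_net *tipc_net(struct net *net) { return &net->tn; }

/* Like the kernel's sock_net(), this has no NULL check: with sk == NULL the
 * read of sk->net is the fault the oops on this page attributes to read_pnet(). */
static struct net *sock_net(const struct sock *sk) { return sk->net; }

/* Model of udp_tunnel_sock_release() (assumption): frees the kernel socket
 * and clears ->sk, so anything reading ub->ubsock->sk afterwards reads NULL. */
static void udp_tunnel_sock_release(struct socket *sock)
{
    free(sock->sk);
    sock->sk = NULL;
}

/* Buggy ordering: release the socket first, then look the net pointer up
 * through the now-NULL sk. Returns -1 where the kernel would fault. */
static int cleanup_bearer_buggy(struct udp_bearer *ub)
{
    udp_tunnel_sock_release(ub->ubsock);
    if (ub->ubsock->sk == NULL)
        return -1;                      /* kernel: GPF / KASAN null-ptr-deref */
    atomic_fetch_sub(&tipc_net(sock_net(ub->ubsock->sk))->wq_count, 1);
    return 0;
}

/* Fixed ordering: cache the tipc_net pointer while sk is still valid and
 * use only the cached pointer once the socket is gone. */
static int cleanup_bearer_fixed(struct udp_bearer *ub)
{
    struct tipc_net *tn = tipc_net(sock_net(ub->ubsock->sk));

    udp_tunnel_sock_release(ub->ubsock);
    atomic_fetch_sub(&tn->wq_count, 1);
    return 0;
}

/* One namespace, one bearer with a live socket, one outstanding cleanup
 * work item (wq_count == 1). Constructed fixture for the model. */
static struct udp_bearer *make_bearer(struct net *net)
{
    struct sock *sk = calloc(1, sizeof(*sk));
    struct socket *so = calloc(1, sizeof(*so));
    struct udp_bearer *ub = calloc(1, sizeof(*ub));
    if (!sk || !so || !ub) { free(sk); free(so); free(ub); return NULL; }
    sk->net = net;
    so->sk = sk;
    ub->ubsock = so;
    atomic_store(&net->tn.wq_count, 1);
    return ub;
}

static void free_bearer(struct udp_bearer *ub)
{
    if (!ub) return;
    if (ub->ubsock) { free(ub->ubsock->sk); free(ub->ubsock); }
    free(ub);
}

/* Run one teardown with the given cleanup routine: returns its status and
 * stores the resulting wq_count (-2 if the fixture could not be built). */
static int run_teardown(int (*cleanup)(struct udp_bearer *), int *count_out)
{
    struct net net = {0};
    struct udp_bearer *ub = make_bearer(&net);
    if (!ub) return -2;
    int rc = cleanup(ub);
    *count_out = atomic_load(&net.tn.wq_count);
    free_bearer(ub);
    return rc;
}

/* Convenience: wq_count left behind by a teardown (the fixed path must reach 0). */
static int teardown_wq_count(int (*cleanup)(struct udp_bearer *))
{
    int count = -1;
    run_teardown(cleanup, &count);
    return count;
}

int main(void)
{
    int count;
    int rc = run_teardown(cleanup_bearer_buggy, &count);
    printf("buggy ordering: rc=%d (sk is NULL at the atomic_dec), wq_count=%d\n", rc, count);
    rc = run_teardown(cleanup_bearer_fixed, &count);
    printf("fixed ordering: rc=%d, wq_count=%d\n", rc, count);
    return 0;
}
```

The point the model makes is a general one for teardown code: anything derived from an object must be read before the call that tears that object down, because a release routine is free to clear the pointers it owns. In the buggy ordering the counter is never decremented (the kernel faults first); in the fixed ordering it reaches 0 as intended.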
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with TIPC enabled, which are often found in telecommunications infrastructure, clustered computing environments, and certain industrial control systems. Exploitation leads to a kernel crash (denial of service) due to a NULL pointer dereference, potentially causing system downtime or disruption of critical services. While this vulnerability does not directly allow privilege escalation or remote code execution, the resulting denial of service could impact availability of critical networked applications, especially in sectors like telecom, finance, and manufacturing that rely on Linux-based high-availability clusters. Additionally, kernel crashes can lead to system instability and potential data loss if not properly managed. Given the widespread use of Linux in European data centers, cloud providers, and embedded systems, the vulnerability could affect a broad range of infrastructure if unpatched. However, exploitation requires triggering the cleanup_bearer() function path, which may limit the attack surface to specific configurations and workloads using TIPC over UDP.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the latest stable release that includes the patch fixing this NULL pointer dereference in the TIPC subsystem. Specifically, kernel versions incorporating the fix that caches the tipc_net pointer should be deployed. System administrators should audit their environments to identify systems running affected kernel versions with TIPC enabled, especially in telecom and clustered environments. If immediate patching is not feasible, consider disabling the TIPC UDP media bearer or the TIPC subsystem if it is not required for operational purposes, to reduce exposure. Monitoring kernel logs for OOPS or KASAN reports related to tipc_net or cleanup_bearer can help detect attempted exploitation or crashes. Additionally, implement robust system recovery and failover procedures to minimize downtime in case of kernel crashes. Network segmentation and access controls limiting exposure of TIPC-enabled systems to untrusted networks can further reduce risk. Finally, maintain close coordination with Linux kernel security advisories and apply patches promptly upon release.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.843Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde4a1
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 6:41:14 AM
Last updated: 8/16/2025, 11:43:17 AM