CVE-2024-56665: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog

Syzbot reported [1] a crash that happens for the following tracing scenario:
- create tracepoint perf event with attr.inherit=1, attach it to the process and set bpf program to it
- attached process forks -> child creates inherited event; the new child event shares the parent's bpf program and tp_event (hence prog_array) which is global for tracepoint
- exit both process and its child -> release both events
- first perf_event_detach_bpf_prog call will release tp_event->prog_array and second perf_event_detach_bpf_prog will crash, because tp_event->prog_array is NULL

The fix makes sure the perf_event_detach_bpf_prog checks prog_array is valid before it tries to remove the bpf program from it.

[1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad
AI Analysis
Technical Summary
CVE-2024-56665 is a vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) and perf subsystems, specifically in how prog_array is accessed when a BPF program is detached from a perf event. The issue arises in a tracing scenario where a tracepoint perf event is created with the inherit attribute set to 1 and a BPF program is attached to it. When the attached process forks, the child process inherits the perf event and shares the parent's BPF program and the tracepoint's global prog_array. When both the parent and the child exit, perf_event_detach_bpf_prog is called once for each event. The first call removes the last program and releases the prog_array, leaving tp_event->prog_array NULL; the second call then dereferences that NULL pointer and crashes the kernel. The root cause is missing validation of the prog_array pointer during cleanup of a shared, inherited event. The fix makes perf_event_detach_bpf_prog check that prog_array is valid before attempting to remove the BPF program from it. Although no exploits are known in the wild, the crash can be triggered by local users or processes that are permitted to create perf events and attach BPF programs to them, so the practical impact is denial of service through a kernel crash. The affected Linux kernel versions are identified by commit hashes in the CVE record, indicating a range of affected kernel builds. This is primarily a stability and availability concern rather than a confidentiality or integrity compromise, but kernel crashes cause downtime and disrupt services that depend on the affected hosts.
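The following user-space model is an added illustration of the scenario above; it is not kernel code and not part of the advisory. The structures, the prog_array_copy helper and the program id 42 are simplified stand-ins for the kernel's bpf_prog_array, trace_event_call, perf_event and bpf_prog_array_copy (locking, RCU and reference counting are omitted). perf_event_detach_bpf_prog takes a flag so the pre-fix and fixed control flow can be compared: the parent's detach empties the shared array and sets tp_event->prog_array to NULL, and the inherited child's detach then either walks into that NULL pointer (pre-fix) or returns after the validity check (fixed).

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_PROGS 8
#define DETACH_OK          0
#define DETACH_WOULD_CRASH (-1)  /* pre-fix path: NULL prog_array dereference */

/* Stand-in for struct bpf_prog_array: zero-terminated list of program ids. */
struct prog_array { int progs[MAX_PROGS + 1]; };

/* Stand-in for struct trace_event_call: one per tracepoint, shared globally. */
struct trace_event_call { struct prog_array *prog_array; };

/* Stand-in for struct perf_event. An inherited child event shares the
 * parent's tp_event and the attached program. */
struct perf_event {
    struct trace_event_call *tp_event;
    int prog;   /* attached program id, 0 when nothing is attached */
};

/* Model of bpf_prog_array_copy(old, exclude, include, ...): returns a fresh
 * array with `exclude` removed and `include` appended (either may be 0).
 * Returns NULL when the result is empty, which is how tp_event->prog_array
 * ends up NULL once the last program has been detached. */
static struct prog_array *prog_array_copy(const struct prog_array *old,
                                          int exclude, int include)
{
    struct prog_array *nw = calloc(1, sizeof(*nw));
    int n = 0;
    if (old)
        for (int i = 0; old->progs[i]; i++)
            if (old->progs[i] != exclude)
                nw->progs[n++] = old->progs[i];
    if (include)
        nw->progs[n++] = include;
    if (n == 0) { free(nw); return NULL; }
    return nw;
}

void perf_event_attach_bpf_prog(struct perf_event *event, int prog)
{
    struct prog_array *old = event->tp_event->prog_array;
    event->tp_event->prog_array = prog_array_copy(old, 0, prog);
    free(old);
    event->prog = prog;
}

/* Model of perf_event_detach_bpf_prog. With check_prog_array == 0 it follows
 * the pre-fix flow and reports where it would dereference NULL; with
 * check_prog_array == 1 it applies the validity check the advisory describes. */
int perf_event_detach_bpf_prog(struct perf_event *event, int check_prog_array)
{
    struct prog_array *old;
    if (!event->prog)
        return DETACH_OK;                   /* nothing attached */
    old = event->tp_event->prog_array;
    if (!old) {
        if (!check_prog_array)
            return DETACH_WOULD_CRASH;      /* pre-fix: copy from a NULL array */
        event->prog = 0;                    /* fix: only drop this event's program */
        return DETACH_OK;
    }
    event->tp_event->prog_array = prog_array_copy(old, event->prog, 0);
    free(old);
    event->prog = 0;
    return DETACH_OK;
}

/* Runs the reported scenario: parent attaches, child inherits, both exit.
 * Returns the status of the second (child) detach. */
int run_scenario(int check_prog_array)
{
    struct trace_event_call tp = { .prog_array = NULL };
    struct perf_event parent = { .tp_event = &tp, .prog = 0 };
    struct perf_event child;

    perf_event_attach_bpf_prog(&parent, 42);   /* constructed program id */
    child = parent;                            /* attr.inherit=1: child shares prog and tp_event */

    int first = perf_event_detach_bpf_prog(&parent, check_prog_array);
    int second = perf_event_detach_bpf_prog(&child, check_prog_array);
    free(tp.prog_array);                       /* already NULL after the last removal */
    return first == DETACH_OK ? second : first;
}

int main(void)
{
    printf("pre-fix:  %s\n", run_scenario(0) == DETACH_OK ? "ok" : "NULL prog_array dereference");
    printf("with fix: %s\n", run_scenario(1) == DETACH_OK ? "ok" : "NULL prog_array dereference");
    return 0;
}
```

The model returns a status code where the kernel would oops, so the two flows can be compared side by side; the point it makes is that the shared prog_array lifetime is tied to the tracepoint, not to any one inherited event, so every detach path must tolerate the array already being gone.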
Potential Impact
For European organizations, the impact of CVE-2024-56665 centers on system stability and availability. Organizations running Linux-based infrastructure, especially those utilizing perf and BPF for performance monitoring, tracing, or security observability, may experience unexpected kernel crashes if the vulnerability is triggered. This can lead to denial of service conditions affecting critical servers, cloud environments, or embedded systems. Industries with high reliance on Linux servers, such as telecommunications, finance, manufacturing, and public sector entities, could face operational disruptions. Additionally, environments that allow unprivileged users or containerized workloads to interact with perf events may be at higher risk. Although no direct data breach or privilege escalation is indicated, repeated crashes could degrade service reliability and increase operational costs due to downtime and recovery efforts. The vulnerability also poses a risk in multi-tenant or shared hosting environments common in Europe, where one tenant’s workload could inadvertently or maliciously cause kernel crashes affecting others.
Mitigation Recommendations
To mitigate CVE-2024-56665, European organizations should:
1) Apply the latest Linux kernel patches that include the fix for this vulnerability as soon as they become available from their Linux distribution vendors or upstream kernel sources.
2) Restrict access to perf and BPF-related interfaces to trusted users only, minimizing the attack surface by limiting who can create tracepoint perf events with inherit=1 and attach BPF programs.
3) Implement strict container runtime security policies that prevent unprivileged containers from accessing the perf_event_open syscall or BPF functionality unless explicitly required.
4) Monitor kernel logs and system stability metrics for signs of perf_event_detach_bpf_prog related crashes or anomalies.
5) Use kernel lockdown or security modules (e.g., SELinux, AppArmor) to enforce least privilege on kernel tracing features.
6) For critical production systems, consider temporarily disabling perf event inheritance or BPF attachment to tracepoints if patching is delayed, balancing operational needs with security.
7) Engage with Linux distribution security advisories and maintain an up-to-date inventory of kernel versions deployed across infrastructure to prioritize patching efforts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.844Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd14c
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 10:41:37 PM
Last updated: 8/13/2025, 12:34:15 PM
Views: 14
Related Threats
- CVE-2025-8991: Business Logic Errors in linlinjava litemall (Medium)
- CVE-2025-8990: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-8940: Buffer Overflow in Tenda AC20 (High)
- CVE-2025-8939: Buffer Overflow in Tenda AC20 (High)
- CVE-2025-50518: n/a (High)