CVE-2024-57882: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix TCP options overflow. Syzbot reported the following splat: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7074 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7f34f4519ad5 Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 </TASK> Eric noted a probable shinfo->nr_frags corruption, which indeed occurs. The root cause is a buggy MPTCP option len computation in some circumstances: the ADD_ADDR option should be mutually exclusive with DSS since the blamed commit. Still, mptcp_established_options_add_addr() tries to set the relevant info in mptcp_out_options, if ---truncated---
AI Analysis
Technical Summary
CVE-2024-57882 is a vulnerability identified in the Linux kernel's implementation of Multipath TCP (MPTCP), specifically related to the handling of TCP options. The flaw arises from a buggy computation of the length of MPTCP options, particularly the ADD_ADDR option, which should be mutually exclusive with the DSS (Data Sequence Signal) option. However, due to incorrect logic in the function mptcp_established_options_add_addr(), the kernel attempts to set conflicting options simultaneously. This leads to corruption of internal kernel data structures, such as the shinfo->nr_frags field, which tracks the number of fragments in a socket buffer. The corruption manifests as a general protection fault (GPF) or kernel panic, as evidenced by the detailed kernel oops trace provided. The crash occurs during TCP packet processing, specifically in the skb_release_data and tcp_ack functions, indicating that the vulnerability can be triggered by crafted TCP packets exploiting the MPTCP option overflow. The vulnerability was reported by Syzbot, a kernel fuzzing infrastructure, and affects Linux kernel versions including 6.13.0-rc3 and likely others in the 6.x series. The root cause is a logic error in option length calculation and enforcement of mutually exclusive TCP options in MPTCP, which can lead to memory corruption and denial of service (DoS) via kernel crashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers and infrastructure running Linux kernels with MPTCP enabled or in use. MPTCP is increasingly used in environments requiring network redundancy and performance improvements, such as data centers, cloud services, and enterprise networks. Exploitation could lead to kernel crashes causing denial of service, impacting availability of critical services such as SSH (noted in the crash trace), web servers, and other network-facing applications. While direct remote code execution is not indicated, the ability to cause kernel panics remotely can disrupt operations and potentially be leveraged as part of a larger attack chain. Organizations relying on Linux-based cloud infrastructure, especially those using Google Compute Engine or similar platforms where MPTCP might be enabled, are at risk. The vulnerability could also affect embedded Linux devices and network appliances used in European critical infrastructure. Given the kernel-level nature, recovery requires system reboots and patching, which may cause operational downtime. Confidentiality and integrity impacts appear limited, but availability impact is high due to potential service interruptions.
Mitigation Recommendations
1. Immediate application of Linux kernel patches that address the MPTCP TCP options overflow vulnerability once they are released by the Linux kernel maintainers. Monitor official Linux kernel mailing lists and vendor advisories for patch availability. 2. Temporarily disable MPTCP support in the Linux kernel if it is not essential for operations, by disabling the CONFIG_MPTCP kernel configuration or unloading related kernel modules. 3. Employ network-level filtering to block or scrutinize suspicious TCP packets containing malformed or unusual MPTCP options, using advanced firewall rules or intrusion prevention systems capable of deep packet inspection. 4. Conduct thorough testing of updated kernels in staging environments to ensure stability and compatibility before deployment in production. 5. Enhance monitoring and alerting on kernel oops, crashes, and unusual TCP traffic patterns to detect potential exploitation attempts early. 6. Coordinate with cloud service providers to verify if their Linux kernel versions are affected and request timely patching or mitigations. 7. Maintain robust backup and recovery procedures to minimize downtime impact in case of successful exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland, Italy, Spain
CVE-2024-57882: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix TCP options overflow. Syzbot reported the following splat: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7074 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7f34f4519ad5 Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 </TASK> Eric noted a probable shinfo->nr_frags corruption, which indeed occurs. The root cause is a buggy MPTCP option len computation in some circumstances: the ADD_ADDR option should be mutually exclusive with DSS since the blamed commit. Still, mptcp_established_options_add_addr() tries to set the relevant info in mptcp_out_options, if ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-57882 is a vulnerability identified in the Linux kernel's implementation of Multipath TCP (MPTCP), specifically related to the handling of TCP options. The flaw arises from a buggy computation of the length of MPTCP options, particularly the ADD_ADDR option, which should be mutually exclusive with the DSS (Data Sequence Signal) option. However, due to incorrect logic in the function mptcp_established_options_add_addr(), the kernel attempts to set conflicting options simultaneously. This leads to corruption of internal kernel data structures, such as the shinfo->nr_frags field, which tracks the number of fragments in a socket buffer. The corruption manifests as a general protection fault (GPF) or kernel panic, as evidenced by the detailed kernel oops trace provided. The crash occurs during TCP packet processing, specifically in the skb_release_data and tcp_ack functions, indicating that the vulnerability can be triggered by crafted TCP packets exploiting the MPTCP option overflow. The vulnerability was reported by Syzbot, a kernel fuzzing infrastructure, and affects Linux kernel versions including 6.13.0-rc3 and likely others in the 6.x series. The root cause is a logic error in option length calculation and enforcement of mutually exclusive TCP options in MPTCP, which can lead to memory corruption and denial of service (DoS) via kernel crashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers and infrastructure running Linux kernels with MPTCP enabled or in use. MPTCP is increasingly used in environments requiring network redundancy and performance improvements, such as data centers, cloud services, and enterprise networks. Exploitation could lead to kernel crashes causing denial of service, impacting availability of critical services such as SSH (noted in the crash trace), web servers, and other network-facing applications. While direct remote code execution is not indicated, the ability to cause kernel panics remotely can disrupt operations and potentially be leveraged as part of a larger attack chain. Organizations relying on Linux-based cloud infrastructure, especially those using Google Compute Engine or similar platforms where MPTCP might be enabled, are at risk. The vulnerability could also affect embedded Linux devices and network appliances used in European critical infrastructure. Given the kernel-level nature, recovery requires system reboots and patching, which may cause operational downtime. Confidentiality and integrity impacts appear limited, but availability impact is high due to potential service interruptions.
Mitigation Recommendations
1. Immediate application of Linux kernel patches that address the MPTCP TCP options overflow vulnerability once they are released by the Linux kernel maintainers. Monitor official Linux kernel mailing lists and vendor advisories for patch availability. 2. Temporarily disable MPTCP support in the Linux kernel if it is not essential for operations, by disabling the CONFIG_MPTCP kernel configuration or unloading related kernel modules. 3. Employ network-level filtering to block or scrutinize suspicious TCP packets containing malformed or unusual MPTCP options, using advanced firewall rules or intrusion prevention systems capable of deep packet inspection. 4. Conduct thorough testing of updated kernels in staging environments to ensure stability and compatibility before deployment in production. 5. Enhance monitoring and alerting on kernel oops, crashes, and unusual TCP traffic patterns to detect potential exploitation attempts early. 6. Coordinate with cloud service providers to verify if their Linux kernel versions are affected and request timely patching or mitigations. 7. Maintain robust backup and recovery procedures to minimize downtime impact in case of successful exploitation.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-01-11T14:45:42.023Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9822c4522896dcbde95f
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 8:39:40 AM
Last updated: 8/1/2025, 8:40:46 AM
Views: 12
Related Threats
CVE-2025-41242: Vulnerability in VMware Spring Framework
MediumCVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5
HighCVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU
HighCVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340
HighCVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.