
CVE-2024-57900: Vulnerability in Linux (vendor: Linux, product: Linux)

Severity: High
Published: Wed Jan 15 2025 (01/15/2025, 13:05:51 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ila: serialize calls to nf_register_net_hooks()

syzbot found a race in ila_add_mapping() [1]

commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempted to fix a similar issue.

Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.

Add a mutex to make sure at most one thread is calling nf_register_net_hooks().

[1]
BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501

CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
 rhashtable_lookup include/linux/rhashtable.h:646 [inline]
 rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
 ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
 ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
 process_backlog+0x443/0x15f0 net/core/dev.c:6117
 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883
 napi_poll net/core/dev.c:6952 [inline]
 net_rx_action+0xa94/0x1010 net/core/dev.c:7074
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049

AI-Powered Analysis

Last updated: 07/02/2025, 22:28:42 UTC

Technical Analysis

CVE-2024-57900 is a high-severity vulnerability in the Linux kernel, in the In-situ Locator Address (ILA) subsystem of the IPv6 networking stack. The root cause is a race condition in ila_add_mapping() that results in a use-after-free (UAF) in the kernel's rhashtable (resizable hash table) code. Concurrent ILA_CMD_ADD commands were not serialized, so multiple threads could call nf_register_net_hooks() at the same time. An earlier commit (031ae72825ce, "ila: call nf_unregister_net_hooks() sooner") addressed a similar issue but did not close this race. The fix adds a mutex so that at most one thread calls nf_register_net_hooks() at a time.

The bug surfaces as a slab-use-after-free reported by the Kernel Address Sanitizer (KASAN): freed memory is read in rht_key_hashfn during an rhashtable lookup reached from ila_nf_input() on the IPv6 receive path. The consequences range from kernel crashes and memory corruption to, potentially, arbitrary code execution in kernel context.

The vulnerability requires local privileges (PR:L) and no user interaction (UI:N), and its attack vector is local (AV:L): an attacker needs some level of access to the system to exploit it. The impact on confidentiality, integrity and availability is rated high, since successful exploitation could allow privilege escalation or denial of service. Affected are Linux kernel versions prior to the patch; the KASAN report above was produced on a 6.13.0-rc4 kernel, and kernels around that version are the ones of interest. The weakness is classified as CWE-416 (Use After Free). No exploits in the wild are currently reported, but the CVSS score of 7.8 and the nature of the bug indicate a significant risk if it is exploited.
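To make the race described above concrete, here is an added example that is not code from the Linux kernel or from this advisory: a user-space model of lazily registering a hook set on the first mapping add, once with an unlocked check-then-act (the defective shape) and once with the check and the registration inside a mutex (the shape of the fix). Several threads stand in for concurrent ILA_CMD_ADD commands. All names here (ila_ns_model, register_hooks_model, add_mapping_racy, add_mapping_serialized, registrations_after_adds, mappings_after_adds) are hypothetical, and the usleep() is only there to widen the race window so the demo shows it reliably; nothing touches netfilter.

```c
/* Added example, not kernel code: models the check-then-register race that
 * CVE-2024-57900 describes and the mutex that serializes it.
 * Hypothetical names throughout; registration is simulated by a counter. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

#define NTHREADS 8

struct ila_ns_model {
    bool hooks_registered;   /* flag the add path checks before registering */
    int  registrations;      /* how many times registration actually ran */
    int  mappings;           /* mappings added so far */
    pthread_mutex_t lock;    /* serializes check-and-register (fixed path) */
};

/* Stand-in for nf_register_net_hooks(): meant to run at most once per
 * namespace. A second call is the defect; here it just bumps a counter. */
static void register_hooks_model(struct ila_ns_model *ns)
{
    __sync_fetch_and_add(&ns->registrations, 1);
}

/* Racy variant: unlocked check-then-act on the flag. Two callers can both
 * see "not registered" and both register. */
static void *add_mapping_racy(void *arg)
{
    struct ila_ns_model *ns = arg;

    if (!ns->hooks_registered) {
        usleep(10000);               /* demo only: widen the race window */
        register_hooks_model(ns);
        ns->hooks_registered = true;
    }
    __sync_fetch_and_add(&ns->mappings, 1);
    return NULL;
}

/* Serialized variant: the check and the registration sit in one critical
 * section, so the second caller observes the flag the first one set. */
static void *add_mapping_serialized(void *arg)
{
    struct ila_ns_model *ns = arg;

    pthread_mutex_lock(&ns->lock);
    if (!ns->hooks_registered) {
        usleep(10000);               /* same window, now harmless */
        register_hooks_model(ns);
        ns->hooks_registered = true;
    }
    pthread_mutex_unlock(&ns->lock);
    __sync_fetch_and_add(&ns->mappings, 1);
    return NULL;
}

/* Runs NTHREADS concurrent adds against a fresh namespace model and returns
 * the final state (with the mutex already destroyed). */
static struct ila_ns_model run_concurrent_adds(bool serialized)
{
    struct ila_ns_model ns = { .hooks_registered = false,
                               .registrations = 0, .mappings = 0 };
    pthread_t th[NTHREADS];
    void *(*fn)(void *) = serialized ? add_mapping_serialized
                                     : add_mapping_racy;

    pthread_mutex_init(&ns.lock, NULL);
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&th[i], NULL, fn, &ns);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(th[i], NULL);
    pthread_mutex_destroy(&ns.lock);
    return ns;
}

/* How many times registration ran; exactly 1 when serialized. */
int registrations_after_adds(bool serialized)
{
    return run_concurrent_adds(serialized).registrations;
}

/* How many mappings were added; always NTHREADS in both variants. */
int mappings_after_adds(bool serialized)
{
    return run_concurrent_adds(serialized).mappings;
}

int main(void)
{
    printf("racy:       %d registrations for %d adds\n",
           registrations_after_adds(false), mappings_after_adds(false));
    printf("serialized: %d registrations for %d adds\n",
           registrations_after_adds(true), mappings_after_adds(true));
    return 0;
}
```

Build with `cc -pthread race_demo.c` (assumed file name). The racy run usually reports several registrations for eight adds; the serialized run always reports one. The point is that the flag alone is not a guard: the check and the action have to be atomic with respect to each other, which is what the kernel fix achieves with its mutex.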

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those relying heavily on Linux-based infrastructure, including servers, cloud environments, and network appliances. Given the local attack vector, the threat is most critical in environments where untrusted users or processes have local access, such as multi-tenant cloud platforms, shared hosting providers, and enterprise internal networks. Exploitation could lead to privilege escalation, allowing attackers to gain root-level access, compromise system integrity, and disrupt availability through kernel crashes or denial of service. The impact extends to critical sectors such as finance, healthcare, telecommunications, and government, where Linux systems are prevalent. Additionally, organizations using Linux in edge computing or IoT devices may face increased exposure due to potentially weaker local access controls. The vulnerability could also be leveraged as a stepping stone for lateral movement within networks, increasing the overall risk posture of affected organizations.

Mitigation Recommendations

1. Immediate application of the official Linux kernel patch that introduces mutex serialization around nf_register_net_hooks() to prevent concurrent calls and eliminate the race condition.
2. For organizations unable to patch immediately, implement strict local access controls and monitoring to limit untrusted user or process access to vulnerable systems.
3. Employ kernel runtime security tools that can detect anomalous behavior indicative of use-after-free exploitation attempts.
4. Regularly update and audit Linux kernel versions across all systems to ensure timely application of security patches.
5. In cloud environments, enforce strict tenant isolation and minimize the attack surface by disabling unnecessary kernel modules related to ILA if not in use.
6. Conduct thorough testing in staging environments before deploying kernel updates to avoid operational disruptions.
7. Monitor security advisories and threat intelligence feeds for any emerging exploit attempts targeting this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-01-11T14:45:42.030Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9822c4522896dcbde9e9

Added to database: 5/21/2025, 9:08:50 AM

Last enriched: 7/2/2025, 10:28:42 PM

Last updated: 8/18/2025, 3:30:23 PM
