CVE-2024-57903: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: restrict SO_REUSEPORT to inet sockets

After blamed commit, crypto sockets could accidentally be destroyed from RCU call back, as spotted by syzbot [1].

Trying to acquire a mutex in RCU callback is not allowed.

Restrict SO_REUSEPORT socket option to inet sockets.

v1 of this patch supported TCP, UDP and SCTP sockets, but fcnal-test.sh test needed RAW and ICMP support.

[1]
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1
preempt_count: 100, expected: 0
RCU nest depth: 0, expected: 0
1 lock held by ksoftirqd/1/24:
 #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline]
 #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823
Preemption disabled at:
 [<ffffffff8161c8c8>] softirq_handle_begin kernel/softirq.c:402 [inline]
 [<ffffffff8161c8c8>] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 __might_resched+0x5d4/0x780 kernel/sched/core.c:8758
 __mutex_lock_common kernel/locking/mutex.c:562 [inline]
 __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735
 crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179
 aead_release+0x3d/0x50 crypto/algif_aead.c:489
 alg_do_release crypto/af_alg.c:118 [inline]
 alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502
 __sk_destruct+0x58/0x5f0 net/core/sock.c:2260
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
 run_ksoftirqd+0xca/0x130 kernel/softirq.c:950
 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
AI Analysis
Technical Summary
CVE-2024-57903 is a vulnerability identified in the Linux kernel related to the handling of the SO_REUSEPORT socket option. The issue arises because the kernel did not properly restrict the SO_REUSEPORT option to only inet sockets (TCP, UDP, SCTP), which led to unintended behavior when applied to crypto sockets. Specifically, after a certain commit, crypto sockets could be destroyed improperly from an RCU (Read-Copy-Update) callback context. This is problematic because acquiring a mutex within an RCU callback is forbidden and leads to kernel instability. The vulnerability manifests as a BUG triggered by a sleeping function being called from an invalid context, causing kernel locking issues and potential crashes. The detailed kernel stack trace shows that the problem occurs during the destruction of crypto sockets, where mutex locks are attempted in an RCU callback, violating kernel synchronization rules. The patch restricts SO_REUSEPORT usage to inet sockets only, preventing the misuse on crypto sockets and thus avoiding the problematic mutex acquisition in RCU callbacks. The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes. No known exploits are reported in the wild yet, and no CVSS score has been assigned. However, the technical details indicate a kernel-level flaw that can cause system instability or crashes due to improper locking and context violations in kernel code.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those utilizing crypto sockets or relying on advanced networking features involving SO_REUSEPORT. The impact includes potential kernel panics or system crashes, leading to denial of service (DoS) conditions. This can disrupt critical infrastructure, cloud services, and enterprise environments that depend on Linux servers for networking and cryptographic operations. Given the Linux kernel's widespread use across European data centers, cloud providers, and embedded systems, the vulnerability could affect a broad range of sectors including finance, telecommunications, government, and industrial control systems. Although no direct remote code execution or privilege escalation is indicated, the instability caused by this flaw can be exploited by attackers to degrade service availability or cause operational disruptions. The lack of known exploits suggests limited immediate threat, but the severity of kernel crashes warrants prompt attention to avoid potential exploitation or accidental system failures.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions that include the patch restricting SO_REUSEPORT to inet sockets, thereby preventing the misuse on crypto sockets. Kernel updates should be applied promptly, especially on systems handling cryptographic workloads or exposed to untrusted network traffic. System administrators should audit their environments to identify vulnerable kernel versions using the provided commit hashes and verify if the patch is present. For environments where immediate kernel updates are not feasible, consider isolating or limiting the use of crypto sockets and SO_REUSEPORT socket options to trusted applications only. Monitoring kernel logs for BUG messages related to mutex locking or RCU callbacks can help detect attempts to trigger the vulnerability. Additionally, testing critical systems under controlled conditions after patching is recommended to ensure stability. Organizations should also maintain robust backup and recovery procedures to mitigate potential downtime caused by kernel crashes. Collaboration with Linux distribution vendors to receive timely security updates is essential for ongoing protection.
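The log monitoring recommended above can be narrowed to this specific report. The Python sketch below is an added example, not part of the advisory or the kernel patch: it flags "sleeping function called from invalid context" reports whose call trace passes through alg_sock_destruct, __sk_destruct and rcu_do_batch, the frames shown in the trace quoted in the description. The sample log is constructed, and example_driver_work is an invented function name.

```python
import re

BUG_MARKER = "BUG: sleeping function called from invalid context"
# Frames from the call trace in the CVE description, innermost first:
# an AF_ALG socket destructor reached from the RCU callback batch.
SIGNATURE = ("alg_sock_destruct", "__sk_destruct", "rcu_do_batch")
# Optional journald prefix ("... kernel: ") and dmesg timestamp ("[  1.23] ").
PREFIX_RE = re.compile(r"^(?:.*? kernel: )?(?:\[\s*\d+\.\d+\]\s*)?")
# "func+0xoff/0xlen file.c:123" or "func file.c:123 [inline]"
FRAME_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+\S+:\d+")

# Constructed sample: report 1 is abbreviated from the trace quoted in the
# description (timestamps added); report 2 is an invented, unrelated report.
SAMPLE_LOG = """\
[  101.000001] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562
[  101.000002] Call Trace:
[  101.000003]  aead_release+0x3d/0x50 crypto/algif_aead.c:489
[  101.000004]  alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502
[  101.000005]  __sk_destruct+0x58/0x5f0 net/core/sock.c:2260
[  101.000006]  rcu_do_batch kernel/rcu/tree.c:2567 [inline]
[  101.000007]  </TASK>
[  202.000001] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562
[  202.000002]  __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735
[  202.000003]  example_driver_work+0x10/0x40 drivers/example/example.c:10
[  202.000004]  </TASK>
"""

def split_reports(log_text):
    """Group lines into reports: BUG marker line through the closing </TASK>."""
    reports, current = [], None
    for raw in log_text.splitlines():
        line = PREFIX_RE.sub("", raw, count=1)
        if BUG_MARKER in line:
            current = [line]
            reports.append(current)
        elif current is not None:
            current.append(line)
            if "</TASK>" in line:
                current = None
    return reports

def matches_cve_2024_57903(report):
    """True if the SIGNATURE frames occur, in order, in the report's call trace."""
    names = iter(m.group(1) for m in map(FRAME_RE.match, report) if m)
    # "want in names" consumes the iterator, so this is an ordered-subsequence test.
    return all(want in names for want in SIGNATURE)

def scan(log_text):
    """Return the BUG header line of every report matching the signature."""
    return [r[0] for r in split_reports(log_text) if matches_cve_2024_57903(r)]
```

Feed it the text of `dmesg` or `journalctl -k`; a non-empty result from scan() means the kernel logged the report described in this CVE.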
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T14:45:42.031Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd1e3
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 10:56:25 PM
Last updated: 8/4/2025, 6:58:06 AM