CVE-2024-57974: Vulnerability in the Linux kernel

Medium
Published: Thu Feb 27 2025 (02/27/2025, 02:07:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: Deal with race between UDP socket address change and rehash

If a UDP socket changes its local address while it's receiving datagrams, as a result of connect(), there is a period during which a lookup operation might fail to find it, after the address is changed but before the secondary hash (port and address) and the four-tuple hash (local and remote ports and addresses) are updated.

Secondary hash chains were introduced by commit 30fff9231fad ("udp: bind() optimisation") and, as a result, a rehash operation became needed to make a bound socket reachable again after a connect().

This operation was introduced by commit 719f835853a9 ("udp: add rehash on connect()") which isn't however a complete fix: the socket will be found once the rehashing completes, but not while it's pending.

This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a client sending datagrams to it. After the server receives the first datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to the address of the sender, in order to set up a directed flow.

Now, if the client, running on a different CPU thread, happens to send a (subsequent) datagram while the server's socket changes its address, but is not rehashed yet, this will result in a failed lookup and a port unreachable error delivered to the client, as apparent from the following reproducer:

    LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))
    dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in

    while :; do
        taskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &
        sleep 0.1 || sleep 1
        taskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null
        wait
    done

where the client will eventually get ECONNREFUSED on a write() (typically the second or third one of a given iteration):

    2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused

This issue was first observed as a seldom failure in Podman's tests checking UDP functionality while using pasta(1) to connect the container's network namespace, which leads us to a reproducer with the lookup error resulting in an ICMP packet on a tap device:

    LOCAL_ADDR="$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == "global").local')"

    while :; do
        ./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &
        sleep 0.2 || sleep 1
        socat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null
        wait
        cmp tmp.in tmp.out
    done

Once this fails:

    tmp.in tmp.out differ: char 8193, line 29

we can finally have a look at what's going on:

    $ tshark -r pasta.pcap
        1   0.000000                ::  → ff02::16          ICMPv6 110 Multicast Listener Report Message v2
        2   0.168690      88.198.0.161 → 88.198.0.164      UDP 8234 60260 → 1337 Len=8192
        3   0.168767      88.198.0.161 → 88.198.0.164      UDP 8234 60260 → 1337 Len=8192
        4   0.168806      88.198.0.161 → 88.198.0.164      UDP 8234 60260 → 1337 Len=8192
        5   0.168827 c6:47:05:8d:dc:04 → Broadcast         ARP 42 Who has 88.198.0.161? Tell 88.198.0.164
        6   0.168851 9a:55:9a:55:9a:55 → c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55
        7   0.168875      88.198.0.161 → 88.198.0.164      UDP 8234 60260 → 1337 Len=8192
        8   0.168896      88.198.0.164 → 88.198.0.161      ICMP 590 Destination unreachable (Port unreachable)
        9   0.168926      88.198.0.161 → 88.198.0.164      UDP 8234 60260 → 1337 Len=8192
       10   0.168959      88.198.0.161 → 88.198.0.164      UDP 8234 60260 → 1337 Len=8192
       11   0.168989      88.198.0.161 → 88.198.0.164      UDP 4138 60260 → 1337 Len=4096
       12   0.169010      88.198.0.161 → 88.198.0.164      UDP 42 60260 → 1337 Len=0

On the third datagram received, the network namespace of the container initiates an ARP lookup to deliver the ICMP message.

In another variant of this reproducer, starting the client with:

    strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru ---truncated---

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 09:25:52 UTC

Technical Analysis

CVE-2024-57974 is a vulnerability in the Linux kernel's UDP socket handling. The issue is a race between changing a UDP socket's local address via connect() and the subsequent rehash that updates the internal hash tables used for socket lookup. When a UDP socket changes its local address while it is receiving datagrams, there is a window during which lookups fail because the secondary hash (port and address) and the four-tuple hash (local and remote ports and addresses) have not yet been updated, so the socket is temporarily unreachable. A datagram arriving in that window finds no socket, and the kernel answers the sender with an ICMP 'port unreachable' message. This behaviour was observed with a socat UDP4-LISTEN server and a client sending datagrams concurrently from a different CPU thread, and was first detected in Podman container network namespace tests, where UDP functionality failed intermittently. The root cause lies in the Linux kernel commits cited in the description (30fff9231fad, which introduced secondary hash chains to optimise UDP bind(), and 719f835853a9, which added rehash on connect()): the rehash on connect() is incomplete in that it does not prevent lookup failures while the rehash is still pending. No exploits in the wild are known, but the race can cause intermittent UDP communication failures and ICMP port unreachable errors, disrupting applications that rely on UDP sockets, especially those that use connect() to set up directed flows. No CVSS score had been assigned to this vulnerability as of the published date.

Potential Impact

For European organizations, the impact of CVE-2024-57974 primarily concerns the reliability and availability of UDP-based network services running on Linux systems. UDP underpins DNS, VoIP, streaming media, gaming and communication between containerized microservices. The race condition that makes a socket temporarily unreachable can cause intermittent communication failures, degraded service quality or application errors. In containerized environments, common in European enterprises adopting cloud-native architectures, it can produce sporadic network disruptions affecting container networking and orchestration tools such as Podman. The vulnerability does not directly lead to data breaches or privilege escalation, but the resulting loss of UDP datagrams could affect critical infrastructure services, real-time communications and operational continuity. Organizations relying on UDP for internal or external services may face harder troubleshooting and potential service-level agreement (SLA) violations. Because no authentication or user interaction is involved, the issue can occur under normal operating conditions, especially in the multi-threaded, multi-CPU environments common on modern servers.

Mitigation Recommendations

To mitigate the effects of CVE-2024-57974, European organizations should:

1) Apply the Linux kernel patches that address this race condition as soon as they are available from trusted distributions or upstream sources.
2) Monitor UDP-based services for signs of intermittent connectivity problems or ICMP port unreachable messages, especially in containerized or multi-threaded environments.
3) Where possible, avoid relying on connect() on UDP sockets in high-concurrency scenarios until patched, or implement application-level retries and error handling so that applications recover from the transient failure (on a connected UDP socket the ICMP error surfaces as ECONNREFUSED on a later write()).
4) Consider isolating critical UDP services on dedicated CPU cores or network namespaces to reduce concurrency-induced race conditions.
5) Employ network monitoring tools capable of detecting abnormal ICMP traffic patterns that may indicate this issue.
6) For containerized deployments, ensure container runtimes and networking plugins are updated to versions that include fixes or workarounds for this vulnerability.
7) Engage with Linux vendor support channels to obtain backported patches when running long-term support kernels.

These steps go beyond generic advice by focusing on operational practices and environment-specific configurations that reduce the likelihood and impact of the race condition.
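The application-level retry from item 3, as an added example that is not code from the kernel commit or from this advisory: on a connected UDP socket, the ICMP port unreachable produced during the rehash window is reported as ECONNREFUSED on the client's next send(), which is exactly what the socat error above shows. The wrapper below retries that one error with a short pause and re-raises everything else; the function names and the injectable `send` callable are this example's own.

```python
import errno
import socket
import time


def send_with_retry(send, payload, retries=3, delay=0.01):
    """Call send(payload), retrying only on ECONNREFUSED.

    `send` is any callable returning a byte count; for a real socket pass
    `sock.send`. Returns (bytes_sent, attempts). Any other OSError, or a
    refusal that persists past `retries` attempts, is re-raised.

    Caveat: the kernel reports the queued ICMP error on the *next* send,
    so the datagram that actually hit the rehash window was already lost.
    Retrying keeps the flow alive; it does not replace application-level
    acknowledgements where every datagram matters.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            return send(payload), attempts
        except OSError as exc:
            if exc.errno != errno.ECONNREFUSED or attempts > retries:
                raise
            # Transient: the server socket is rehashed shortly after its
            # connect(), so a brief pause is normally enough.
            time.sleep(delay)


def make_udp_client(host, port):
    """Connected UDP socket, like the socat client in the reproducer.

    Connecting is what makes ICMP errors visible as ECONNREFUSED; an
    unconnected socket silently drops them.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.connect((host, port))
    return sock


if __name__ == "__main__":
    # Constructed demo target; replace with a real listener to try it live.
    client = make_udp_client("127.0.0.1", 1337)
    try:
        print(send_with_retry(client.send, b"x" * 8192))
    finally:
        client.close()
```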


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2025-02-27T02:04:28.912Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9823c4522896dcbdeb67

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 6/28/2025, 9:25:52 AM

Last updated: 8/12/2025, 4:02:51 PM
