CVE-2024-57982: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.
AI Analysis
Technical Summary
CVE-2024-57982 is a vulnerability identified in the Linux kernel's xfrm (IPsec) subsystem, specifically related to the state lookup mechanism. The issue arises due to a race condition between concurrent lookup and resize operations on the xfrm state hash table. The vulnerability is caused by the hash functions potentially observing an inconsistent or out-of-bounds hmask value when accessing the hash list array during state lookups. This happens because the update to the state_bydst pointer and the state_hmask value are not properly synchronized, allowing the lookup function to read a hash mask that is too large for the current hash list array. The root cause is that the existing synchronization mechanism, the xfrm_state_hash_generation seqlock, ensures retries but does not prevent the hash functions from temporarily accessing invalid memory regions. The fix involves prefetching the state_hmask and associated pointers to ensure consistency, and adding lockdep assertions to clarify that certain helper functions are unsafe for Read-Copy-Update (RCU) side operations. Additionally, the xfrm_state_lookup_byaddr() function currently uses a spinlock instead of RCU, which is considered an oversight and is planned to be corrected in future patches. This vulnerability could lead to out-of-bounds memory reads during state lookups, potentially causing kernel crashes or information disclosure. However, no known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels that include the vulnerable xfrm IPsec implementation. Since IPsec is widely used for secure communications, including VPNs and encrypted tunnels, exploitation could disrupt secure network communications or lead to kernel crashes, resulting in denial of service. In environments where sensitive data is transmitted over IPsec tunnels, an out-of-bounds read could potentially be leveraged for information disclosure, although exploitation complexity is moderate due to the need for concurrent operations and kernel-level access. Critical infrastructure, financial institutions, and enterprises relying on Linux-based VPN gateways or routers could experience service interruptions or data exposure. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent future attacks, especially given the strategic importance of secure communications in European digital infrastructure.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the latest patched version that addresses CVE-2024-57982. Specifically, kernel maintainers have implemented prefetching of state_hmask and associated pointers to ensure consistency during concurrent lookups and resizes. Organizations should audit their use of IPsec and xfrm subsystems to identify affected systems, particularly VPN gateways, routers, and firewalls running Linux. Where immediate patching is not feasible, applying kernel-level mitigations such as disabling or limiting concurrent state resize operations or restricting access to IPsec configuration interfaces can reduce exposure. Additionally, monitoring kernel logs for unusual crashes or memory access errors related to xfrm state lookups can help detect exploitation attempts. Network segmentation and strict access controls to Linux systems handling IPsec traffic further reduce risk. Finally, organizations should track Linux kernel updates and security advisories to apply future fixes, including the planned replacement of spinlocks with RCU in xfrm_state_lookup_byaddr().
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2024-57982: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.
AI-Powered Analysis
Technical Analysis
CVE-2024-57982 is a vulnerability identified in the Linux kernel's xfrm (IPsec) subsystem, specifically related to the state lookup mechanism. The issue arises due to a race condition between concurrent lookup and resize operations on the xfrm state hash table. The vulnerability is caused by the hash functions potentially observing an inconsistent or out-of-bounds hmask value when accessing the hash list array during state lookups. This happens because the update to the state_bydst pointer and the state_hmask value are not properly synchronized, allowing the lookup function to read a hash mask that is too large for the current hash list array. The root cause is that the existing synchronization mechanism, the xfrm_state_hash_generation seqlock, ensures retries but does not prevent the hash functions from temporarily accessing invalid memory regions. The fix involves prefetching the state_hmask and associated pointers to ensure consistency, and adding lockdep assertions to clarify that certain helper functions are unsafe for Read-Copy-Update (RCU) side operations. Additionally, the xfrm_state_lookup_byaddr() function currently uses a spinlock instead of RCU, which is considered an oversight and is planned to be corrected in future patches. This vulnerability could lead to out-of-bounds memory reads during state lookups, potentially causing kernel crashes or information disclosure. However, no known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels that include the vulnerable xfrm IPsec implementation. Since IPsec is widely used for secure communications, including VPNs and encrypted tunnels, exploitation could disrupt secure network communications or lead to kernel crashes, resulting in denial of service. In environments where sensitive data is transmitted over IPsec tunnels, an out-of-bounds read could potentially be leveraged for information disclosure, although exploitation complexity is moderate due to the need for concurrent operations and kernel-level access. Critical infrastructure, financial institutions, and enterprises relying on Linux-based VPN gateways or routers could experience service interruptions or data exposure. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent future attacks, especially given the strategic importance of secure communications in European digital infrastructure.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the latest patched version that addresses CVE-2024-57982. Specifically, kernel maintainers have implemented prefetching of state_hmask and associated pointers to ensure consistency during concurrent lookups and resizes. Organizations should audit their use of IPsec and xfrm subsystems to identify affected systems, particularly VPN gateways, routers, and firewalls running Linux. Where immediate patching is not feasible, applying kernel-level mitigations such as disabling or limiting concurrent state resize operations or restricting access to IPsec configuration interfaces can reduce exposure. Additionally, monitoring kernel logs for unusual crashes or memory access errors related to xfrm state lookups can help detect exploitation attempts. Network segmentation and strict access controls to Linux systems handling IPsec traffic further reduce risk. Finally, organizations should track Linux kernel updates and security advisories to apply future fixes, including the planned replacement of spinlocks with RCU in xfrm_state_lookup_byaddr().
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-27T02:04:28.913Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9823c4522896dcbdebb2
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 9:39:42 AM
Last updated: 8/20/2025, 3:30:06 AM
Views: 23
Related Threats
CVE-2025-9356: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-9355: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-43761: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
MediumCVE-2025-24902: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CriticalCVE-2025-52451: CWE-20 Improper Input Validation in Salesforce Tableau Server
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.