CVE-2024-57994: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple()

Jakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page() to increase test coverage.

syzbot found a splat caused by hard irq blocking in ptr_ring_resize_multiple() [1]

As current users of ptr_ring_resize_multiple() do not require hard irqs being masked, replace it to only block BH.

Rename helpers to better reflect they are safe against BH only.

- ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh()
- skb_array_resize_multiple() to skb_array_resize_multiple_bh()

[1]
WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline]
WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780
Modules linked in:
CPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline]
RIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780
Code: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85
RSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083
RAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843
RBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d
R10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040
R13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff
FS: 00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa15a0d4b72 CR3: 00000000561b0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 tun_ptr_free drivers/net/tun.c:617 [inline]
 __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline]
 ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline]
 tun_queue_resize drivers/net/tun.c:3694 [inline]
 tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714
 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
 call_netdevice_notifiers net/core/dev.c:2046 [inline]
 dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024
 do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923
 rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201
 rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
AI Analysis
Technical Summary
CVE-2024-57994 is a vulnerability in the Linux kernel's ptr_ring code, which manages ring buffers used by kernel networking components. The function ptr_ring_resize_multiple() blocked hard interrupts (hard IRQs) during its execution, although its current users do not require hard IRQ masking. syzbot, an automated kernel fuzzer, detected this when it triggered a kernel warning (splat) caused by hard IRQ blocking in ptr_ring_resize_multiple().

The fix changes the code to block only bottom halves (BH) instead of hard IRQs, and renames the helpers to reflect this: ptr_ring_resize_multiple() becomes ptr_ring_resize_multiple_bh() and skb_array_resize_multiple() becomes skb_array_resize_multiple_bh(). The warning itself fires in __page_pool_put_page() in net/core/page_pool.c, where the lockdep_assert_no_hardirq() check runs while ptr_ring_resize_multiple() has hard IRQs blocked. In the logged call trace the path is reached through the tun driver (a virtual network device): tun_queue_resize() calls the resize helper, which calls tun_ptr_free().

The kernel warning logs indicate that the issue could lead to kernel crashes during network device operations, such as those involving the tun driver. The root cause is related to improper interrupt handling during memory page pool operations in the networking stack, which can cause system instability or denial of service (DoS) conditions. No known exploits are currently reported in the wild, and the vulnerability does not have an assigned CVSS score yet. The affected Linux kernel versions include recent development releases around version 6.11.0-rc3, indicating this is a recent discovery in the kernel's networking subsystem.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those utilizing advanced networking features such as virtual network interfaces (e.g., tun/tap devices) common in cloud, virtualization, and container environments. The improper blocking of hard interrupts can lead to kernel panics, causing system crashes and denial of service. This can disrupt critical network services, impacting availability and operational continuity. Organizations relying on Linux-based infrastructure for networking, cloud services, or edge computing could experience outages or degraded performance. While there is no indication of direct privilege escalation or data confidentiality breaches, the instability caused by this vulnerability could be exploited in targeted denial-of-service attacks against critical infrastructure. Given the widespread use of Linux in European data centers, telecom networks, and government systems, the impact could be significant if unpatched systems are exposed to crafted workloads or fuzzing attempts. The lack of known exploits reduces immediate risk, but the vulnerability's presence in kernel networking code suggests that attackers with local access or the ability to send crafted network traffic might trigger system crashes.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2024-57994. This involves applying the patch that replaces hard IRQ blocking with bottom half blocking in ptr_ring_resize_multiple() and related functions. Systems running development or release candidate kernels around version 6.11.0-rc3 should be upgraded to stable releases containing the fix. Network administrators should audit systems using tun/tap devices or other virtual network interfaces and ensure they are running patched kernels. Additionally, organizations should implement kernel crash monitoring and alerting to detect any unexpected panics related to networking operations. For environments where immediate patching is not feasible, restricting untrusted local user access and limiting exposure of vulnerable network interfaces can reduce exploitation risk. Employing kernel lockdown features and hardened configurations to minimize attack surface is recommended. Finally, maintain vigilance for any emerging exploit reports or updates from Linux kernel security advisories to respond promptly.
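A starting point for the crash monitoring recommended above, as an added example that is not part of the original advisory or the kernel project: it parses dmesg-style text, groups each WARNING with its call-trace frames, and flags warnings raised in net/core/page_pool.c through the unrenamed resize helpers. The function names, the dmesg-style input format and the unrelated sample are assumptions of this example; the first sample is an excerpt of the splat quoted in the description.

```python
import re

# Excerpt of the splat quoted in the CVE description, one kernel log record per line.
SAMPLE_SPLAT = """\
WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780
Call Trace:
 <TASK>
 tun_ptr_free drivers/net/tun.c:617 [inline]
 __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline]
 ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline]
 tun_queue_resize drivers/net/tun.c:3694 [inline]
 tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714
 dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024
"""

# Constructed, unrelated warning used to show the detector does not over-match.
UNRELATED_SPLAT = "WARNING: CPU: 0 PID: 42 at fs/example.c:10 example_fn+0x10/0x20\nCall Trace:\n example_caller+0x5/0x10\n"

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # optional dmesg timestamp prefix
WARN_RE = re.compile(r"^WARNING: CPU: \d+ PID: \d+ at (?P<file>\S+):(?P<line>\d+) (?P<func>[A-Za-z_][\w.]*)")
FRAME_RE = re.compile(r"^\s*(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s|$)")
# Pre-fix helper names from the description; the renamed *_bh variants are excluded.
RESIZE_RE = re.compile(r"^(?:ptr_ring|skb_array)_resize_multiple(?!_bh)")

def parse_splats(log_text):
    """Group each WARNING record with the function names of its call trace."""
    splats, current, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw)
        m = WARN_RE.match(line)
        if m:
            current = {"file": m["file"], "line": int(m["line"]), "func": m["func"], "frames": []}
            splats.append(current)
            in_trace = False
        elif current is None:
            continue
        elif line.strip() == "Call Trace:":
            in_trace = True
        elif line.strip() == "</TASK>":
            in_trace = False
        elif in_trace and (f := FRAME_RE.match(line)):
            current["frames"].append(f["func"])
    return splats

def find_hits(log_text):
    """Return warnings in net/core/page_pool.c reached via the pre-fix resize helpers."""
    return [s for s in parse_splats(log_text)
            if s["file"] == "net/core/page_pool.c" and any(RESIZE_RE.match(fn) for fn in s["frames"])]
```

Feed it the output of `dmesg` or a saved kernel log; a non-empty result from `find_hits()` identifies a host that is still running the unrenamed helpers and has hit the warning.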
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-27T02:04:28.914Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdec22
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 9:41:35 AM
Last updated: 8/1/2025, 1:16:57 AM