CVE-2024-58060: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n. In particular, the report is on tcp_congestion_ops that has a "struct module *owner" member.

For struct_ops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpf_struct_ops. bpf_try_module_get() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIG_MODULES=n, the btf_id of the "struct module" is missing:

WARN: resolve_btfids: unresolved symbol module

Thus, the bpf_try_module_get() cannot do the correct refcounting.

Not all subsystem's struct_ops requires the "struct module *owner" member. e.g. the recent sched_ext_ops.

This patch is to disable bpf_struct_ops registration if the struct_ops has the "struct module *" member and the "struct module" btf_id is missing. The btf_type_is_fwd() helper is moved to the btf.h header file for this test.

This has happened since the beginning of bpf_struct_ops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also.
AI Analysis
Technical Summary
CVE-2024-58060 is a high-severity use-after-free (UAF) vulnerability in the Berkeley Packet Filter (BPF) subsystem of the Linux kernel. It concerns the registration of bpf_struct_ops when kernel modules are disabled (CONFIG_MODULES=n).

The issue centers on the handling of the "struct module *owner" member within struct_ops such as tcp_congestion_ops. A struct_ops with this member can be implemented either by a regular kernel module or by bpf_struct_ops, and bpf_try_module_get() does the reference counting differently depending on the owner pointer, which prevents premature freeing. When CONFIG_MODULES is disabled, the BPF Type Format (BTF) ID for "struct module" is missing (resolve_btfids warns "unresolved symbol module"), so bpf_try_module_get() cannot perform the reference counting correctly. The result is a use-after-free.

The vulnerability has existed since the inception of bpf_struct_ops. It is fixed by a patch that disables bpf_struct_ops registration if the struct_ops contains a "struct module *" member and the corresponding BTF ID is missing, which closes the unsafe registration path that leads to the UAF. The vulnerability affects Linux kernel versions identified by the given commit hashes and is relevant primarily in configurations where kernel modules are disabled, which is uncommon.

The CVSS 3.1 score is 7.8 (high), reflecting the local attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild yet. This vulnerability is categorized under CWE-416 (Use After Free).
Potential Impact
For European organizations, the impact of CVE-2024-58060 depends largely on their Linux deployment configurations. Systems running Linux kernels with CONFIG_MODULES disabled are vulnerable to a use-after-free condition that can be exploited by local attackers with limited privileges to escalate privileges or cause denial of service. Although the attack vector is local, the high impact on confidentiality, integrity, and availability means that successful exploitation could lead to full system compromise, data leakage, or disruption of critical services. This is particularly concerning for organizations operating critical infrastructure, telecommunications, or cloud services that rely on hardened Linux environments with modules disabled for security or compliance reasons. The vulnerability could also affect embedded Linux devices or specialized appliances common in industrial control systems or network equipment used in Europe. Since the vulnerability affects the BPF subsystem, which is widely used for networking and tracing, exploitation could undermine network security monitoring or traffic control mechanisms. However, the rarity of the CONFIG_MODULES=n configuration in typical enterprise Linux distributions somewhat limits the exposure. Nonetheless, organizations with custom or minimal Linux builds should assess their risk carefully.
Mitigation Recommendations
European organizations should first identify Linux systems running kernels with CONFIG_MODULES disabled, as these are the primary vulnerable targets. They should apply the latest Linux kernel patches that include the fix disabling unsafe bpf_struct_ops registration in these configurations. If patching is not immediately feasible, organizations should consider enabling kernel modules (CONFIG_MODULES=y) if operationally acceptable, as this mitigates the vulnerability by restoring proper module reference counting. Additionally, restricting local user access and enforcing strict privilege separation can reduce the risk of exploitation. Monitoring kernel logs for WARN messages related to unresolved BTF symbols may help detect attempts to trigger the vulnerability. For embedded or specialized devices, vendors should be engaged to provide updated firmware or kernel versions. Network segmentation and limiting access to critical Linux hosts can further reduce attack surface. Finally, organizations should maintain robust incident detection capabilities to identify potential exploitation attempts early.
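One way to carry out the first step above (finding kernels built with CONFIG_MODULES disabled), as an added example that is not part of the original advisory. The function names and result labels are this example's own, treating CONFIG_BPF_SYSCALL as a prerequisite is an assumption beyond the advisory text, and a result of `review` means the kernel still has to be checked for the fix.

```shell
#!/bin/sh
# Added example: triage a kernel build config for CVE-2024-58060 exposure.
# Function names and result labels are this example's own.

# cfg_value FILE SYMBOL: print the symbol's value; "n" if unset or absent
# (Kconfig writes disabled symbols as "# CONFIG_X is not set").
cfg_value() {
    case "$1" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    $reader "$1" 2>/dev/null | awk -v sym="$2" '
        index($0, sym "=") == 1 { v = substr($0, length(sym) + 2) }
        END { print (v == "" ? "n" : v) }'
}

# classify_config FILE: unknown | modules-enabled | no-bpf-syscall | review
classify_config() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if [ "$(cfg_value "$1" CONFIG_MODULES)" = y ]; then
        echo modules-enabled      # not the configuration the advisory describes
    elif [ "$(cfg_value "$1" CONFIG_BPF_SYSCALL)" != y ]; then
        echo no-bpf-syscall       # assumption: no bpf(2), no struct_ops registration
    else
        echo review               # CONFIG_MODULES=n with BPF: confirm the fix is applied
    fi
}

# running_config: print the path of the running kernel's config, if exposed.
running_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

if [ "$#" -gt 0 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(classify_config "$f")"; done
elif cfg=$(running_config); then
    printf '%s: %s\n' "$cfg" "$(classify_config "$cfg")"
else
    # No config exposed on this host: classify a constructed sample instead.
    tmp=$(mktemp)
    printf '%s\n' '# CONFIG_MODULES is not set' 'CONFIG_BPF_SYSCALL=y' > "$tmp"
    printf 'constructed sample: %s\n' "$(classify_config "$tmp")"
    rm -f "$tmp"
fi
```

Pass one or more config files (plain or gzip-compressed, for example extracted from firmware images) as arguments to classify builds other than the running kernel.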
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-03-06T15:52:09.179Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde25d
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 7/2/2025, 9:57:29 PM
Last updated: 7/31/2025, 8:18:49 AM