CVE-2024-58088: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix deadlock when freeing cgroup storage

The following commit bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]") first introduced deadlock prevention for fentry/fexit programs attaching on bpf_task_storage helpers. That commit also employed the logic in the map free path in its v6 version.

Later, bpf_cgrp_storage was first introduced in c4bcfb38a95e ("bpf: Implement cgroup storage available to non-cgroup-attached bpf progs"), which faces the same issue as bpf_task_storage: instead of its busy counter, NULL was passed to bpf_local_storage_map_free(), which opened a window to cause deadlock:

<TASK>
(acquiring local_storage->lock)
_raw_spin_lock_irqsave+0x3d/0x50
bpf_local_storage_update+0xd1/0x460
bpf_cgrp_storage_get+0x109/0x130
bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170
? __bpf_prog_enter_recur+0x16/0x80
bpf_trampoline_6442485186+0x43/0xa4
cgroup_storage_ptr+0x9/0x20
(holding local_storage->lock)
bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160
bpf_selem_unlink_storage+0x6f/0x110
bpf_local_storage_map_free+0xa2/0x110
bpf_map_free_deferred+0x5b/0x90
process_one_work+0x17c/0x390
worker_thread+0x251/0x360
kthread+0xd2/0x100
ret_from_fork+0x34/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>

Progs:
- A: SEC("fentry/cgroup_storage_ptr")
  - cgid (BPF_MAP_TYPE_HASH)
    Record the id of the cgroup the current task belongs to in this hash map, using the address of the cgroup as the map key.
  - cgrpa (BPF_MAP_TYPE_CGRP_STORAGE)
    If the current task is a kworker, look up the above hash map using function parameter @owner as the key to get its corresponding cgroup id, which is then used to get a trusted pointer to the cgroup through bpf_cgroup_from_id(). This trusted pointer can then be passed to bpf_cgrp_storage_get() to finally trigger the deadlock issue.
- B: SEC("tp_btf/sys_enter")
  - cgrpb (BPF_MAP_TYPE_CGRP_STORAGE)
    The only purpose of this prog is to fill Prog A's hash map by calling bpf_cgrp_storage_get() for as many userspace tasks as possible.

Steps to reproduce:
- Run A;
- while (true) { Run B; Destroy B; }

Fix this issue by passing its busy counter to the free procedure so it can be properly incremented before storage/smap locking.
AI Analysis
Technical Summary
CVE-2024-58088 is a vulnerability in the Linux kernel's BPF subsystem, specifically in the management of cgroup local storage (BPF_MAP_TYPE_CGRP_STORAGE). The issue is a deadlock that can occur while a cgroup storage map is being freed. An earlier commit (bc235cdb423a) introduced deadlock prevention for fentry/fexit programs that call the bpf_task_storage helpers: a busy counter lets a helper detect that it is re-entering the storage code and back off instead of taking a lock its caller already holds, and the same commit applied that counter on the map free path. When cgroup storage (bpf_cgrp_storage) was introduced later in commit c4bcfb38a95e, it reused the shared local-storage code but passed NULL instead of its own busy counter to bpf_local_storage_map_free(). The free path therefore took local_storage->lock without marking the CPU busy, so an fentry program attached to cgroup_storage_ptr(), which the free path calls while holding that lock, could call bpf_cgrp_storage_get() and try to acquire the same lock again, hanging the kworker that was freeing the map. In the reproducer, Prog A attaches to cgroup_storage_ptr() and calls bpf_cgrp_storage_get() on the cgroup being freed, while Prog B is loaded and destroyed in a loop so that its cgroup storage map is freed repeatedly. Every kernel containing commit c4bcfb38a95e is affected. The fix passes the map's busy counter to the free procedure so that it is incremented before the storage and map locks are taken. This matters because BPF is widely used for performance monitoring, security enforcement, and networking in Linux environments, and cgroup storage is the mechanism that associates per-cgroup data with such programs; triggering the deadlock produces a kernel hang, that is, a denial of service affecting system availability. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
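The busy-counter guard that the commit message and the summary above describe, as a small C model added here (it is not kernel code): storage_helper() stands in for bpf_cgrp_storage_get() firing from the fentry program, and map_free() with a NULL counter is the buggy call while map_free() with the map's own counter is the fixed one. The struct, function names and return codes are the model's assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the guard described above, not kernel code: "busy"
 * stands in for the per-map bpf_*_storage_busy counter, "locked" for
 * local_storage->lock, and the return codes are the model's own. */
enum { RET_OK = 0, RET_BUSY = -1, RET_DEADLOCK = -2 };
struct local_storage { bool locked; int busy; };

/* Models bpf_cgrp_storage_trylock(): claim the counter, or refuse if this
 * CPU already holds it, i.e. the caller is re-entering the storage code. */
static bool storage_trylock(int *busy)
{
    if (++(*busy) == 1)
        return true;
    --(*busy);
    return false;
}

/* Models bpf_cgrp_storage_get() invoked from an fentry program. Where a real
 * spinlock would spin forever on a lock held up its own call chain, the
 * model returns RET_DEADLOCK instead (and stops; state is not unwound). */
static int storage_helper(struct local_storage *ls)
{
    if (!storage_trylock(&ls->busy))
        return RET_BUSY;          /* guard worked: helper backs off */
    if (ls->locked)
        return RET_DEADLOCK;      /* lock already held by our caller */
    ls->locked = true;
    /* ... update the storage element ... */
    ls->locked = false;
    --ls->busy;                   /* the matching unlock */
    return RET_OK;
}

/* Models bpf_local_storage_map_free(): busy_counter == NULL is the buggy
 * call the commit message describes, &ls->busy the fixed one. */
static int map_free(struct local_storage *ls, int *busy_counter)
{
    int rc;
    if (busy_counter)
        ++(*busy_counter);        /* fix: mark busy before taking the lock */
    ls->locked = true;            /* unlink elements under the lock... */
    rc = storage_helper(ls);      /* ...while a traced callee fires the prog */
    ls->locked = false;
    if (busy_counter)
        --(*busy_counter);
    return rc;
}
```

With the counter passed in, the re-entrant helper sees busy != 1 and returns RET_BUSY, which is the -EBUSY the real helper reports instead of spinning.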
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with BPF cgroup storage enabled and in use. Many enterprises, cloud providers, and service operators in Europe rely heavily on Linux for servers, container orchestration (e.g., Kubernetes), and network functions where BPF programs are common. A deadlock in the kernel can cause system hangs or crashes, leading to denial of service (DoS) conditions. This can disrupt critical services, including web hosting, cloud infrastructure, telecommunications, and industrial control systems. The impact is particularly relevant for organizations using advanced BPF-based monitoring, security, or networking tools that utilize cgroup storage. While the vulnerability does not appear to allow privilege escalation or data leakage directly, the availability impact can be severe in high-availability environments. Additionally, the complexity of the exploit scenario (requiring specific BPF programs running in a loop) may limit widespread exploitation but does not eliminate risk in targeted attacks or misconfigurations. Systems running containerized workloads or multi-tenant environments are at higher risk due to frequent use of cgroups and BPF for resource and security management.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2024-58088. Since every kernel containing commit c4bcfb38a95e is affected, applying the latest stable kernel releases or vendor-provided patches that address this issue is critical. Organizations using custom or long-term support kernels should monitor vendor advisories and backport the patch as needed. Additionally, administrators should audit the BPF programs deployed in their environments, especially those using cgroup storage helpers, to determine whether they could trigger the deadlock. Limiting or controlling the deployment of BPF programs that repeatedly create and destroy cgroup storage maps can reduce risk. Runtime monitoring for kernel hangs (for example, hung-task or soft-lockup reports involving bpf_local_storage_map_free) or unusual BPF program load and unload activity may help detect attempts to trigger this vulnerability. For container orchestration platforms, ensure that node kernels are patched and that BPF programs deployed by monitoring or security tools are updated accordingly. Finally, consider isolating critical workloads on patched systems and avoid running untrusted BPF programs that could trigger the deadlock.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-03-06T15:52:09.187Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 6:10:17 AM
Last updated: 8/14/2025, 8:18:41 AM