CVE-2024-58100: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

bpf: check changes_pkt_data property for extension programs

When processing calls to global sub-programs, verifier decides whether to invalidate all packet pointers in current state depending on the changes_pkt_data property of the global sub-program.

Because of this, an extension program replacing a global sub-program must be compatible with changes_pkt_data property of the sub-program being replaced.

This commit:
- adds changes_pkt_data flag to struct bpf_prog_aux:
  - this flag is set in check_cfg() for main sub-program;
  - in jit_subprogs() for other sub-programs;
- modifies bpf_check_attach_btf_id() to check changes_pkt_data flag;
- moves call to check_attach_btf_id() after the call to check_cfg(), because it needs changes_pkt_data flag to be set:

    bpf_check:
      ...                             ...
    - check_attach_btf_id             resolve_pseudo_ldimm64
      resolve_pseudo_ldimm64   -->    bpf_prog_is_offloaded
      bpf_prog_is_offloaded           check_cfg
      check_cfg                     + check_attach_btf_id
      ...                             ...

The following fields are set by check_attach_btf_id():
- env->ops
- prog->aux->attach_btf_trace
- prog->aux->attach_func_name
- prog->aux->attach_func_proto
- prog->aux->dst_trampoline
- prog->aux->mod
- prog->aux->saved_dst_attach_type
- prog->aux->saved_dst_prog_type
- prog->expected_attach_type

Neither of these fields are used by resolve_pseudo_ldimm64() or bpf_prog_offload_verifier_prep() (for netronome and netdevsim drivers), so the reordering is safe.
AI Analysis
Technical Summary
CVE-2024-58100 is a vulnerability in the Linux kernel's Berkeley Packet Filter (BPF) subsystem, in the handling of extension programs that replace global sub-programs. The BPF verifier validates BPF programs before they are executed in kernel space to ensure safety and correctness. The vulnerability concerns the verifier's handling of the 'changes_pkt_data' property, which indicates whether a BPF program modifies packet data. When processing a call to a global sub-program, the verifier uses this property to decide whether to invalidate all packet pointers in the current state. An extension program that replaces a global sub-program must therefore be compatible with the 'changes_pkt_data' property of the sub-program it replaces.

The vulnerability stems from insufficient checks in the verification process: the attachment check did not take 'changes_pkt_data' into account, and it ran before the property had been computed. This potentially allowed the verifier to accept an extension program that does not match the 'changes_pkt_data' property of the sub-program it replaces, so that callers verified against the original sub-program would keep packet pointers that should have been invalidated.

The patch introduces a 'changes_pkt_data' flag within the 'bpf_prog_aux' structure, ensuring that this property is set and checked consistently during verification. It also reorders calls within the verifier so that the 'changes_pkt_data' flag is established before attachment checks are performed. This fix prevents incompatible extension programs from being accepted, thereby maintaining kernel stability and security. Although no known exploits are reported in the wild, the vulnerability could theoretically allow malicious BPF programs to manipulate packet data in unintended ways, potentially leading to kernel memory corruption or privilege escalation.
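The compatibility rule described above, as a small user-space C model added here for illustration; it is not kernel code and not taken from the patch. Only the name changes_pkt_data comes from the commit; the types, function names, sample sub-programs and the enforce switch (standing in for a patched kernel) are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code: the caller has one register of interest. */
enum reg_type { PTR_TO_PACKET, INVALIDATED };
struct subprog { const char *name; bool changes_pkt_data; };

/* Constructed sample sub-programs. */
const struct subprog orig_ro = { "orig_ro", false }; /* replaced global sub-program */
const struct subprog ext_ro  = { "ext_ro",  false }; /* extension, leaves packet alone */
const struct subprog ext_rw  = { "ext_rw",  true  }; /* extension, changes packet data */

/* Caller-side rule: a call to a global sub-program invalidates packet
 * pointers only when the callee has changes_pkt_data set. */
static enum reg_type after_call(enum reg_type r, const struct subprog *callee)
{
    return callee->changes_pkt_data ? INVALIDATED : r;
}

/* A caller that keeps a packet pointer live across the call and then
 * dereferences it. Returns 0 if that is sound for this callee. */
int verify_caller(const struct subprog *callee)
{
    enum reg_type r = after_call(PTR_TO_PACKET, callee);
    return r == PTR_TO_PACKET ? 0 : -EACCES;
}

/* Attach-time rule from the fix: reject an extension that changes packet
 * data when the replaced sub-program does not. enforce = patched kernel. */
int check_ext_compat(const struct subprog *tgt, const struct subprog *ext, bool enforce)
{
    return (enforce && ext->changes_pkt_data && !tgt->changes_pkt_data) ? -EINVAL : 0;
}

/* True when the caller, verified against tgt, ends up running with a packet
 * pointer that should have been invalidated for the attached extension. */
bool stale_pkt_ptr(const struct subprog *tgt, const struct subprog *ext, bool enforce)
{
    if (verify_caller(tgt) != 0 || check_ext_compat(tgt, ext, enforce) != 0)
        return false; /* caller or extension rejected */
    return verify_caller(ext) != 0;
}

int main(void)
{
    printf("unpatched, ext_rw: stale=%d\n", stale_pkt_ptr(&orig_ro, &ext_rw, false));
    printf("patched,   ext_rw: stale=%d\n", stale_pkt_ptr(&orig_ro, &ext_rw, true));
    printf("patched,   ext_ro: attach=%d\n", check_ext_compat(&orig_ro, &ext_ro, true));
    return 0;
}
```

The check is one-directional in this model: an extension that leaves packet data alone may replace a sub-program that changes it, because the caller was already verified with its packet pointers invalidated.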
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with BPF support, which is common in servers, network appliances, and cloud infrastructure. Exploitation could allow attackers to execute malicious BPF programs that manipulate network packet data, potentially leading to kernel memory corruption or privilege escalation. This could compromise the confidentiality, integrity, and availability of critical systems, especially those handling sensitive data or providing network services. Organizations relying on Linux-based network monitoring, firewalls, or container orchestration platforms that leverage BPF could see increased risk. The impact is heightened in environments where untrusted users or applications can load BPF programs, such as multi-tenant cloud platforms or shared hosting environments. While no active exploits are known, the complexity and privileged nature of BPF mean that successful exploitation could facilitate stealthy attacks, persistent backdoors, or disruption of network traffic inspection and filtering mechanisms.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-58100 as soon as they become available. In the interim, administrators should audit and restrict BPF program loading capabilities to trusted users only, using Linux capabilities and seccomp filters to limit exposure. Employ kernel lockdown features where possible to prevent unauthorized kernel modifications. Network and system monitoring should be enhanced to detect anomalous BPF program loading or unusual network packet manipulation patterns. Organizations using container platforms should ensure that container runtimes and orchestration tools enforce strict policies on BPF program usage. Additionally, applying kernel hardening patches and leveraging security modules like SELinux or AppArmor can provide layered defense. Regularly reviewing and updating security policies around kernel module and BPF program loading will reduce the attack surface. Finally, maintaining an inventory of Linux kernel versions in use across infrastructure will help prioritize patch deployment effectively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-03-06T15:52:09.189Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd7b8c
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/5/2025, 3:10:54 AM
Last updated: 7/26/2025, 10:08:39 AM