CVE-2024-26588

7.8 HIGH

📋 TL;DR

A memory access vulnerability in the Linux kernel's BPF JIT compiler for the LoongArch architecture allows out-of-bounds memory access when processing large BPF programs. This can lead to kernel crashes or potential privilege escalation. Systems running Linux kernels with LoongArch support and BPF enabled are affected.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Specific versions with LoongArch BPF JIT support before fixes (exact range depends on distribution backports)
Operating Systems: Linux distributions with LoongArch support
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with CONFIG_BPF_JIT=y on the LoongArch architecture. The report specifically mentions the CONFIG_PAGE_SIZE_16KB configuration.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to denial of service, or potential privilege escalation to kernel mode if combined with other vulnerabilities.

🟠

Likely Case

Kernel crash/panic when loading specific BPF programs, causing system instability or denial of service.

🟢

If Mitigated

No impact if BPF is disabled or systems aren't using LoongArch architecture.

🌐 Internet-Facing: LOW - Requires local access to trigger via BPF program loading.
🏢 Internal Only: MEDIUM - Local users or processes with CAP_BPF capability could trigger crashes affecting system stability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The test case (test_tag) demonstrates the crash. Exploitation requires the CAP_BPF capability or root access to load BPF programs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits 36a87385e31c9343af9a4756598e704741250a67 and related fixes

Vendor Advisory: https://git.kernel.org/stable/c/36a87385e31c9343af9a4756598e704741250a67

Restart Required: Yes

Instructions:

1. Update kernel to patched version from your distribution.
2. For custom kernels, apply commits 36a87385e31c9343af9a4756598e704741250a67 and related fixes.
3. Reboot system.

🔧 Temporary Workarounds

Disable BPF JIT compilation

linux

Prevents JIT compilation of BPF programs, mitigating the vulnerability

echo 0 > /proc/sys/net/core/bpf_jit_enable

Restrict BPF program loading

linux

Limit BPF program loading capabilities using Linux capabilities

# Remove all file capabilities (including cap_bpf and cap_sys_admin) from the binary
setcap -r /path/to/binary

🧯 If You Can't Patch

  • Disable BPF JIT via sysctl: net.core.bpf_jit_enable=0
  • Implement strict capability controls to prevent unauthorized BPF program loading

🔍 How to Verify

Check if Vulnerable:

Check if system uses LoongArch architecture and has BPF enabled: 'uname -m' should show loongarch64 and 'cat /proc/sys/net/core/bpf_jit_enable' should show 1

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix commits: 'uname -r' and verify with distribution patch notes

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning 'Unable to handle kernel paging request' with BPF/JIT context
  • System crashes when loading BPF programs

Network Indicators:

  • None - local vulnerability

SIEM Query:

kernel: "Unable to handle kernel paging request" AND ("BPF" OR "JIT" OR "test_tag")
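The checks under "How to Verify" and the log indicator above can be combined into one local triage script. This is an added example, not part of the advisory or the kernel project; the function names and the 40-line context window are assumptions. It treats a bpf_jit_enable value of 2 (JIT with debug output) as enabled, and it looks for BPF context in the lines following the paging-request message, because a kernel oops spans many log lines.

```shell
#!/bin/sh
# Added example (not from the advisory): local triage for CVE-2024-26588.
# Function names and the default 40-line window are assumptions.

# classify_exposure ARCH JIT_VALUE
# Applies the advisory's two conditions: LoongArch and BPF JIT enabled.
classify_exposure() {
    case "$1" in
        loongarch64) ;;
        *) echo "not-affected-arch"; return 0 ;;
    esac
    case "$2" in
        0)   echo "jit-disabled" ;;  # the advisory's workaround is active
        1|2) echo "jit-enabled" ;;   # 2 = JIT on with debug output
        *)   echo "unknown" ;;       # sysctl unreadable or unexpected value
    esac
}

# count_bpf_oops [WINDOW] < kernel-log
# Counts "Unable to handle kernel paging request" events that carry
# BPF/JIT/test_tag context on the same line or within WINDOW lines after it.
count_bpf_oops() {
    awk -v win="${1:-40}" '
        /Unable to handle kernel paging request/ { left = win + 1; hit = 0 }
        left > 0 {
            if (!hit && $0 ~ /[Bb][Pp][Ff]|JIT|test_tag/) { hit = 1; n++ }
            left--
        }
        END { print n + 0 }'
}

# triage_host: run both checks against the current machine.
triage_host() {
    jit=$(cat /proc/sys/net/core/bpf_jit_enable 2>/dev/null || echo unreadable)
    echo "exposure: $(classify_exposure "$(uname -m)" "$jit")"
    echo "bpf-related oops events: $(dmesg 2>/dev/null | count_bpf_oops)"
}
```

Source the file and call `triage_host` with enough privilege to read the kernel log. On kernels built with CONFIG_BPF_JIT_ALWAYS_ON the sysctl cannot be set to 0, so a `jit-enabled` result there can only be resolved by patching.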
