CVE-2024-26865

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's RDS-TCP implementation that allows local attackers to cause memory corruption, potentially leading to denial of service or privilege escalation. It affects systems running vulnerable Linux kernel versions with RDS-TCP enabled. The vulnerability occurs when network namespaces are dismantled while request socket timers are still active.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Specific affected versions not explicitly stated in CVE description, but references indicate stable kernel patches from 1e9fd5cf8d7f to f901ee07853c
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires RDS-TCP module to be loaded and used. Not all Linux distributions enable RDS-TCP by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic, system crash, or potential privilege escalation leading to full system compromise.

🟠 Likely Case: System instability, kernel crashes, or denial of service affecting network connectivity.

🟢 If Mitigated: Minimal impact if RDS-TCP is disabled or systems are properly patched.

🌐 Internet-Facing: LOW - Requires local access to exploit.
🏢 Internal Only: MEDIUM - Local attackers on multi-user systems or containers could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and specific conditions with network namespace operations. The syzkaller fuzzer found the issue but no public exploit is mentioned.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 1e9fd5cf8d7f, 2a750d6a5b36, 9905a157048f, 9ceac040506a, or f901ee07853c

Vendor Advisory: https://git.kernel.org/stable/c/1e9fd5cf8d7f487332560f7bb312fc7d416817f3

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable RDS-TCP module

Prevent loading of the vulnerable RDS-TCP kernel module

echo 'install rds_tcp /bin/false' >> /etc/modprobe.d/disable-rds-tcp.conf
rmmod rds_tcp 2>/dev/null || true

Blacklist RDS-TCP module

Blacklist the module to prevent automatic loading

echo 'blacklist rds_tcp' >> /etc/modprobe.d/blacklist-rds-tcp.conf

🧯 If You Can't Patch

  • Restrict local user access to prevent exploitation by untrusted users
  • Monitor system logs for kernel panic or crash events related to RDS-TCP

🔍 How to Verify

Check if Vulnerable:

Check if RDS-TCP module is loaded: lsmod | grep rds_tcp. If loaded and kernel version is unpatched, system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Check that the running kernel version matches the patched version from your vendor. If the kernel is not yet patched, verify that the RDS-TCP module is not loaded.
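
One way to check the workaround state described above, as an added example (not code from the advisory or the kernel project): the hypothetical function `rds_tcp_status` reads a module list in `/proc/modules` format and one modprobe configuration directory, and separates an `install` rule from a `blacklist`-only setup, which still allows an explicit `modprobe rds_tcp`. It assumes rules live in `*.conf` files in the directory passed in and does not inspect other modprobe search paths.

```shell
#!/bin/sh
# Added example: classify a host's RDS-TCP exposure from two inputs.
#   $1 = module list in /proc/modules format (default: /proc/modules)
#   $2 = modprobe config directory          (default: /etc/modprobe.d)
# Function name and result strings are hypothetical, chosen for this example.
rds_tcp_status() {
    modules_file=${1:-/proc/modules}
    conf_dir=${2:-/etc/modprobe.d}

    # /proc/modules lists one loaded module per line, name in the first field.
    if awk '$1 == "rds_tcp" { found = 1 } END { exit !found }' "$modules_file"; then
        echo loaded
        return 0
    fi

    # modprobe reads *.conf files only; lines starting with '#' are comments,
    # and '-' and '_' are interchangeable in module names.
    install_rule=no
    blacklist_rule=no
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+rds[-_]tcp[[:space:]]+(/usr)?/bin/(false|true)' "$f"; then
            install_rule=yes
        fi
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+rds[-_]tcp([[:space:]]|$)' "$f"; then
            blacklist_rule=yes
        fi
    done

    if [ "$install_rule" = yes ]; then
        echo blocked          # modprobe runs the stub command instead of loading
    elif [ "$blacklist_rule" = yes ]; then
        echo blacklist-only   # alias autoload suppressed, explicit modprobe still loads
    else
        echo loadable
    fi
}
```

A result of `loaded` or `loadable` on an unpatched kernel corresponds to the vulnerable condition in the check above. `insmod` does not consult modprobe configuration, so neither rule restricts a root user loading the module file directly.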

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • KASAN use-after-free reports in dmesg
  • Ref tracker warnings related to net namespace

Network Indicators:

  • Unexpected RDS-TCP connection failures
  • Network namespace creation/destruction anomalies

SIEM Query:

source="kernel" AND ("KASAN: slab-use-after-free" OR "ref_tracker: net notrefcnt" OR "inet_csk_reqsk_queue_drop")
