CVE-2024-35917

5.5 MEDIUM

📋 TL;DR

This CVE covers a bug in the Linux kernel's s390 BPF JIT (arch/s390/net/bpf_jit_comp.c). The fix commit describes bpf_jit_plt() emitting a procedure linkage table (PLT) whose return and target addresses were NULL, because the compiler moved the memcpy() that copies in the PLT template after the two stores that were meant to patch it; the first use of such a PLT branches to a near-NULL address (0x2 in the report) and the kernel crashes. The effect is a local denial of service: a user who can load the BPF program types that exercise this path, which requires CAP_BPF or CAP_SYS_ADMIN, can take an s390x host down. Only the s390/s390x architecture is affected, and the CVE describes a crash only, not memory disclosure or code execution.

💻 Affected Systems

Products:
  • Linux kernel
Versions: The CVE text gives no version range. Upstream, the fix is commit 7ded842b356d151ece8ac4985940438e6d3998bb (merged in the v6.9 cycle) and its 6.8-stable backport c3062bdb859b6e2567e7f5c8cde20c0250bb130f; the Fixes: tag on the mainline commit names the change that introduced the bug. Run `git describe --contains` on those hashes in a kernel tree for the exact tags, and go by your distribution's advisory for backported kernels, whose version strings do not track upstream.
Operating Systems: Linux distributions running on IBM s390/s390x architecture
Default Config Vulnerable: ⚠️ Yes
Notes: The s390 eBPF JIT is part of every distribution kernel for this architecture, so a stock s390x kernel contains the affected code; reaching it still requires a privileged BPF load. x86_64, arm64 and all other architectures have their own JITs and are not affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel crash (Oops or panic) on an s390x host, taking down every workload on it; anything not yet flushed to disk is lost. This is a denial of service, not privilege escalation: the fix commit describes a branch to a NULL-derived address, and no attacker-controlled write or read is part of the bug.

🟠

Likely Case

Local denial of service: a process holding CAP_BPF or CAP_SYS_ADMIN loads or attaches a BPF program that exercises the JIT's PLT, either deliberately or, as in the original report, by running the kernel's own BPF selftests, and the host crashes.

🟢

If Mitigated

Minimal impact once the kernel is patched, or while BPF loading is confined to trusted administrators and a known set of services; the residual risk is an administrator crashing a host with BPF tooling.

🌐 Internet-Facing: LOW - Requires local access to trigger the vulnerability.
🏢 Internal Only: MEDIUM - A local account or service with CAP_BPF/CAP_SYS_ADMIN on an s390x host can crash it; on shared hosts (an LPAR running many tenants' containers) that is a multi-tenant availability problem.

🎯 Exploit Status

Public PoC: No standalone exploit is known. The crash reproduces with the kernel's own BPF selftest (dummy_st_ops/dummy_init_ptr_arg), which is the trigger the fix commit cites.
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Exploitation requires local code execution plus CAP_BPF or CAP_SYS_ADMIN, since the program types that reach the affected PLT cannot be loaded unprivileged. The bug surfaced through kernel selftesting rather than real-world exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Mainline commit 7ded842b356d151ece8ac4985940438e6d3998bb (v6.9 cycle) and the 6.8-stable backport c3062bdb859b6e2567e7f5c8cde20c0250bb130f. Distribution kernels carry their own backports under their own version numbers, so go by the vendor advisory for CVE-2024-35917 rather than by the upstream release.

Vendor Advisory: https://git.kernel.org/stable/c/7ded842b356d151ece8ac4985940438e6d3998bb

Restart Required: Yes

Instructions:

1. Update the kernel to the version your distribution's advisory for CVE-2024-35917 names.
2. For self-built kernels, cherry-pick 7ded842b356d151ece8ac4985940438e6d3998bb (mainline) or c3062bdb859b6e2567e7f5c8cde20c0250bb130f (6.8-stable), rebuild and install.
3. Reboot into the new kernel; the running kernel keeps the old JIT code until then.

🔧 Temporary Workarounds

Disable the BPF JIT (linux)

The broken PLT is produced by the JIT, so programs run by the interpreter do not get one. bpf_jit_enable is a sysctl (net.core.bpf_jit_enable), not a kernel boot parameter; on kernels built with CONFIG_BPF_JIT_ALWAYS_ON=y, which is the usual distribution setting, it is fixed at 1 and cannot be turned off. Where it can be changed, expect BPF-heavy workloads to slow down and trampoline users (struct_ops, fentry/fexit attachments) to stop working.

sysctl -w net.core.bpf_jit_enable=0
echo 'net.core.bpf_jit_enable = 0' > /etc/sysctl.d/90-bpf-jit.conf   (persists across reboot; no effect if CONFIG_BPF_JIT_ALWAYS_ON=y)

Restrict BPF operations (linux)

Loading the program types that reach this code already requires CAP_BPF or CAP_SYS_ADMIN, so the useful control is keeping those capabilities away from untrusted users and services:

sysctl -w kernel.unprivileged_bpf_disabled=1   (1 is one-way until reboot; 2 can be re-enabled by root)
getcap -r / 2>/dev/null | grep -E 'cap_bpf|cap_sys_admin'   (find binaries that hand out the capability to non-root callers)
setcap -r /path/to/binary   (strip file capabilities a binary does not need)
CapabilityBoundingSet=~CAP_BPF CAP_SYS_ADMIN   (systemd drop-in for services that must not load BPF)
On SELinux systems, the bpf object class (prog_load, prog_run, map_create, map_read, map_write) can confine which domains may load programs at all.

🧯 If You Can't Patch

  • Keep untrusted users off s390x hosts running unpatched kernels; the trigger needs local code execution.
  • Keep kernel.unprivileged_bpf_disabled at 1 or 2 and confine CAP_BPF/CAP_SYS_ADMIN to administrative accounts and the few services that load BPF (observability agents, container runtimes).
  • Do not run the kernel's BPF selftests on production s390x hosts until they are patched; that is the path that produced the original report.

🔍 How to Verify

Check if Vulnerable:

Two facts matter: the architecture, and whether the running kernel package contains the fix. `uname -m` must print s390x (or s390) for the host to be in scope at all; on any other architecture stop here. For the fix, do not compare `uname -r` against the upstream release number: distribution kernels backport the patch under their own version strings. Check the vendor advisory for CVE-2024-35917, or search the kernel package changelog for the CVE id.

Check Version:

uname -m && uname -r
rpm -q --changelog kernel-default | grep CVE-2024-35917   (SUSE; the package is kernel-core on RHEL/Fedora)
zcat /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz | grep CVE-2024-35917   (Debian/Ubuntu)

Verify Fix Applied:

/proc/version_signature exists only on Ubuntu and holds a version string, not commit hashes, so grepping it for the fix commits never matches. For a self-built kernel, check the source tree you built from:

git -C /usr/src/linux merge-base --is-ancestor 7ded842b356d151ece8ac4985940438e6d3998bb HEAD && echo 'fix present'   (use c3062bdb859b6e2567e7f5c8cde20c0250bb130f on a 6.8-stable tree)
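The checks above combined into one triage script, added here as an example; it is not tooling from the CVE page or the kernel project. classify() is a pure function so it can be exercised with constructed inputs; the probe functions gather the same facts from a live host and assume rpm-based or Debian-based kernel packaging plus libcap's getcap. Fixed version numbers are deliberately not encoded, because distributions backport the fix under their own version strings.

```shell
#!/bin/sh
# Added example triage helper for CVE-2024-35917 (not from the CVE page or the
# kernel project). Decides whether a host is in scope from three facts:
#   arch       - output of uname -m (only s390/s390x carry the affected JIT)
#   changelog  - yes/no/unknown: installed kernel package changelog names the CVE
#   capbpf     - number of binaries with a cap_bpf file capability; each one
#                widens who can reach the privileged trigger path

# classify ARCH CHANGELOG_HAS_CVE CAP_BPF_BINARIES
# Prints a status word followed by a reason; always returns 0.
classify() {
  arch=$1; changelog=$2; capbpf=${3:-0}
  case "$arch" in
    s390|s390x) ;;
    *) echo "not-affected arch=$arch: the bug is in the s390 BPF JIT"; return 0 ;;
  esac
  if [ "$changelog" = yes ]; then
    echo "patched package changelog references CVE-2024-35917"
    return 0
  fi
  # A non-numeric count (e.g. "unknown") fails the test and falls through.
  if [ "$capbpf" -gt 0 ] 2>/dev/null; then
    echo "exposed $arch, fix not confirmed, $capbpf binaries carry a cap_bpf file capability"
  else
    echo "exposed $arch, fix not confirmed, BPF loading limited to root/CAP_BPF processes"
  fi
  return 0
}

# Look for the CVE id in the installed kernel packages' changelogs.
# Assumption: rpm-based (rpm -q --changelog) or Debian-based
# (/usr/share/doc/linux-image-*/changelog.Debian.gz) packaging. Note this
# inspects installed packages; a host still running an older kernel needs
# the reboot from the fix instructions before it is actually covered.
probe_changelog() {
  if command -v rpm >/dev/null 2>&1; then
    if rpm -qa 'kernel*' | xargs -r rpm -q --changelog 2>/dev/null | grep -q CVE-2024-35917; then
      echo yes
    else
      echo no
    fi
    return
  fi
  f="/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz"
  if [ -r "$f" ]; then
    if zcat "$f" | grep -q CVE-2024-35917; then echo yes; else echo no; fi
    return
  fi
  echo unknown
}

# Live triage: architecture, changelog, and a count of cap_bpf file capabilities.
triage_host() {
  capbpf=$(getcap -r / 2>/dev/null | grep -c cap_bpf)
  classify "$(uname -m)" "$(probe_changelog)" "$capbpf"
}

# Only touch the host when asked, so the file can be sourced for its functions.
if [ "${1:-}" = --probe ]; then
  triage_host
fi
```

Run it as `sh triage.sh --probe` on the host under review; the first word of the output (not-affected, patched, exposed) is stable enough to key an inventory script on, the rest is the reason for a human reader.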

📡 Detection & Monitoring

Log Indicators:

  • Kernel Oops or panic records on s390x hosts whose call trace runs through the bpf(2) syscall path (__sys_bpf, __s390x_sys_bpf) or through BPF trampoline/struct_ops code such as bpf_struct_ops_test_run
  • A near-NULL instruction address at the top of the trace (the fix commit's report shows [<0000000000000002>] 0x2). Note that bpf_jit_plt builds the bad PLT at program load time and is not expected to appear in the crash trace itself.

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("panic" OR "Oops") AND ("bpf" OR "s390")
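The same logic as the SIEM query, run over an exported kernel log with awk so it can be used where no SIEM is available; this is an added example, not tooling from the CVE page or the kernel project. The sample log is constructed for the example: the frame names follow the report quoted in the fix commit, while hostnames, timestamps and offsets are made up.

```shell
#!/bin/sh
# Added example: flag Oops/panic events whose call trace points at BPF code
# or at a near-NULL address, the shape of the report in the fix commit.
# Not from the CVE page or the kernel project. The sample log below is
# constructed; frame names follow the fix commit's report, the rest is made up.

SAMPLE_LOG=$(cat <<'EOF'
Mar 19 10:00:01 lpar1 systemd[1]: Started bpf-exporter.service.
Mar 19 10:00:01 lpar1 kernel: Oops: 0004 ilc:2 [#1] SMP
Mar 19 10:00:01 lpar1 kernel: Call Trace:
Mar 19 10:00:01 lpar1 kernel:  [<0000000000000002>] 0x2
Mar 19 10:00:01 lpar1 kernel:  [<00000000009d5cde>] bpf_struct_ops_test_run+0x156/0x250
Mar 19 10:00:01 lpar1 kernel:  [<000000000033145a>] __sys_bpf+0xa1a/0x1bc0
Mar 19 10:00:01 lpar1 kernel:  [<00000000003329c0>] __s390x_sys_bpf+0x70/0x98
Mar 19 10:00:01 lpar1 kernel:  [<0000000000c4382c>] __do_syscall+0x118/0x1a8
Mar 19 11:12:40 lpar1 kernel: Oops: 0004 ilc:3 [#1] SMP
Mar 19 11:12:40 lpar1 kernel: Call Trace:
Mar 19 11:12:40 lpar1 kernel:  [<000000000057a1c2>] xfs_iget+0x1a2/0x3f0
Mar 19 11:12:40 lpar1 kernel:  [<00000000003a7f00>] path_openat+0x5b0/0x1180
EOF
)

# flag_bpf_crashes < kernel-log
# Prints one line per Oops/panic header whose following 12 lines mention a
# bpf symbol or an s390 frame at a near-NULL address ([<0000000000000xxx>]).
# Lines that mention bpf outside a crash window (service names, info
# messages) are ignored, and an unrelated Oops is not reported.
flag_bpf_crashes() {
  awk '
    function flush() { if (hit) print "CVE-2024-35917 candidate: " header; open = 0; hit = 0 }
    /Oops:|Kernel panic/ { flush(); header = $0; open = 12; next }
    open > 0 {
      open--
      if ($0 ~ /bpf/ || $0 ~ /\[<0000000000000[0-9a-f][0-9a-f][0-9a-f]>\]/) hit = 1
      if (open == 0) flush()
    }
    END { flush() }
  '
}

# Demo against the constructed sample; on a real host feed it
# "journalctl -k -o short" or /var/log/kern.log instead.
if [ "${1:-}" = --demo ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_bpf_crashes
fi
```

The 12-line window is a tuning knob: s390 traces are short, but a host that logs a long "Last Breaking-Event-Address" section after the trace may need a larger value to keep the whole event in one window.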
