CVE-2024-38574
📋 TL;DR
A null-pointer dereference vulnerability in the Linux kernel's libbpf library allows local attackers to cause denial of service (system crash) when loading BPF programs without BTF information. This affects systems using libbpf to load BPF programs, particularly through tools like bpftool. The vulnerability requires local access to trigger.
💻 Affected Systems
- Linux kernel with libbpf
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local denial of service causing kernel panic or system crash, potentially leading to service disruption and data loss.
Likely Case
Local denial of service affecting specific BPF program loading operations, causing application crashes (like bpftool) but not full system crashes.
If Mitigated
No impact if systems don't use libbpf to load BPF programs without BTF information or have patched kernels.
🎯 Exploit Status
Exploitation requires local access and ability to load BPF programs. The vulnerability is straightforward to trigger by loading BPF programs without BTF information.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 1fd91360a75833b7110af9834ae26c977e1273e0 or 9bf48fa19a4b1d186e08b20bf7e5de26a15644fb
Vendor Advisory: https://git.kernel.org/stable/c/1fd91360a75833b7110af9834ae26c977e1273e0
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Check distribution-specific security advisories.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Avoid loading BPF programs without BTF
Ensure all BPF programs loaded via libbpf include BTF information
Restrict BPF program loading
Use a kernel sysctl or seccomp to restrict BPF program loading to trusted users
sysctl -w kernel.unprivileged_bpf_disabled=1
🧯 If You Can't Patch
- Restrict BPF program loading capabilities to trusted users only
- Monitor for crashes in BPF-related tools and applications
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether libbpf is used to load BPF programs. Test by attempting to load a BPF program without BTF information using bpftool.
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version includes the fix commits. Test loading BPF programs without BTF information; the load should not crash.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- Segmentation fault errors in bpftool or libbpf applications
- System crash/reboot events
SIEM Query:
event.category:process AND process.name:bpftool AND event.outcome:failure
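As an added illustration that is not part of this advisory, the following Python scanner applies the log indicators listed above (segfaults in bpftool or libbpf-linked processes, kernel NULL-pointer oops lines, panic lines) to sample journal lines. The sample lines, the process/PID values and the `libbpf.so.1.4.0` object name in them are constructed for the example; the message shapes follow the kernel's segfault and oops output.

```python
import re

# Constructed sample log lines (not captured from a real system), shaped like
# the kernel's user-space segfault report and a kernel NULL-pointer oops.
SAMPLE_LOGS = [
    "Jun 20 10:01:02 host kernel: bpftool[4321]: segfault at 0 ip 00007f1c2e3a4b5c "
    "sp 00007ffd1234abcd error 4 in libbpf.so.1.4.0[7f1c2e380000+40000]",
    "Jun 20 10:01:03 host systemd[1]: Started Session 12 of user ops.",
    "Jun 20 10:02:10 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000018",
    "Jun 20 10:02:11 host kernel: Kernel panic - not syncing: Fatal exception",
    "Jun 20 10:05:00 host sshd[777]: Accepted publickey for ops from 10.0.0.5 port 50222",
]

# <proc>[<pid>]: segfault at <addr> ... in <object>[<base>+<size>]
SEGFAULT_RE = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) .* in (?P<obj>[\w.+-]+)\["
)
NULLDEREF_RE = re.compile(r"BUG: kernel NULL pointer dereference")
PANIC_RE = re.compile(r"Kernel panic - not syncing")

# Processes the advisory names as libbpf consumers; extend for local tooling.
BPF_PROCS = {"bpftool"}


def classify(line):
    """Return (severity, reason) when the line matches an advisory indicator, else None."""
    m = SEGFAULT_RE.search(line)
    if m and (m["proc"] in BPF_PROCS or m["obj"].startswith("libbpf")):
        # A fault address in the first page is the NULL-dereference signature.
        near_null = int(m["addr"], 16) < 0x1000
        severity = "high" if near_null else "medium"
        return (severity, f"segfault in {m['proc']} ({m['obj']}) at 0x{m['addr']}")
    if NULLDEREF_RE.search(line):
        return ("critical", "kernel NULL pointer dereference")
    if PANIC_RE.search(line):
        return ("critical", "kernel panic")
    return None


def scan(lines):
    """Return a list of (severity, reason) for every line that matches an indicator."""
    hits = []
    for line in lines:
        result = classify(line)
        if result is not None:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOGS):
        print(f"[{severity}] {reason}")
```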
🔗 References
- https://git.kernel.org/stable/c/1fd91360a75833b7110af9834ae26c977e1273e0
- https://git.kernel.org/stable/c/9bf48fa19a4b1d186e08b20bf7e5de26a15644fb
- https://git.kernel.org/stable/c/ef80b59acfa4dee4b5eaccb15572b69248831104