CVE-2024-40954
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's networking subsystem where socket creation failure leaves a dangling pointer. Attackers can exploit this to cause kernel memory corruption, potentially leading to system crashes or privilege escalation. Systems running vulnerable Linux kernel versions with BPF/eBPF capabilities are affected.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to denial of service, or potential privilege escalation allowing attackers to execute arbitrary code with kernel privileges.
Likely Case
System instability, crashes, or denial of service when specific network operations trigger the vulnerable code path.
If Mitigated
Minimal impact if kernel hardening features like KASAN, KPTI, or SMAP/SMEP are enabled and properly configured. Note that KASAN is a debug build option that turns a use-after-free into a logged report (and usually a panic) rather than a production mitigation; KPTI and SMAP/SMEP raise the bar for turning memory corruption into privilege escalation but do not prevent the bug itself.
🎯 Exploit Status
Exploitation requires ability to load BPF programs (typically requires CAP_BPF or root privileges) and trigger specific network operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 454c454ed645fed051216b79622f7cb69c1638f5, 5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9, 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2, 78e4aa528a7b1204219d808310524344f627d069, 893eeba94c40d513cd0fe6539330ebdaea208c0e
Vendor Advisory: https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Check your distribution's security advisories for the specific patched versions.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Disable BPF system call for unprivileged users (linux)
Prevents unprivileged users from loading BPF programs that could trigger the vulnerability. Both commands set the same sysctl; processes holding CAP_BPF or CAP_SYS_ADMIN can still load programs.
sysctl -w kernel.unprivileged_bpf_disabled=1
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
Restrict BPF capabilities (linux)
Limit which users can load BPF programs using Linux capabilities. Dropping cap_bpf only constrains the command launched under capsh, and removing file capabilities from bpftool does not affect invocations run as root, which already holds every capability.
setcap -r /usr/bin/bpftool
capsh --drop=cap_bpf -- -c 'your_command'
🧯 If You Can't Patch
- Implement strict BPF program loading restrictions using Linux capabilities
- Enable kernel hardening features like KASAN, KPTI, and SMAP/SMEP to reduce exploit impact
🔍 How to Verify
Check if Vulnerable:
Check kernel version and verify if BPF is enabled: uname -r && grep CONFIG_BPF_SYSCALL /boot/config-$(uname -r)
Check Version:
uname -r
Verify Fix Applied:
Verify the kernel version is patched: uname -r should show a version released after the fix commits were merged. Because the fix landed in several stable branches, compare the running version against your distribution's advisory for this CVE rather than against a single upstream number.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN reports of use-after-free in sock_gen_cookie or __sock_release
- System crashes during network operations
Network Indicators:
- Unusual traceroute or socket creation patterns from single source
- Multiple failed socket creation attempts
SIEM Query:
source="kernel" AND ("KASAN: slab-use-after-free" OR "BUG: KASAN" OR "sock_gen_cookie" OR "__sock_release")
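As an added example (not part of this advisory), the "Temporary Workarounds"/"How to Verify" sysctl check and the "Detection & Monitoring" log indicators above expressed as a small POSIX shell script. Function names are my own, the sysctl path is a parameter so the check can be tested offline, and the sample log lines are constructed for illustration, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the advisory: two defender-side checks for
# CVE-2024-40954 on a Linux host. Function names are this example's own.

# 1) Mitigation state. Reads the sysctl the workaround above sets.
#    Prints "enabled" (0: unprivileged BPF allowed), "disabled" (1 or 2:
#    unprivileged BPF blocked) or "absent" (sysctl missing, e.g. BPF
#    syscall not built in). The path argument exists for offline testing.
unprivileged_bpf_state() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        0)   echo enabled ;;
        1|2) echo disabled ;;
        *)   echo unknown ;;
    esac
}

# 2) Detection. Keeps kernel log lines matching the Log Indicators above
#    (KASAN use-after-free reports naming sock_gen_cookie/__sock_release).
#    Live use: dmesg | cve_2024_40954_log_hits   (or journalctl -k | ...)
cve_2024_40954_log_hits() {
    grep -E 'KASAN: slab-use-after-free|BUG: KASAN|sock_gen_cookie|__sock_release'
}

# Constructed dmesg-style sample (not a real capture) so the script runs
# stand-alone; lines 2 and 5 are the ones the filter should keep.
SAMPLE_LOG='[   12.001] usb 1-1: new high-speed USB device number 2
[   42.115] BUG: KASAN: slab-use-after-free in sock_gen_cookie+0x2c/0x80
[   42.116] Read of size 8 at addr ffff888100abcd00 by task traceroute/1234
[   42.118] Call Trace:
[   42.119]  __sock_release+0x1a/0x80
[   50.000] eth0: link up'

# Number of indicator lines in SAMPLE_LOG (used by callers and tests).
sample_hit_count() {
    printf '%s\n' "$SAMPLE_LOG" | cve_2024_40954_log_hits | wc -l | tr -d ' '
}

main() {
    echo "unprivileged BPF on this host: $(unprivileged_bpf_state)"
    echo "indicator lines in sample log: $(sample_hit_count)"
}
main
```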
🔗 References
- https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5
- https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9
- https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2
- https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069
- https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html