CVE-2024-42151
📋 TL;DR
A Linux kernel BPF subsystem vulnerability where the verifier could incorrectly optimize away NULL pointer checks in certain BPF programs, potentially leading to kernel NULL pointer dereference. This affects systems running vulnerable Linux kernel versions with BPF enabled. The vulnerability requires local access or ability to load BPF programs.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially allowing local privilege escalation if combined with other vulnerabilities.
Likely Case
System crash or instability when specific BPF programs are loaded, resulting in denial of service for affected systems.
If Mitigated
No impact if BPF is disabled or proper kernel patches are applied.
🎯 Exploit Status
Exploitation requires ability to load BPF programs (typically requires CAP_BPF or root privileges). The vulnerability is in the BPF verifier logic during program validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel trees via git commits: 1479eaff1f16983d8fda7c5a08a586c21891087d and 7f79097b0de97a486b137b750d7dd7b20b519d23
Vendor Advisory: https://git.kernel.org/stable/c/1479eaff1f16983d8fda7c5a08a586c21891087d
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version from your distribution vendor.
2. Rebuild the kernel if you run a custom kernel with the patches applied.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable BPF subsystem
Disable unprivileged BPF so that unprivileged users cannot load BPF programs (the two commands below set the same sysctl)
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
sysctl -w kernel.unprivileged_bpf_disabled=1
Restrict BPF capabilities
Limit which users can load BPF programs using Linux capabilities
setcap -r /path/to/binary
Remove CAP_BPF from non-essential processes
🧯 If You Can't Patch
- Implement strict BPF program allowlisting to control which programs can be loaded
- Monitor system logs for BPF program loading attempts and kernel panic events
🔍 How to Verify
Check if Vulnerable:
Check the kernel version (below) and whether unprivileged BPF is enabled; a value of 0 means unprivileged users may load BPF programs:
cat /proc/sys/kernel/unprivileged_bpf_disabled
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel version includes the fix commits, or check the distribution's security advisory for the fixed package version
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- BPF program loading failures
- NULL pointer dereference in kernel logs
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "BPF" OR "kernel panic")
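As an added example that is not part of this advisory, the POSIX shell script below interprets the unprivileged_bpf_disabled sysctl referenced under "How to Verify" and filters kernel log lines for the same indicators as the SIEM query above. The sample sysctl value and log lines are constructed; both functions take a file path so they can be pointed at /proc/sys/kernel/unprivileged_bpf_disabled or a saved dmesg on a real host.

```shell
#!/bin/sh
# Added example (not part of the advisory): interpret the unprivileged_bpf_disabled
# sysctl and filter kernel log lines for the indicators listed in the advisory.
# Both functions take a file path so they run against constructed input here
# and against the real sysctl file or a saved kernel log on a live host.

# Map the sysctl value to a status word.
# 0 = unprivileged BPF allowed, 1 = disabled until reboot, 2 = disabled but can be re-enabled.
bpf_status() {
    val=$(tr -d '[:space:]' < "$1")
    case "$val" in
        0) echo "unprivileged-bpf-allowed" ;;
        1) echo "unprivileged-bpf-disabled-until-reboot" ;;
        2) echo "unprivileged-bpf-disabled" ;;
        *) echo "unknown:$val" ;;
    esac
}

# Same terms as the SIEM query above, matched case-insensitively.
INDICATORS='NULL pointer dereference|BPF|kernel panic'

# Print matching log lines (exit status 1 if none match).
scan_kernel_log() {
    grep -iE "$INDICATORS" "$1"
}

# Count matching lines, printing 0 rather than failing when nothing matches.
indicator_count() {
    grep -icE "$INDICATORS" "$1" || true
}

# Constructed sample input, not output from a real system.
tmp_sysctl=$(mktemp)
tmp_log=$(mktemp)
trap 'rm -f "$tmp_sysctl" "$tmp_log"' EXIT
echo 0 > "$tmp_sysctl"
cat > "$tmp_log" <<'EOF'
kernel: usb 1-1: new high-speed USB device number 2
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
kernel: bpf: verifier rejected program load
kernel: EXT4-fs (sda1): mounted filesystem
EOF

echo "sysctl status: $(bpf_status "$tmp_sysctl")"
echo "indicator hits: $(indicator_count "$tmp_log")"
scan_kernel_log "$tmp_log"
```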