CVE-2024-42246
📋 TL;DR
A Linux kernel vulnerability in the SUNRPC subsystem causes an infinite loop when a BPF program returns -EPERM during TCP connection setup. This can lead to system freezes and log flooding. Systems using SUNRPC with BPF programs on kernel_connect() are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel freezes completely, requiring hard reboot and causing denial of service on affected systems.
Likely Case
System logs fill up rapidly, potentially causing performance degradation and denial of service through resource exhaustion.
If Mitigated
Minimal impact if BPF programs don't trigger -EPERM or SUNRPC isn't used.
🎯 Exploit Status
Exploitation requires specific BPF program configuration and SUNRPC usage. More likely to be triggered accidentally than maliciously.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple stable kernel versions with commits: 02ee1976edb21a96ce8e3fd4ef563f14cc16d041, 5d8254e012996cee1a0f9cc920531cb7e4d9a011, 626dfed5fa3bfb41e0dffd796032b555b69f9cde, 934247ea65bc5eca8bdb7f8c0ddc15cef992a5d6, bc790261218952635f846aaf90bcc0974f6f62c6
Vendor Advisory: https://git.kernel.org/stable/c/02ee1976edb21a96ce8e3fd4ef563f14cc16d041
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution. 2. Reboot system to load new kernel. 3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable problematic BPF programs
linuxRemove or modify BPF programs that could return -EPERM on kernel_connect() calls
# Review and remove BPF programs using: bpftool prog list
# Or modify programs to avoid returning -EPERM
Monitor system logs
linuxSet up log rotation and monitoring to detect log flooding
# Configure logrotate: /etc/logrotate.conf
# Monitor syslog: tail -f /var/log/syslog
🧯 If You Can't Patch
- Avoid using BPF programs that could return -EPERM on SUNRPC connections
- Implement aggressive log rotation and monitoring for syslog flooding
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if SUNRPC with BPF programs returning -EPERM is in useCheck Version:
uname -rVerify Fix Applied:
Verify kernel version includes the patch commits and test SUNRPC connections with BPF programs📡 Detection & Monitoring
Log Indicators:
- Rapid syslog filling with connection errors
- Repeated EPERM errors in kernel logs
Network Indicators:
- SUNRPC connection failures when BPF programs are active
SIEM Query:
source="kernel" AND "EPERM" AND "xs_tcp_setup_socket"🔗 References
- https://git.kernel.org/stable/c/02ee1976edb21a96ce8e3fd4ef563f14cc16d041
- https://git.kernel.org/stable/c/5d8254e012996cee1a0f9cc920531cb7e4d9a011
- https://git.kernel.org/stable/c/626dfed5fa3bfb41e0dffd796032b555b69f9cde
- https://git.kernel.org/stable/c/934247ea65bc5eca8bdb7f8c0ddc15cef992a5d6
- https://git.kernel.org/stable/c/bc790261218952635f846aaf90bcc0974f6f62c6
- https://git.kernel.org/stable/c/d6c686c01c5f12ff8f7264e0ddf71df6cb0d4414
- https://git.kernel.org/stable/c/f2431e7db0fe0daccb2f06bb0d23740affcd2fa6
- https://git.kernel.org/stable/c/f388cfd913a2b96c05339a335f365795db1b36b6
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
