CVE-2024-43870
📋 TL;DR
A memory leak vulnerability in the Linux kernel's perf subsystem allows attackers to cause resource exhaustion by preventing proper cleanup of performance monitoring events during task exit. This affects all Linux systems using the perf subsystem, particularly those running untrusted code or workloads.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or potential privilege escalation through memory corruption side effects.
Likely Case
Local denial of service through gradual memory consumption, potentially causing system slowdowns or crashes over time.
If Mitigated
Minimal impact with proper resource limits and monitoring in place; isolated to individual processes.
🎯 Exploit Status
Requires local access and ability to trigger perf events; timing-dependent race condition makes reliable exploitation challenging.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 05d3fd599594abf79aad4484bccb2b26e1cb0b51, 2fd5ad3f310de22836cdacae919dd99d758a1f1b, 3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a, 67fad724f1b568b356c1065d50df46e6b30eb2f7, 70882d7fa74f0731492a0d493e8515a4f7131831
Vendor Advisory: https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable perf subsystem
linuxPrevents exploitation by disabling the vulnerable subsystem
echo 0 > /proc/sys/kernel/perf_event_paranoid
kernel.perf_event_paranoid=3 in /etc/sysctl.conf
Restrict perf access
linuxLimit which users can access perf events
sysctl -w kernel.perf_event_paranoid=2
chmod 750 /proc/sys/kernel/perf_event_paranoid
🧯 If You Can't Patch
- Implement strict resource limits (ulimit, cgroups) to contain memory consumption
- Monitor system memory usage and perf event counts for abnormal patterns
🔍 How to Verify
Check if Vulnerable:
Check kernel version against distribution security advisories; examine if perf events show abnormal refcounts during process exitCheck Version:
uname -rVerify Fix Applied:
Verify kernel version includes the fix commits; test perf event cleanup during rapid process creation/termination📡 Detection & Monitoring
Log Indicators:
- Kernel warnings about event refcount mismatches
- Abnormal memory consumption in /proc/meminfo
- Perf subsystem errors in dmesg
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("perf_event" OR "event refcount" OR "WARN")🔗 References
- https://git.kernel.org/stable/c/05d3fd599594abf79aad4484bccb2b26e1cb0b51
- https://git.kernel.org/stable/c/2fd5ad3f310de22836cdacae919dd99d758a1f1b
- https://git.kernel.org/stable/c/3d7a63352a93bdb8a1cdf29606bf617d3ac1c22a
- https://git.kernel.org/stable/c/67fad724f1b568b356c1065d50df46e6b30eb2f7
- https://git.kernel.org/stable/c/70882d7fa74f0731492a0d493e8515a4f7131831
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
