CVE-2024-44934
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's bridge multicast implementation allows an attacker to potentially crash the system or execute arbitrary code. This affects systems using bridge networking with multicast enabled. The vulnerability occurs when a port is removed while garbage collection timers are still running.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or potential arbitrary code execution with kernel privileges leading to complete system compromise.
Likely Case
System crash or kernel panic causing denial of service on affected systems.
If Mitigated
Limited impact if bridge networking and multicast are disabled or if systems are patched.
🎯 Exploit Status
Exploitation requires local access and specific conditions (bridge networking with multicast). The race condition makes reliable exploitation challenging.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 0d8b26e10e680c01522d7cc14abe04c3265a928f, 1e16828020c674b3be85f52685e8b80f9008f50f, 92c4ee25208d0f35dafc3213cdf355fbe449e078, b2f794b168cf560682ff976b255aa6d29d14a658, e3145ca904fa8dbfd1a5bf0187905bc117b0efce
Vendor Advisory: https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. Check your distribution's security advisories for the specific patched versions.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Disable bridge multicast
Disable multicast snooping on bridge interfaces to keep the vulnerable code path from running
echo 0 > /sys/class/net/br0/bridge/multicast_snooping
ip link set dev br0 type bridge mcast_snooping 0
Remove bridge interfaces
Remove bridge networking if it is not required
ip link delete br0
brctl delbr br0
🧯 If You Can't Patch
- Disable bridge networking entirely if not required
- Ensure no bridge interfaces have multicast enabled
🔍 How to Verify
Check if Vulnerable:
Check the running kernel version and whether any bridge interfaces exist with multicast snooping enabled: 'uname -r' and 'ip link show type bridge'
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel version contains the fix, then check any remaining bridge interfaces: 'cat /sys/class/net/br0/bridge/multicast_snooping' should print 0 if snooping is disabled
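The manual check above only covers one bridge name (br0). The following POSIX shell script is an added example, not part of the advisory, that walks every network device under sysfs, treats any device with a bridge/ subdirectory as a bridge, and reports those whose multicast_snooping is still 1. The SYSFS_NET variable and the function names are assumptions of this example; the sysfs file path itself is the one the advisory uses.

```shell
#!/bin/sh
# Added example (not from the advisory): enumerate bridge interfaces that
# still have multicast snooping enabled, so each one can be reviewed or
# disabled before the kernel is patched.
# SYSFS_NET defaults to the real sysfs tree; a constructed directory with
# the same layout can be passed as the first argument for testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the names of bridges under the given root whose
# bridge/multicast_snooping file contains 1. A netdev is a bridge exactly
# when the kernel exposes a "bridge" subdirectory for it.
bridges_with_mcast_snooping() {
    root="${1:-$SYSFS_NET}"
    for dev in "$root"/*/; do
        dev="${dev%/}"
        [ -f "$dev/bridge/multicast_snooping" ] || continue
        if [ "$(cat "$dev/bridge/multicast_snooping")" = "1" ]; then
            printf '%s\n' "${dev##*/}"
        fi
    done
}

# Summarise the result: exit 0 when no bridge has snooping enabled,
# exit 1 (after listing the offenders) otherwise.
check_bridges() {
    found=$(bridges_with_mcast_snooping "$1")
    if [ -n "$found" ]; then
        printf 'multicast snooping still enabled on: %s\n' \
            "$(printf '%s' "$found" | tr '\n' ' ')"
        return 1
    fi
    echo "no bridge interface has multicast snooping enabled"
    return 0
}

# Run the check when the file is executed directly as check_bridges.sh
# (hypothetical file name); when sourced, only the functions are defined.
case "$0" in *check_bridges.sh) check_bridges ;; esac
```

Run it as `sh check_bridges.sh` on the host; a non-zero exit status means at least one bridge still has snooping on and the workaround from the section above (`ip link set dev <bridge> type bridge mcast_snooping 0`) has not been applied to it.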
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN use-after-free reports in dmesg
- Bridge interface removal errors
Network Indicators:
- Unexpected bridge interface disappearance
- Multicast traffic disruption
SIEM Query:
source="kernel" AND ("KASAN" OR "use-after-free" OR "br_multicast")
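The SIEM query above assumes kernel messages are already shipped to a log platform. As an added example (not part of the advisory), the POSIX shell functions below apply the same indicators to a local kernel log stream, such as the output of `dmesg`: matching lines are printed, and a count is returned so the check can be scripted. The sample log lines in the test are constructed for illustration and are not real kernel output.

```shell
#!/bin/sh
# Added example (not from the advisory): filter a kernel log stream for the
# indicators listed in the Detection & Monitoring section.
# Read kernel log lines on stdin and print those that match one of the
# indicators: KASAN reports, use-after-free messages, bridge multicast
# code references, and kernel panic messages. Matching is case-insensitive.
kernel_log_indicators() {
    grep -i -E 'KASAN|use-after-free|br_multicast|Kernel panic'
}

# Count matching lines on stdin; prints the number and exits 0 so it can be
# captured with $(...) even when nothing matches.
count_kernel_log_indicators() {
    kernel_log_indicators | wc -l | tr -d ' '
}

# Usage on a live host (hypothetical file name, not run when sourced):
#   dmesg | sh kernel_log_indicators.sh
case "$0" in *kernel_log_indicators.sh) kernel_log_indicators ;; esac
```

`grep` exits 1 when nothing matches, so callers that run `kernel_log_indicators` directly under `set -e` should test its status with `if` rather than as a bare statement; `count_kernel_log_indicators` hides that status behind `wc` and always returns 0.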
🔗 References
- https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f
- https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f
- https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078
- https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658
- https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html