CVE-2024-47794
📋 TL;DR
A Linux kernel vulnerability in the BPF subsystem allows an infinite loop when using tail calls with freplace programs, leading to kernel panic and denial of service. This affects systems running vulnerable Linux kernel versions with BPF functionality enabled. Attackers with CAP_BPF or root privileges can trigger this condition.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic causing complete system crash and denial of service, potentially leading to data loss or service disruption.
Likely Case
Local denial of service through kernel panic, requiring system reboot to recover.
If Mitigated
No impact if BPF functionality is disabled or proper kernel hardening prevents untrusted BPF program loading.
🎯 Exploit Status
Requires ability to load BPF programs with specific tailcall/freplace configurations. Demonstrated in kernel selftests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 987aa730bad3e1ef66d9f30182294daa78f6387d and d6083f040d5d8f8d748462c77e90547097df936e
Vendor Advisory: https://git.kernel.org/stable/c/987aa730bad3e1ef66d9f30182294daa78f6387d
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version. 2. Reboot system to load new kernel. 3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable BPF functionality
linuxPrevent loading of BPF programs by disabling BPF subsystem
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
sysctl -w kernel.unprivileged_bpf_disabled=1
Restrict BPF program loading
linuxLimit which users can load BPF programs using capabilities
setcap -r /path/to/binary
Remove CAP_BPF from non-essential users/processes
🧯 If You Can't Patch
- Implement strict capability controls to prevent untrusted users from loading BPF programs
- Monitor system logs for kernel panic events and implement automated alerting
🔍 How to Verify
Check if Vulnerable:
Check kernel version and compare with patched versions containing the fix commitsCheck Version:
uname -rVerify Fix Applied:
Verify kernel version includes the fix commits: 987aa730bad3e1ef66d9f30182294daa78f6387d and d6083f040d5d8f8d748462c77e90547097df936e📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- BPF program loading failures
- System crash/reboot events
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("panic" OR "Oops" OR "BPF")