CVE-2024-49864

4.7 MEDIUM

📋 TL;DR

A race condition vulnerability in the Linux kernel's rxrpc subsystem allows packets to be processed before the I/O thread is fully initialized, potentially causing a kernel oops (crash). This affects systems using the AF_RXRPC socket implementation for remote procedure calls. The vulnerability can lead to denial of service but does not allow arbitrary code execution.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE, but patches are available in stable kernel trees. Likely affects versions where rxrpc_open_socket() has the race condition.
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if AF_RXRPC (CONFIG_AF_RXRPC) is enabled and used. Many distributions may not enable this by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, requiring physical or remote console access to reboot.

🟠

Likely Case

System instability or crash when AF_RXRPC sockets are actively used, resulting in temporary service disruption.

🟢

If Mitigated

Minimal impact if AF_RXRPC is not used or if packets are dropped during the race window.

🌐 Internet-Facing: LOW - AF_RXRPC is typically used for internal RPC communication, not directly internet-exposed services.
🏢 Internal Only: MEDIUM - Systems using AF_RXRPC for internal communication could experience crashes affecting dependent services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering the race condition by sending packets at the precise moment between socket setup and I/O thread creation. This is timing-dependent and may be difficult to reliably achieve.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees via provided git commits (e.g., 56e415202b8a17de6496f4023e545fcb66f118ec).

Vendor Advisory: https://git.kernel.org/stable/c/56e415202b8a17de6496f4023e545fcb66f118ec

Restart Required: Yes

Instructions:

1. Update Linux kernel to a patched version from your distribution's repository.
2. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable AF_RXRPC module

linux

Prevent loading of the vulnerable rxrpc kernel module if not required.

echo 'install rxrpc /bin/true' >> /etc/modprobe.d/disable-rxrpc.conf
rmmod rxrpc

🧯 If You Can't Patch

  • Ensure AF_RXRPC is not in use by checking active sockets and disabling the module.
  • Implement network segmentation to restrict access to systems using AF_RXRPC, reducing attack surface.

🔍 How to Verify

Check if Vulnerable:

Check if AF_RXRPC is enabled and in use: 'lsmod | grep rxrpc' and 'ss -a | grep rxrpc'. If the module is loaded or sockets exist, the system may be vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Run 'uname -r' to get the running kernel version, then check with your distribution vendor that this kernel build includes one of the patched commits.

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages in /var/log/kern.log or dmesg output related to rxrpc or general protection faults.

Network Indicators:

  • Unexpected UDP packets to ports associated with AF_RXRPC services (typically not standard ports).

SIEM Query:

source="kern.log" AND "rxrpc" AND ("Oops" OR "general protection fault")
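
The log indicator above, as an added example that is not part of the original advisory: when kern.log is ingested one line per event, the oops header and the rxrpc stack frames usually sit on different lines, so this script correlates a header with rxrpc mentions in the lines that follow it. The function names, the 40-line window and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names, the 40-line
# window and the sample log are assumptions made for illustration.

# Print the header line of every oops whose following lines mention rxrpc.
# stdin: kernel log text; $1: lines to inspect per oops (default 40).
rxrpc_oops_scan() {
    awk -v window="${1:-40}" '
        /Oops|general protection fault|BUG: kernel NULL pointer/ {
            # Start a new window unless already inside one oops report.
            if (!active) { header = $0; left = window; active = 1; hit = 0 }
        }
        active {
            if (!hit && /rxrpc/) { print header; hit = 1 }
            # Close the window at the end-of-trace marker or when it runs out.
            if (/---\[ end trace/ || --left <= 0) active = 0
        }
    '
}

# Count lines carrying both "rxrpc" and an oops keyword (same-line match).
same_line_count() {
    grep 'rxrpc' | grep -Ec 'Oops|general protection fault' || true
}

# Constructed kernel log: module load, an rxrpc-related oops, an unrelated fault.
sample_log() {
    cat <<'EOF'
[   12.100000] Key type rxrpc registered
[  301.500000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  301.500010] Oops: 0000 [#1] PREEMPT SMP
[  301.500020] Call Trace:
[  301.500030]  rxrpc_encap_rcv+0x10/0x40 [rxrpc]
[  301.500040] ---[ end trace 0000000000000000 ]---
[  950.000000] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#2] SMP
[  950.000010] Call Trace:
[  950.000020]  ext4_readdir+0x20/0x80
[  950.000030] ---[ end trace 0000000000000000 ]---
EOF
}

# Stand-alone run: prints the header of the one rxrpc-related oops.
sample_log | rxrpc_oops_scan
```

On a live host, feed it `dmesg` or the kern.log file instead of `sample_log`; the same-line count on the sample is 0, which is why the windowed correlation is used.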
