CVE-2024-56569
📋 TL;DR
A null pointer dereference vulnerability in the Linux kernel's ftrace subsystem allows local attackers to crash the kernel by writing a malformed module filter command to stack_trace_filter. This affects systems with ftrace enabled and where attackers have write access to the tracing debug filesystem. Kernel crashes lead to denial of service.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local attacker with write access to /sys/kernel/tracing/stack_trace_filter causes kernel panic, resulting in system crash and denial of service.
Likely Case
Local user or process with debugging privileges triggers kernel crash, causing system instability or downtime.
If Mitigated
With proper access controls on debugfs and limited user privileges, impact is minimal as only authorized users can trigger the vulnerability.
🎯 Exploit Status
Exploitation requires local access and appropriate permissions to write to debugfs. No authentication bypass needed beyond existing file permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check kernel commits: 19cacabdd5a8487ae566cbecb4d03bcb038a067e, 43ca32ce12888fb0eeb2d74dfc558dea60d3473e, 45af52e7d3b8560f21d139b3759735eead8b1653, 5dabb7af57bc72308a6e2e81a5dd756eef283803, 7ae27880de3482e063fcc1f72d9a298d0d391407
Vendor Advisory: https://git.kernel.org/stable/c/19cacabdd5a8487ae566cbecb4d03bcb038a067e
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Restrict debugfs access
Limit write access to /sys/kernel/tracing/stack_trace_filter to prevent unauthorized users from triggering the vulnerability.
chmod 600 /sys/kernel/tracing/stack_trace_filter
chown root:root /sys/kernel/tracing/stack_trace_filter
Disable ftrace if not needed
Disable kernel tracing functionality to eliminate the attack surface.
echo 0 > /sys/kernel/tracing/tracing_on
🧯 If You Can't Patch
- Implement strict access controls on /sys/kernel/tracing directory
- Monitor for unauthorized access attempts to debugfs and kernel panic events
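A non-destructive way to confirm the permission workaround is in place, as an added example that is not part of the original advisory: it reports whether the filter file is owned by the expected UID (root by default) and has no group or other write bit. The function name and verdict strings are illustrative, and `stat -c` assumes GNU coreutils or BusyBox.

```sh
#!/bin/sh
# Added example: audit ownership and mode of the ftrace filter file.
# audit_filter PATH [UID] prints one verdict; returns 0 only for "ok".
audit_filter() {
    path=$1
    want_uid=${2:-0}                     # expected owner, root by default
    if [ ! -e "$path" ]; then
        # Not present (stack tracer not built in, tracefs not mounted here),
        # or not visible to the user running the audit.
        echo "absent"
        return 2
    fi
    mode=$(stat -c '%a' "$path") || return 3
    uid=$(stat -c '%u' "$path") || return 3
    perm=$((0$mode))                     # leading 0: parse as octal
    if [ $((perm & 022)) -ne 0 ]; then   # group or other may write
        echo "loose-mode:$mode"
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "wrong-owner:uid=$uid"
        return 1
    fi
    echo "ok"
}

# Default target is the path named in the workaround above.
audit_filter "${1:-/sys/kernel/tracing/stack_trace_filter}" ||
    echo "review needed: see verdict above" >&2
```

tracefs is an in-memory filesystem, so modes set with chmod are lost on reboot or remount; run the audit as root from a boot-time job to catch that.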
🔍 How to Verify
Check if Vulnerable:
Check if echo "write*:mod:ext3" > /sys/kernel/tracing/stack_trace_filter causes kernel issues (CAUTION: may crash system)
Check Version:
uname -r
Verify Fix Applied:
After patching, attempt the vulnerable command and verify system remains stable
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- Null pointer dereference errors in kernel logs
- Unauthorized access attempts to /sys/kernel/tracing/
Network Indicators:
- None - local vulnerability only
SIEM Query:
search ('kernel panic' OR 'null pointer dereference') AND ('ftrace' OR 'stack_trace_filter')
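The kernel prints an oops header and its call trace on separate log lines, so matching the log indicators above means correlating lines within one oops block. The following added example (not part of the original advisory) does that with awk; the sample log and the `*_placeholder_fn` symbols are constructed, and the function names are illustrative.

```sh
#!/bin/sh
# Constructed sample kernel log (not from a real crash). The *_placeholder_fn
# symbols are hypothetical stand-ins for call-trace entries.
sample_log() {
    cat <<'EOF'
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  101.000002] Call Trace:
[  101.000003]  ftrace_placeholder_fn+0x10/0x40
[  101.000004] ---[ end trace 0000000000000000 ]---
[  202.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  202.000002] Call Trace:
[  202.000003]  netdrv_placeholder_fn+0x22/0x90
[  202.000004] ---[ end trace 0000000000000000 ]---
[  303.000001] ftrace: allocating 40000 entries in 157 pages
EOF
}

# Read a kernel log on stdin. Print the header of each NULL-dereference oops
# whose block (up to "end trace", at most 40 lines) mentions ftrace or
# stack_trace. Lines outside an oops block are ignored, so routine ftrace
# boot messages do not raise an alert.
find_ftrace_oops() {
    awk -v window=40 '
        /NULL pointer dereference/ { hdr = $0; left = window; hit = 0; next }
        left > 0 {
            left--
            if (!hit && ($0 ~ /ftrace|stack_trace/)) { print hdr; hit = 1 }
            if ($0 ~ /end trace/) left = 0
        }
    '
}

# Demo on the constructed sample; in practice pipe in `journalctl -k` or `dmesg`.
sample_log | find_ftrace_oops
```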
🔗 References
- https://git.kernel.org/stable/c/19cacabdd5a8487ae566cbecb4d03bcb038a067e
- https://git.kernel.org/stable/c/43ca32ce12888fb0eeb2d74dfc558dea60d3473e
- https://git.kernel.org/stable/c/45af52e7d3b8560f21d139b3759735eead8b1653
- https://git.kernel.org/stable/c/5dabb7af57bc72308a6e2e81a5dd756eef283803
- https://git.kernel.org/stable/c/7ae27880de3482e063fcc1f72d9a298d0d391407
- https://git.kernel.org/stable/c/885109aa0c70639527dd6a65c82e63c9ac055e3d
- https://git.kernel.org/stable/c/8a92dc4df89c50bdb26667419ea70e0abbce456e
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html