CVE-2024-58060

7.8 HIGH

📋 TL;DR

A use-after-free in the Linux kernel's BPF subsystem lets an attacker corrupt kernel memory by registering a struct_ops that carries module pointers on a kernel compiled without module support (CONFIG_MODULES=n). It affects Linux systems with BPF enabled that were built without module support and can lead to kernel crashes or privilege escalation.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernels that do not include the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions with affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the kernel is compiled with CONFIG_MODULES=n (module support disabled) and BPF struct_ops functionality is used. Most production kernels have CONFIG_MODULES=y.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to a system crash, or privilege escalation to root if an attacker can turn the use-after-free into arbitrary code execution in kernel context.

🟠 Likely Case

Kernel crash or instability when BPF programs attempt to register struct_ops with module pointers on CONFIG_MODULES=n kernels.

🟢 If Mitigated

No impact if the kernel is compiled with module support (CONFIG_MODULES=y) or if the affected BPF functionality is disabled.

🌐 Internet-Facing: LOW - Requires local access or ability to load BPF programs, which typically requires elevated privileges.
🏢 Internal Only: MEDIUM - Local attackers with CAP_BPF or root access could potentially exploit this to crash systems or escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to load BPF programs (typically CAP_BPF or root) and knowledge of how to trigger the specific struct_ops registration path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 2324fb4e9209, 96ea081ed52b, or b777b14c2a4a

Vendor Advisory: https://git.kernel.org/stable/c/2324fb4e92092837ee278fdd8d60c48ee1a619ce

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the fix is applied by checking the kernel version.

🔧 Temporary Workarounds

Disable BPF struct_ops

all

Prevent registration of BPF struct_ops that could trigger the vulnerability

sysctl -w kernel.bpf_struct_ops=0

Ensure CONFIG_MODULES=y

all

Rebuild the kernel with module support enabled to avoid the vulnerable code path

Check /boot/config-$(uname -r) for CONFIG_MODULES=y

🧯 If You Can't Patch

  • Restrict BPF program loading to trusted users only using capabilities or SELinux/AppArmor policies
  • Monitor for suspicious BPF program loading attempts and kernel panic events

🔍 How to Verify

Check if Vulnerable:

Check whether the kernel was built with CONFIG_MODULES=n and whether it lacks the fix commits for CVE-2024-58060, by examining the kernel version and confirming that the patch commits are present.
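A shell check for the precondition described above, added here as an example and not taken from the advisory or the kernel project: it reads a kernel .config (such as /boot/config-$(uname -r)) and reports whether the build has CONFIG_MODULES=n while BPF struct_ops is compiled in. It assumes struct_ops is built when CONFIG_BPF_SYSCALL=y and CONFIG_BPF_JIT=y, and the demo uses a constructed sample config rather than the running host.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): check whether a
# kernel .config meets the precondition for CVE-2024-58060, i.e. built with
# CONFIG_MODULES=n while BPF struct_ops is compiled in. Assumption: struct_ops
# is built when CONFIG_BPF_SYSCALL=y and CONFIG_BPF_JIT=y. A positive result
# means the code path exists; whether the fix commits are present must still be
# confirmed against the vendor kernel changelog.

# kconfig_value FILE SYMBOL: print y, m or n ("is not set" and absent are n);
# returns 2 if FILE cannot be read.
kconfig_value() {
    file=$1; sym=$2
    [ -r "$file" ] || return 2
    val=$(grep -E "^(# )?$sym[= ]" "$file" | tail -n 1)
    case "$val" in
        "$sym=y") echo y ;;
        "$sym=m") echo m ;;
        *)        echo n ;;
    esac
}

# exposure_check FILE: 0 = precondition met, 1 = not met, 2 = unreadable config
exposure_check() {
    modules=$(kconfig_value "$1" CONFIG_MODULES) || return 2
    syscall=$(kconfig_value "$1" CONFIG_BPF_SYSCALL) || return 2
    jit=$(kconfig_value "$1" CONFIG_BPF_JIT) || return 2
    if [ "$modules" = n ] && [ "$syscall" = y ] && [ "$jit" = y ]; then
        echo "precondition met: CONFIG_MODULES=n with BPF struct_ops compiled in"
        return 0
    fi
    echo "precondition not met: MODULES=$modules BPF_SYSCALL=$syscall BPF_JIT=$jit"
    return 1
}

# Constructed sample config (not a real build): the vulnerable combination.
sample_config() {
    printf '%s\n' '# CONFIG_MODULES is not set' 'CONFIG_BPF_SYSCALL=y' \
        'CONFIG_BPF_JIT=y'
}

# Demo on the sample; on a live host pass /boot/config-$(uname -r) instead.
tmp=$(mktemp)
sample_config > "$tmp"
exposure_check "$tmp"
rm -f "$tmp"
```

On hosts that expose the running config only through /proc/config.gz, decompress it to a file first and pass that file to exposure_check.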

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits: grep -q '2324fb4e9209\|96ea081ed52b\|b777b14c2a4a' /proc/version || uname -r

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • BPF registration failures in dmesg
  • Use-after-free warnings in kernel logs

SIEM Query:

source="kernel" AND ("panic" OR "UAF" OR "use-after-free" OR "bpf_struct_ops")
