CVE-2024-58070
📋 TL;DR
This CVE addresses a race condition in the Linux kernel's BPF local storage subsystem when running with PREEMPT_RT (real-time) configuration. The vulnerability could cause kernel panics or system crashes when BPF programs attempt to allocate memory in atomic contexts. This affects Linux systems with CONFIG_PREEMPT_RT enabled running vulnerable kernel versions.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially disrupting critical real-time operations.
Likely Case
System instability or crashes when BPF programs are executed in PREEMPT_RT environments, causing service interruptions.
If Mitigated
Minimal impact if systems don't use PREEMPT_RT configuration or have patched kernels.
🎯 Exploit Status
Exploitation requires ability to load BPF programs (typically CAP_BPF or root privileges) and PREEMPT_RT configuration. More likely to be triggered accidentally than maliciously.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commit 3392fa605d7c5708c5fbe02e4fbdac547c3b7352 or later
Vendor Advisory: https://git.kernel.org/stable/c/3392fa605d7c5708c5fbe02e4fbdac547c3b7352
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. For distributions: use the package manager to update the kernel package.
3. Rebuild the kernel if using a custom build.
4. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable PREEMPT_RT configuration
Switch to a standard kernel configuration without real-time patches
# Reconfigure kernel without CONFIG_PREEMPT_RT
# Requires kernel rebuild and reboot
Restrict BPF program loading
Limit the ability to load BPF programs to prevent triggering the vulnerability
# Set kernel.unprivileged_bpf_disabled=1
sysctl -w kernel.unprivileged_bpf_disabled=1
🧯 If You Can't Patch
- Disable BPF program loading for unprivileged users via sysctl
- Monitor system logs for kernel panic messages related to BPF local storage
🔍 How to Verify
Check if Vulnerable:
Check whether CONFIG_PREEMPT_RT is enabled: grep CONFIG_PREEMPT_RT /boot/config-$(uname -r); alternatively, compare the kernel version against the affected range.
Check Version:
uname -r
Verify Fix Applied:
Run uname -r and confirm that the running kernel is a release that includes the fix commit.
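The verification and workaround steps above can be folded into one script. The following is an added example, not part of the advisory: it reads a kernel config file and the value of kernel.unprivileged_bpf_disabled and prints an exposure assessment. Function names are constructed, and the two sample config files are constructed stand-ins for /boot/config-$(uname -r). Note that the sysctl only blocks unprivileged bpf(2) callers; since the advisory states that triggering requires CAP_BPF or root anyway, it narrows the population of loaders rather than removing the condition, so the script reports an RT kernel as exposed either way.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether a host is in the
# exposed population for CVE-2024-58070 from (a) its kernel config file and
# (b) the value of the kernel.unprivileged_bpf_disabled sysctl.
# Function names and the sample config contents below are constructed.

# preempt_rt_enabled CONFIG_FILE: succeed (0) if CONFIG_PREEMPT_RT=y is set.
preempt_rt_enabled() {
    grep -q '^CONFIG_PREEMPT_RT=y$' "$1"
}

# unprivileged_bpf_restricted VALUE: succeed if the sysctl value blocks
# unprivileged bpf(2) calls (1 = disabled and locked, 2 = disabled but
# re-enableable by writing 0).
unprivileged_bpf_restricted() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# exposure CONFIG_FILE SYSCTL_VALUE: print a one-line assessment.
exposure() {
    if ! preempt_rt_enabled "$1"; then
        echo "not-exposed: CONFIG_PREEMPT_RT is not enabled"
    elif unprivileged_bpf_restricted "$2"; then
        echo "exposed: CONFIG_PREEMPT_RT enabled; BPF loading limited to privileged users (CAP_BPF/root)"
    else
        echo "exposed: CONFIG_PREEMPT_RT enabled and unprivileged BPF loading allowed"
    fi
}

# check_live_system: run the assessment against the running kernel. Uses
# /boot/config-$(uname -r) when present, otherwise /proc/config.gz (needs
# CONFIG_IKCONFIG_PROC). Not called by default so the script stays offline.
check_live_system() {
    cfg="/boot/config-$(uname -r)"
    if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
        cfg=$(mktemp)
        zcat /proc/config.gz > "$cfg"
    fi
    exposure "$cfg" "$(sysctl -n kernel.unprivileged_bpf_disabled)"
}

# Constructed sample config files standing in for /boot/config-<release>.
RT_CONFIG=$(mktemp)
printf '%s\n' 'CONFIG_PREEMPT_RT=y' 'CONFIG_BPF_SYSCALL=y' > "$RT_CONFIG"
STD_CONFIG=$(mktemp)
printf '%s\n' '# CONFIG_PREEMPT_RT is not set' 'CONFIG_BPF_SYSCALL=y' > "$STD_CONFIG"

# Demonstration on the constructed inputs (a real run would call check_live_system).
exposure "$STD_CONFIG" 0
exposure "$RT_CONFIG" 0
exposure "$RT_CONFIG" 1
```

On a live host, call check_live_system after sourcing the script; the result still has to be combined with the kernel version check above, because an RT kernel that already contains the fix commit will be reported as exposed by the config test alone.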
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning bpf_local_storage, sleeping function called from invalid context, or spinlock_rt.c
Network Indicators:
- None - local vulnerability
SIEM Query:
source="kernel" AND ("bpf_local_storage" OR "sleeping function called from invalid context" OR "spinlock_rt.c")
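For hosts without a SIEM, the same indicators can be checked directly against the kernel log. The following is an added example, not part of the advisory: it applies the three log indicators listed above to lines read on stdin, counts matching lines and prints an alert with the first hit. The sample log in SAMPLE_LOG is constructed to resemble the PREEMPT_RT "sleeping function" splat; its timestamps, pid and symbol offsets are made up, and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: scan kernel log lines for the
# CVE-2024-58070 indicators and summarise hits. The SAMPLE_LOG lines are
# constructed (timestamps, pid and offsets are invented).

# Indicators from the advisory's log-indicator list, as an ERE alternation.
INDICATORS='bpf_local_storage|sleeping function called from invalid context|spinlock_rt\.c'

# count_indicators: read log lines on stdin, print the number of matching lines.
count_indicators() {
    grep -c -E "$INDICATORS" || true
}

# first_indicator: read log lines on stdin, print the first matching line.
first_indicator() {
    grep -E "$INDICATORS" | head -n 1
}

# assess: read a log on stdin, print a summary line; exit 0 when indicators
# were found and 1 otherwise, so it can double as a health-check exit status.
assess() {
    tmp=$(mktemp)
    cat > "$tmp"
    n=$(count_indicators < "$tmp")
    if [ "$n" -gt 0 ]; then
        printf 'ALERT CVE-2024-58070 indicators: %s line(s); first: %s\n' \
            "$n" "$(first_indicator < "$tmp")"
        rm -f "$tmp"
        return 0
    fi
    echo "no CVE-2024-58070 indicators found"
    rm -f "$tmp"
    return 1
}

# Constructed sample kernel log: two lines carry indicators, three do not.
SAMPLE_LOG=$(cat <<'EOF'
[   35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[   35.118621] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1251, name: bpf_test
[   35.118700] Call Trace:
[   35.118733]  bpf_local_storage_alloc+0x2a/0x1f0
[   36.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
)

# Demonstration on the constructed log; on a live host use:
#   dmesg | assess        or        journalctl -k | assess
printf '%s\n' "$SAMPLE_LOG" | assess
```

A line that carries two indicators (the first splat line matches both "sleeping function called from invalid context" and "spinlock_rt.c") is counted once, so the count reflects log lines, not indicator strings.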