CVE-2024-57900
Published: 15 January 2025
Summary
CVE-2024-57900 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57900 is a race condition vulnerability in the Linux kernel's ILA (Identifier Locator Addressing) module, specifically within the ila_add_mapping() function. It arises from concurrent calls to nf_register_net_hooks(), leading to a slab-use-after-free (CWE-416) in the rhashtable implementation, as detected by syzbot during IPv6 packet processing. The issue was triggered by simultaneous ILA_CMD_ADD commands and affects Linux kernels prior to the application of the fixing commits, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by issuing concurrent ILA_CMD_ADD commands, potentially racing to trigger the use-after-free during rhashtable lookups in ila_xlat_addr() invoked from the IPv6 input path (ipv6_rcv). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, denial of service via crash, or arbitrary code execution.
Mitigation is provided through stable kernel patches that introduce a mutex to serialize calls to nf_register_net_hooks(), ensuring at most one thread executes it at a time. Relevant commits include 1638f430f8900f2375f5de45508fbe553997e190, 17e8fa894345e8d2c7a7642482267b275c3d4553, 260466b576bca0081a7d4acecc8e93687aa22d0e, 3d1b63cf468e446b9feaf4e4e73182b9cc82f460, and ad0677c37c14fa28913daea92d139644d7acf04e, available in the Linux kernel stable repository.
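The fix described above is a serialization fix: the first ILA_CMD_ADD registers the netfilter hooks lazily, and two callers that both observe "not yet registered" both run the registration. The following userspace model is an added example, not kernel code and not the upstream patch; every name in it (ila_net_model, model_nf_register_net_hooks, add_mapping_unserialized, add_mapping_serialized, run_concurrent_adds) is constructed for illustration. It shows the unserialized check-then-register pattern beside the mutex-protected form the commits introduce, and counts how many times the registration stand-in runs when several threads are released at once.

```c
/* Added example, not kernel code: a userspace model of the check-then-register
 * race in ila_add_mapping() and of the mutex that the fix adds around
 * nf_register_net_hooks(). All identifiers below are constructed. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Model of the per-namespace ILA state: hooks are registered lazily by the
 * first ILA_CMD_ADD, which is the step that races. */
struct ila_net_model {
    atomic_int hooks_registered;  /* flag checked before registering */
    atomic_int register_calls;    /* times the modelled registration ran */
    pthread_mutex_t lock;         /* serialization introduced by the fix */
};

/* Stand-in for nf_register_net_hooks(): deliberately slow so the window
 * between "flag is clear" and "flag is set" is wide enough to observe. */
static void model_nf_register_net_hooks(struct ila_net_model *n)
{
    atomic_fetch_add(&n->register_calls, 1);
    for (volatile int i = 0; i < 200000; i++)
        ;
}

/* Unfixed pattern: every caller that sees the flag clear registers the hooks. */
static void add_mapping_unserialized(struct ila_net_model *n)
{
    if (!atomic_load(&n->hooks_registered)) {
        model_nf_register_net_hooks(n);
        atomic_store(&n->hooks_registered, 1);
    }
}

/* Fixed pattern: the mutex turns check-and-register into one critical section,
 * so at most one thread is ever inside the modelled nf_register_net_hooks(). */
static void add_mapping_serialized(struct ila_net_model *n)
{
    pthread_mutex_lock(&n->lock);
    if (!atomic_load(&n->hooks_registered)) {
        model_nf_register_net_hooks(n);
        atomic_store(&n->hooks_registered, 1);
    }
    pthread_mutex_unlock(&n->lock);
}

struct worker_arg {
    struct ila_net_model *net;
    atomic_int *go;        /* start gate so all callers enter together */
    int serialized;
};

static void *worker(void *p)
{
    struct worker_arg *a = p;
    while (!atomic_load(a->go))
        ;                  /* spin until every "ILA_CMD_ADD" caller is ready */
    if (a->serialized)
        add_mapping_serialized(a->net);
    else
        add_mapping_unserialized(a->net);
    return NULL;
}

/* Run nthreads concurrent mapping adds against a fresh model and return how
 * many times the registration stand-in ran. The serialized variant always
 * returns 1; the unserialized one returns more than 1 whenever the race window
 * is hit. Returns -1 for an unsupported thread count. */
int run_concurrent_adds(int serialized, int nthreads)
{
    struct ila_net_model net = {0, 0, PTHREAD_MUTEX_INITIALIZER};
    atomic_int go = 0;
    pthread_t tids[64];
    struct worker_arg arg = { &net, &go, serialized };

    if (nthreads < 1 || nthreads > 64)
        return -1;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tids[i], NULL, worker, &arg);
    atomic_store(&go, 1);  /* release all callers at once */
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    return atomic_load(&net.register_calls);
}

int main(void)
{
    printf("unserialized: registration ran %d time(s)\n", run_concurrent_adds(0, 8));
    printf("serialized:   registration ran %d time(s)\n", run_concurrent_adds(1, 8));
    return 0;
}
```

On a multi-core machine the unserialized run typically reports more than one registration, which is the condition the KASAN report in the vulnerability details reflects; the serialized run reports exactly one regardless of thread count. The model uses a plain mutex, matching the commit message, rather than a once-only primitive, because the real code must also handle the unregister path and later re-registration.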
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53803
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

ila: serialize calls to nf_register_net_hooks()

syzbot found a race in ila_add_mapping() [1]

commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempted to fix a similar issue.

Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.

Add a mutex to make sure at most one thread is calling nf_register_net_hooks().

[1]
BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501
CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
rht_key_hashfn include/linux/rhashtable.h:159 [inline]
__rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
process_backlog+0x443/0x15f0 net/core/dev.c:6117
__napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883
napi_poll net/core/dev.c:6952 [inline]
net_rx_action+0xa94/0x1010 net/core/dev.c:7074
handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF race condition directly enables exploitation for privilege escalation via arbitrary code execution in kernel space.
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through application of stable kernel patches directly resolves the race condition in ila_add_mapping() by serializing nf_register_net_hooks() calls with a mutex.
Implementing least functionality by disabling or restricting the unnecessary ILA kernel module prevents execution of the vulnerable code path exposed to concurrent ILA_CMD_ADD commands.
Memory protection mechanisms such as KASLR, SMAP, and hardened slab allocator configurations raise the difficulty of exploiting the use-after-free in rhashtable during ila_xlat_addr() lookups, but do not remove the race itself.