Cyber Resilience

CVE-2024-57982

High

Published: 27 February 2025

Published
27 February 2025
Modified
11 January 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0001 1.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57982 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2024-57982 is an out-of-bounds read vulnerability in the Linux kernel's xfrm subsystem, specifically during xfrm state lookup operations. The issue arises from a race condition where lookup and resize (rehash) can execute in parallel, causing hash functions to observe a state_hmask value that exceeds the size of the new hlist array in net->xfrm.state_bydst. This affects the xfrm_state_hash_generation seqlock mechanism, which normally ensures retries but fails to guarantee consistency between the pointer updates and hmask in RCU contexts.

A local attacker with low privileges can exploit this vulnerability without user interaction. Successful exploitation triggers an out-of-bounds read, potentially leading to high confidentiality impact through information disclosure or high availability impact via denial of service, such as kernel crashes. The CVSS 3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) reflects these characteristics, with no integrity impact.

Mitigation requires applying upstream kernel patches, as detailed in the referenced commits: a16871c7832ea6435abb6e0b58289ae7dcb7e4fc, b86dc510308d7a8955f3f47a4fea4bef887653e4, dd4c2a174994238d55ab54da2545543d36f4e0d0, and e952837f3ddb0ff726d5b582aa1aad9aa38d024d. These fixes prefetch state_hmask and associated pointers before use, leverage the seqlock for consistency, add lockdep assertions to existing helpers like xfrm_dst_hash() for insert-side safety only, and note that xfrm_state_lookup_byaddr() should transition to RCU in future updates.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that…

more

is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local low-priv kernel OOB read enables info disclosure (credential access) and DoS via exploitation; commonly chained for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23076Same product: Linux Linux Kernel
CVE-2025-71136Same product: Linux Linux Kernel
CVE-2025-71101Same product: Linux Linux Kernel
CVE-2026-31528Same product: Linux Linux Kernel
CVE-2025-21743Same product: Linux Linux Kernel
CVE-2026-31774Same product: Linux Linux Kernel
CVE-2026-23325Same product: Linux Linux Kernel
CVE-2025-21815Same product: Linux Linux Kernel
CVE-2026-31779Same product: Linux Linux Kernel
CVE-2026-43051Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
4.9 — 6.12.13 · 6.13 — 6.13.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identifying, prioritizing, and applying patches to remediate the out-of-bounds read race condition in the Linux kernel's xfrm state lookup.

detect

Supports vulnerability scanning to identify systems affected by CVE-2024-57982 based on kernel versions prior to the patching commits.

detect

Enables monitoring of system behavior to detect exploitation attempts resulting in kernel crashes or information disclosure from xfrm operations.

References