CVE-2024-57982
Published: 27 February 2025
Summary
CVE-2024-57982 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identifying, prioritizing, and applying patches to remediate the out-of-bounds read race condition in the Linux kernel's xfrm state lookup.
Supports vulnerability scanning to identify systems affected by CVE-2024-57982 based on kernel versions prior to the patching commits.
Enables monitoring of system behavior to detect exploitation attempts resulting in kernel crashes or information disclosure from xfrm operations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local low-priv kernel OOB read enables info disclosure (credential access) and DoS via exploitation; commonly chained for privilege escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that…
more
is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.
Deeper analysisAI
CVE-2024-57982 is an out-of-bounds read vulnerability in the Linux kernel's xfrm subsystem, specifically during xfrm state lookup operations. The issue arises from a race condition where lookup and resize (rehash) can execute in parallel, causing hash functions to observe a state_hmask value that exceeds the size of the new hlist array in net->xfrm.state_bydst. This affects the xfrm_state_hash_generation seqlock mechanism, which normally ensures retries but fails to guarantee consistency between the pointer updates and hmask in RCU contexts.
A local attacker with low privileges can exploit this vulnerability without user interaction. Successful exploitation triggers an out-of-bounds read, potentially leading to high confidentiality impact through information disclosure or high availability impact via denial of service, such as kernel crashes. The CVSS 3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) reflects these characteristics, with no integrity impact.
Mitigation requires applying upstream kernel patches, as detailed in the referenced commits: a16871c7832ea6435abb6e0b58289ae7dcb7e4fc, b86dc510308d7a8955f3f47a4fea4bef887653e4, dd4c2a174994238d55ab54da2545543d36f4e0d0, and e952837f3ddb0ff726d5b582aa1aad9aa38d024d. These fixes prefetch state_hmask and associated pointers before use, leverage the seqlock for consistency, add lockdep assertions to existing helpers like xfrm_dst_hash() for insert-side safety only, and note that xfrm_state_lookup_byaddr() should transition to RCU in future updates.
Details
- CWE(s)