Cyber Resilience

CVE-2024-58060

Severity: High
Published: 06 March 2025
Modified: 21 March 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-58060 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 11.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-58060 is a Use After Free vulnerability (CWE-416) in the Linux kernel's BPF subsystem, specifically within bpf_struct_ops registration. The issue arises when the kernel is built with CONFIG_MODULES=n: the BTF ID for the "struct module" type is then missing, as indicated by the build warning "resolve_btfids: unresolved symbol module." This affects struct_ops types that include a "struct module *owner" member, such as tcp_congestion_ops, because bpf_try_module_get() chooses how to take a reference based on that owner pointer; without the BTF ID it cannot do the correct refcounting, and a use-after-free follows. Not all struct_ops are impacted; sched_ext_ops, for example, lacks this member.

A local attacker with low privileges (AV:L/PR:L) can exploit this vulnerability with low attack complexity and no user interaction (AC:L/UI:N), achieving high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 7.8, S:U). Exploitation involves registering a BPF struct_ops program that triggers the faulty refcounting, potentially resulting in kernel memory corruption, arbitrary code execution, or denial of service.

Kernel patches mitigate the issue by rejecting BPF struct_ops registration if the type includes a "struct module *" member and the "struct module" BTF ID is missing. The fix moves the btf_type_is_fwd() helper into btf.h so that it can be used for this check, and is available in stable kernel trees via commits such as 2324fb4e92092837ee278fdd8d60c48ee1a619ce, 96ea081ed52bf077cad6d00153b6fba68e510767, and b777b14c2a4a4e2322daf8e8ffd42d2b88831b17. The patch carries a Fixes tag pointing at a recent commit it applies cleanly to and, given that the issue dates back to the inception of bpf_struct_ops and that CONFIG_MODULES=n builds are rare, is also targeted at bpf-next.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n. In particular, the report is on tcp_congestion_ops that has a "struct module *owner" member.

For struct_ops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpf_struct_ops. bpf_try_module_get() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIG_MODULES=n, the btf_id of the "struct module" is missing:

WARN: resolve_btfids: unresolved symbol module

Thus, the bpf_try_module_get() cannot do the correct refcounting.

Not all subsystem's struct_ops requires the "struct module *owner" member. e.g. the recent sched_ext_ops.

This patch is to disable bpf_struct_ops registration if the struct_ops has the "struct module *" member and the "struct module" btf_id is missing. The btf_type_is_fwd() helper is moved to the btf.h header file for this test.

This has happened since the beginning of bpf_struct_ops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The CVE describes a local use-after-free in the Linux kernel BPF subsystem exploitable by low-privileged attackers for arbitrary code execution and kernel corruption, directly enabling privilege escalation via T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23111: same product (Linux Linux Kernel)
CVE-2026-31530: same product (Linux Linux Kernel)
CVE-2026-43019: same product (Linux Linux Kernel)
CVE-2026-23158: same product (Linux Linux Kernel)
CVE-2025-21893: same product (Linux Linux Kernel)
CVE-2026-31446: same product (Linux Linux Kernel)
CVE-2026-31650: same product (Linux Linux Kernel)
CVE-2026-23001: same product (Linux Linux Kernel)
CVE-2024-50051: same product (Linux Linux Kernel)
CVE-2025-21759: same product (Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.9 to 6.12.13, and 6.13 to 6.13.2
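As an added defender-side check (not part of this record or of the kernel source), the following POSIX shell script combines the two exposure conditions the record gives: a kernel version inside the affected ranges listed above, and the CONFIG_MODULES=n build that the deeper analysis identifies as the precondition for the missing "struct module" BTF ID. The kernel-config locations it reads are assumptions about common distributions.

```shell
#!/bin/sh
# Added example, not part of the CVE record or the kernel source: decide whether a
# host is exposed to CVE-2024-58060 from the two facts the record states, the
# affected version ranges (6.9 to 6.12.13, 6.13 to 6.13.2) and the CONFIG_MODULES=n
# precondition under which the "struct module" BTF ID is missing.

# Turn "6.12.13", "6.12.13-generic" or "6.13.2+" into one integer for comparison.
verkey() {
  v=${1%%-*}; v=${v%%+*}
  set -- $(printf '%s\n' "$v" | tr . ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) when the version falls inside either affected range from the record.
in_affected_range() {
  k=$(verkey "$1")
  { [ "$k" -ge "$(verkey 6.9)" ] && [ "$k" -le "$(verkey 6.12.13)" ]; } ||
  { [ "$k" -ge "$(verkey 6.13)" ] && [ "$k" -le "$(verkey 6.13.2)" ]; }
}

# Exposure needs both conditions: an affected version and CONFIG_MODULES not set
# to y. Kconfig treats an absent option as disabled, so "" counts as n, and an
# "unknown" config is deliberately treated as exposed (conservative default).
is_exposed() {
  in_affected_range "$1" && [ "$2" != "y" ]
}

# Read CONFIG_MODULES for the running kernel. The file locations are assumptions
# about common distributions; prints y, n, or unknown when no config is readable.
config_modules() {
  cfg="/boot/config-$(uname -r)"
  if [ -r /proc/config.gz ]; then
    zcat /proc/config.gz | grep -q '^CONFIG_MODULES=y' && echo y || echo n
  elif [ -r "$cfg" ]; then
    grep -q '^CONFIG_MODULES=y' "$cfg" && echo y || echo n
  else
    echo unknown
  fi
}

# Live usage (commented out so the functions can be sourced without side effects):
# if is_exposed "$(uname -r)" "$(config_modules)"; then echo EXPOSED; else echo not-exposed; fi
```

A version inside the range on a CONFIG_MODULES=y kernel is reported as not exposed, which matches the record: the bug only manifests when the module BTF ID is absent.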

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent (SI-2, Flaw Remediation): Directly remediates the UAF vulnerability by requiring timely application of the kernel patch that rejects BPF struct_ops registration when the "struct module" BTF ID is missing.

Prevent (SI-10, Information Input Validation): Enforces validation of BPF struct_ops inputs prior to registration to block those with a missing "struct module" BTF ID, preventing incorrect refcounting and the subsequent UAF.

Prevent: Implements memory protection mechanisms such as kernel address randomization to mitigate the exploitation impact of a UAF in the BPF subsystem.
