CVE-2024-58060
Published: 06 March 2025
Summary
CVE-2024-58060 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-58060 is a Use After Free vulnerability (CWE-416) in the Linux kernel's BPF subsystem, specifically within bpf_struct_ops registration. The issue arises when CONFIG_MODULES=n, because the BTF ID for the "struct module" type is then missing, as indicated by the build warning "resolve_btfids: unresolved symbol module." This affects struct_ops types that include a "struct module *owner" member, such as tcp_congestion_ops: bpf_try_module_get() chooses how to take a reference based on the owner pointer, so with the BTF ID missing it cannot refcount correctly, and a use-after-free follows. Not all struct_ops are affected; sched_ext_ops, for example, lacks this member.
A local attacker with low privileges (AV:L/PR:L) can exploit this vulnerability with low attack complexity and no user interaction (AC:L/UI:N), achieving high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 7.8, S:U). Exploitation involves registering a BPF struct_ops program that triggers the faulty refcounting, potentially resulting in kernel memory corruption, arbitrary code execution, or denial of service.
Kernel patches mitigate the issue by rejecting BPF struct_ops registration if the type includes a "struct module *" member and the "struct module" BTF ID is missing. The fix moves the btf_type_is_fwd() helper into btf.h so the registration check can use it, and is available in stable kernel trees via commits such as 2324fb4e92092837ee278fdd8d60c48ee1a619ce, 96ea081ed52bf077cad6d00153b6fba68e510767, and b777b14c2a4a4e2322daf8e8ffd42d2b88831b17. The patch targets bpf-next; its Fixes tag points at a recent commit the patch applies cleanly to, since the bug has existed since bpf_struct_ops was introduced and CONFIG_MODULES=n configurations are uncommon.
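As an added illustration that is neither the kernel's own code nor part of this advisory, the following toy model in C shows the shape of the check the fix introduces. The BTF type table, the struct_ops layouts and the function names other than btf_type_is_fwd() are constructed for the example; the real kernel walks BTF rather than this table.

```c
/* Added toy model (not kernel code) of the registration check that the fix
 * adds: reject a struct_ops type that contains a "struct module *" member when
 * the "module" BTF id is unresolved (the CONFIG_MODULES=n case). */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

enum kind { KIND_INT, KIND_PTR, KIND_STRUCT, KIND_FWD };
struct btf_type { enum kind kind; const char *name; int target; };
struct member { const char *name; int type; };

/* Constructed BTF type table: 0 = int, 1 = struct module (forward decl only,
 * as it is without modules), 2 = pointer to module, 3 = pointer to int. */
static const struct btf_type types[] = {
    [0] = { KIND_INT, "int", -1 },
    [1] = { KIND_FWD, "module", -1 },
    [2] = { KIND_PTR, NULL, 1 },
    [3] = { KIND_PTR, NULL, 0 },
};

/* Same role as the kernel's btf_type_is_fwd(): a forward-declared struct. */
static bool btf_type_is_fwd(const struct btf_type *t) { return t->kind == KIND_FWD; }

/* True if the member points at "struct module", full or forward-declared. */
static bool is_module_member(int type_id)
{
    const struct btf_type *t = &types[type_id];
    if (t->kind != KIND_PTR)
        return false;
    t = &types[t->target];
    if (t->kind != KIND_STRUCT && !btf_type_is_fwd(t))
        return false;
    return strcmp(t->name, "module") == 0;
}

/* module_btf_id < 0 models resolve_btfids leaving "module" unresolved.
 * Returns 0 when registration may proceed, -EOPNOTSUPP when it must be refused
 * because bpf_try_module_get() could not refcount the owner correctly. */
int struct_ops_desc_init(const struct member *m, int n, int module_btf_id)
{
    for (int i = 0; i < n; i++)
        if (module_btf_id < 0 && is_module_member(m[i].type))
            return -EOPNOTSUPP;
    return 0;
}

/* Constructed layouts: tcp_congestion_ops-like (has owner), sched_ext_ops-like. */
static const struct member tcp_cong_like[] = { { "owner", 2 }, { "flags", 0 } };
static const struct member sched_ext_like[] = { { "flags", 0 }, { "name", 3 } };
int check_tcp_cong_like(int module_btf_id) { return struct_ops_desc_init(tcp_cong_like, 2, module_btf_id); }
int check_sched_ext_like(int module_btf_id) { return struct_ops_desc_init(sched_ext_like, 2, module_btf_id); }
```

With the module BTF id present (any id >= 0) both layouts register; with it missing, only the layout that carries an owner pointer is refused.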
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54024
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n. In particular, the report is on tcp_congestion_ops that has a "struct module *owner" member.

For struct_ops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpf_struct_ops. bpf_try_module_get() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIG_MODULES=n, the btf_id of the "struct module" is missing:

WARN: resolve_btfids: unresolved symbol module

Thus, the bpf_try_module_get() cannot do the correct refcounting.

Not all subsystem's struct_ops requires the "struct module *owner" member. e.g. the recent sched_ext_ops.

This patch is to disable bpf_struct_ops registration if the struct_ops has the "struct module *" member and the "struct module" btf_id is missing. The btf_type_is_fwd() helper is moved to the btf.h header file for this test.

This has happened since the beginning of bpf_struct_ops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also.
CWE(s)
- CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why this technique?
The CVE describes a local use-after-free in the Linux kernel BPF subsystem exploitable by low-privileged attackers for arbitrary code execution and kernel corruption, directly enabling privilege escalation via T1068.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the UAF vulnerability by requiring timely application of the kernel patch that rejects BPF struct_ops registration when the struct module BTF ID is missing.
- SI-10 (Information Input Validation): Enforces validation of BPF struct_ops inputs prior to registration to block those with a missing struct module BTF ID, preventing incorrect refcounting and the subsequent UAF.
- Memory protection: Implements mechanisms such as kernel address space layout randomization to reduce the impact of exploiting a UAF in the BPF subsystem.