CVE-2024-26591: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26591 is a vulnerability in the Linux kernel's BPF subsystem, specifically in the bpf_tracing_prog_attach function. The vulnerability was discovered in January 2024 and affects multiple versions of the Linux kernel up to versions 5.15.148, 6.1.75, 6.6.14, and 6.7.2. The issue occurs during the re-attachment process of BPF programs (Kernel Patch).

The vulnerability manifests as a NULL pointer dereference in the bpf_tracing_prog_attach function when handling program re-attachment. The issue occurs in a specific sequence: 1) loading a rawtp program, 2) loading an fentry program with rawtp as target_fd, 3) creating a tracing link for fentry program with target_fd = 0, and 4) repeating step 3. This leads to a situation where prog->aux->dst_trampoline is NULL, tgt_prog is NULL, and prog->aux->attach_btf is NULL. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a kernel crash due to the NULL pointer dereference, resulting in a denial of service condition. The impact is limited to availability with no direct impact on confidentiality or integrity of the system (NVD).

The vulnerability has been patched in the Linux kernel with a fix that adds validation for attach_btf before allowing re-attachment. The patch returns -EINVAL when attempting re-attachment without valid attach_btf. Users should update their Linux kernel to versions that include this fix (Kernel Patch).