Vulnerability DatabaseCVE-2024-35896

CVE-2024-35896:
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2024-35896 is a vulnerability in the Linux kernel's netfilter component that affects the validation of user input for expected length. The vulnerability was discovered when multiple syzbot reports showed old bugs exposed by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc in cgroup/{s,g}etsockopt"). The issue was identified in May 2024 and affects Linux kernel versions from 2.6.12 up to versions before 5.10.215, 5.15.154, 6.1.85, 6.6.26, and 6.8.5 (NVD).

Technical details

The vulnerability stems from improper validation of the setsockopt() @optlen argument before copying data. This results in a slab-out-of-bounds condition in the netfilter component, specifically in the copyfromsockptroffset and copyfrom_sockptr functions. The issue manifests as a KASAN (Kernel Address Sanitizer) error when attempting to read 96 bytes at an invalid address, indicating a buffer overflow condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

Impact

The vulnerability can lead to a slab-out-of-bounds read in the Linux kernel's netfilter component. This could potentially result in information disclosure and system crashes, affecting the confidentiality and availability of the system. The high CVSS score indicates significant potential impact, particularly in terms of confidentiality and availability breaches (NVD).

Mitigation and workarounds

The vulnerability has been fixed in the Linux kernel through patches that validate user input for expected length. The fix has been backported to multiple stable kernel versions. Users are advised to update their systems to patched versions: Linux kernel versions 5.10.215, 5.15.154, 6.1.85, 6.6.26, or 6.8.5 and later. The fix involves adding proper length validation before copying data in the netfilter component (Kernel Patch).

Community reactions

The vulnerability has been acknowledged by major Linux distributions and security teams. Red Hat has included the fix in their security advisories, and Debian has addressed it in their LTS security updates. The fix has been reviewed and approved by kernel maintainers, including Pablo Neira Ayuso (Debian LTS, Red Hat Advisory).

Additional resources

Source: This report was generated using AI

7.1

Score

Published May 19, 2024

Severity HIGH

CNA Score N/A

Affected Technologies

Linux Kernel
Rocky Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 13.3

Exploitation Probability (EPSS) N/A

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: Aug 11, 2024
- AlmaLinux 9 Severity HIGHHas FixAdded at: Nov 04, 2024
Debian Security Tracker
- Debian 10, 11, 12, 13 Severity HIGHHas FixAdded at: May 20, 2024
Photon Security Advisory
- Photon 4.0 Severity HIGHHas FixAdded at: Jan 19, 2025
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: May 21, 2024
- Red Hat 8 Severity MEDIUMHas FixAdded at: May 21, 2024
- Red Hat 9 Severity MEDIUMHas FixAdded at: May 21, 2024
Rocky Linux Product Errata
- Rocky 8 Severity HIGHHas FixAdded at: Aug 25, 2024
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04 Severity MEDIUMHas FixAdded at: Oct 10, 2024
- Ubuntu 20.04, 22.04, 24.04 Severity MEDIUMHas FixAdded at: Jul 02, 2024