CVE-2024-56664: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56664 is a race condition vulnerability discovered in the Linux kernel's BPF sockmap implementation. The issue specifically involves a race between element replace and close() operations in the sockmap functionality. The vulnerability was disclosed on December 27, 2024, affecting Linux kernel versions from 4.20 up to versions before 6.6.67, and from 6.7 up to versions before 6.12.6 (NVD).

The vulnerability occurs in the Linux kernel's sockmap functionality where a race condition exists between element replacement and socket closure operations. The issue manifests when element replace (with a socket different from the one stored) races with socket's close() link popping and unlinking. The _sockmap_delete() function unconditionally unrefs the wrong element, leading to potential use-after-free conditions. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can result in use-after-free conditions and reference counting issues in the kernel. When exploited, it can lead to kernel memory corruption, potentially causing system crashes or enabling privilege escalation. The issue is particularly evidenced by KASAN splats and refcount_t warnings during exploitation (Kernel Patch).

The vulnerability has been fixed in the Linux kernel through patches that modify the _sockmapdelete() function to prevent sockmap_unref() on elements that may have been replaced. The fix has been backported to various stable kernel versions. Users are advised to upgrade to Linux kernel versions 6.6.67, 6.12.6, or later that contain the fix (Kernel Patch).