PoC Exploit Released for Use-after-free Linux Kernel Vulnerability


Security researchers have publicly released a proof-of-concept (PoC) exploit for CVE-2024-36904, a high-severity use-after-free vulnerability in the Linux kernel that went unnoticed for about seven years.

The vulnerability, which affects the TCP subsystem, could allow a local, low-privileged attacker to execute code with kernel privileges.

Use-after-free Linux Kernel Vulnerability

The flaw stems from a race condition in the inet_twsk_hashdance() function: a TIME_WAIT TCP socket's reference counter is initialized only after the socket has been linked into the established-connections hash table and the bucket lock has been released.

If a concurrent lookup on another thread, for example a connect() checking whether the port can be reused, finds the socket in the hash chain before that initialization completes, it takes a reference on an object whose reference counter is still zero.

The kernel's refcount_t checks flag the increment-from-zero with a warning, but the initialization that follows simply overwrites the counter. When the operations on the socket follow that exact sequence, the reference counter ends up unbalanced, the object is freed while another path still holds a reference to it, and a genuine use-after-free results.
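The sequence described above, replayed as a small userspace model. This is an added example written for this page, not kernel code and not the researchers' PoC: the refcount helpers imitate the kernel's refcount_t behaviour (an increment from zero warns and pins the counter at a saturated value), struct twsk and the hashdance_* functions are simplified stand-ins for struct inet_timewait_sock and the two halves of inet_twsk_hashdance(), and the "fixed" path takes the reference with refcount_inc_not_zero() and gives up when it fails, which is how the upstream patch changed tcp_twsk_unique(). The three legitimate references (bind hash, established hash, timer) match the comment in the kernel's hashdance code.

```c
/*
 * Userspace model of the CVE-2024-36904 ordering bug in inet_twsk_hashdance().
 * Added illustration, not kernel code and not the published PoC: the refcount
 * helpers mimic the kernel's refcount_t semantics, struct twsk stands in for
 * struct inet_timewait_sock, and replay_race() replays the race
 * deterministically instead of with real threads.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define REFCOUNT_SATURATED (INT_MIN / 2)  /* value the kernel pins a bad counter at */

struct refcount { int refs; };

struct twsk {                 /* stand-in for struct inet_timewait_sock */
    struct refcount tw_refcnt;
    bool hashed;              /* reachable through the hash chain */
    bool freed;
};

/* Mimics refcount_inc(): an increment from 0 means the caller found an object
 * nobody owns; the kernel WARNs and pins the counter at REFCOUNT_SATURATED. */
static void refcount_inc(struct refcount *r, bool *warned)
{
    if (r->refs == 0) {
        *warned = true;
        r->refs = REFCOUNT_SATURATED;
        return;
    }
    r->refs++;
}

/* Mimics refcount_inc_not_zero(): the patched lookup uses this and gives up
 * on reusing the port when it returns false. */
static bool refcount_inc_not_zero(struct refcount *r)
{
    if (r->refs <= 0)
        return false;
    r->refs++;
    return true;
}

/* inet_twsk_put() / refcount_dec_and_test(): free on the transition to zero. */
static void twsk_put(struct twsk *tw)
{
    if (--tw->tw_refcnt.refs == 0)
        tw->freed = true;
}

/* The two halves of inet_twsk_hashdance() on vulnerable kernels: the socket is
 * linked into the hash chain (and the bucket lock dropped) before the counter
 * is set to 3 (one reference each for bhash, ehash and the timer). */
static void hashdance_insert(struct twsk *tw)     { tw->hashed = true; }
static void hashdance_set_refcnt(struct twsk *tw) { tw->tw_refcnt.refs = 3; }

/*
 * Replay the interleaving in which a concurrent connect() finds the TIME_WAIT
 * socket between those two halves.  use_fixed selects the patched lookup.
 * Returns how many legitimate holders (bhash, ehash, timer) still hold a
 * reference at the moment the object is freed: 0 means the teardown was
 * correct, >0 means a use-after-free, -1 would mean a leak.
 */
static int replay_race(bool use_fixed, bool *warned)
{
    struct twsk tw = { .tw_refcnt = { 0 }, .hashed = false, .freed = false };
    bool lookup_holds_ref = false;
    int legit_holders = 3;

    *warned = false;
    hashdance_insert(&tw);                         /* step 1: visible, counter still 0 */

    if (tw.hashed) {                               /* step 2: the racing lookup */
        if (use_fixed) {
            lookup_holds_ref = refcount_inc_not_zero(&tw.tw_refcnt);
        } else {
            refcount_inc(&tw.tw_refcnt, warned);   /* sock_hold() on a zero counter */
            lookup_holds_ref = true;               /* caller believes it owns a reference */
        }
    }

    hashdance_set_refcnt(&tw);                     /* step 3: overwrites the saturated value */

    if (lookup_holds_ref)                          /* step 4: lookup side drops its reference */
        twsk_put(&tw);

    for (int i = 0; i < 3; i++) {                  /* step 5: bhash, ehash, timer each put */
        if (tw.freed)                              /* this holder touches freed memory */
            return legit_holders;
        twsk_put(&tw);
        legit_holders--;
    }
    return tw.freed ? 0 : -1;
}

int main(void)
{
    bool warned;
    int left = replay_race(false, &warned);
    printf("vulnerable ordering: refcount warning=%d, holders left at free=%d\n",
           warned, left);
    left = replay_race(true, &warned);
    printf("patched lookup:      refcount warning=%d, holders left at free=%d\n",
           warned, left);
    return 0;
}
```

With the vulnerable ordering the model reports one legitimate holder still referencing the object when it is freed, which is the underflow that turns into a real use-after-free elsewhere in the kernel; with the patched lookup the object is freed exactly when its last real reference drops and no warning fires.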

The vulnerability carries a CVSS score of 7.0 (HIGH), indicating its significant potential impact.

Risk factors and details:

Affected Products: Red Hat Enterprise Linux 8/9; AlmaLinux 9; Rocky Linux 8; SUSE Linux Enterprise products; Amazon Linux 2/2023; NetApp AFF/FAS BMC (A700s, 8300/8700/A400/C400); NetApp E-Series SANtricity OS 11.x; Dell PowerProtect Cyber Recovery; Dell Cloud Tiering Appliance
Impact: Arbitrary code execution in kernel context; potential complete system compromise
Exploit Prerequisites: Local access to the affected system; low-level privileges
CVSS 3.1 Score: 7.0 (HIGH)

PoC Exploit 

The researchers explained their PoC: “In the original kernel version, the syzkaller reproducer takes many hours to trigger the reference counter warnings. In our experiments, it takes around 48 hours when running 6 parallel instances.”

To demonstrate it faster, the team built the kernel with KASAN enabled and removed the RCU flag (SLAB_TYPESAFE_BY_RCU) from the TCP time-wait socket cache, so that a freed object is actually returned to the allocator instead of being recycled under RCU and KASAN can catch the stale access. With that change, their custom trigger produces a KASAN splat (kernel crash report) in less than 30 minutes.

All experiments were conducted on AlmaLinux 9 with kernel version 5.14.0-362.24.2.el9_3.x86_64, running as a virtual machine on VMware Workstation. The repository contains detailed instructions for applying the necessary patches.

This vulnerability affects numerous Linux distributions, including Red Hat Enterprise Linux derivatives and Fedora.

Numerous enterprise products, including NetApp systems, have been identified as vulnerable, and the exploitation potential should not be underestimated.

When successfully leveraged, this use-after-free condition could allow attackers to execute arbitrary code within the kernel context, potentially leading to complete system compromise.

Mitigations

The vulnerability was patched upstream in May 2024, but many distributions had not integrated the fix at the time of discovery. 

For the Red Hat Enterprise Linux 9 ecosystem specifically, the vulnerability was fixed in kernel-5.14.0-427.26.1.el9_4 on July 16, 2024.

Security experts strongly recommend immediate patching of all affected systems. System administrators should prioritize updating to the latest kernel versions containing the security patches to mitigate this long-standing vulnerability.
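A quick way to turn the RHEL 9 fixed build above into a check against `uname -r`. This is an added example, not from the article or the PoC repository; it assumes the host runs the RHEL 9.4 / AlmaLinux 9.4 / Rocky Linux 9.4 kernel line (5.14.0-427.x) and compares version fields numerically after dropping the dist tag and architecture. Other streams (RHEL 8, EUS branches, SUSE, Amazon Linux, the appliances listed earlier) have their own fixed builds and need the vendor's advisory instead.

```shell
#!/bin/sh
# Check whether a kernel release string is at or past the fixed RHEL 9 build
# for CVE-2024-36904.  Added example, not from the article or the PoC repo.
# Assumption: the host runs the RHEL 9.4 kernel line (5.14.0-427.x); other
# streams carry their own fixed builds and are reported as "check the advisory".

FIXED_VERSION="5.14.0-427.26.1"

# Drop the dist tag and architecture (".el9_4.x86_64") and turn every remaining
# separator into a space: "5.14.0-427.26.1" -> "5 14 0 427 26 1".
ver_fields() {
    printf '%s' "$1" | sed -e 's/\.el[0-9].*$//' -e 's/[^0-9]/ /g'
}

# Return 0 when $1 >= $2 comparing numeric fields left to right, 1 otherwise.
ver_ge() {
    awk -v a="$(ver_fields "$1")" -v b="$(ver_fields "$2")" 'BEGIN {
        na = split(a, x, " "); nb = split(b, y, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Print a verdict for a kernel release string.
# Exit status: 0 fixed, 1 needs update, 2 not a RHEL 9 kernel line.
check_kernel() {
    case "$1" in
        5.14.0-*) ;;
        *) echo "$1: not a RHEL 9 (5.14.0-*) kernel, check the vendor advisory"
           return 2 ;;
    esac
    if ver_ge "$1" "$FIXED_VERSION"; then
        echo "$1: at or past $FIXED_VERSION, CVE-2024-36904 fix present"
        return 0
    fi
    echo "$1: older than $FIXED_VERSION, update the kernel"
    return 1
}

# Stand-alone use: sh check.sh [kernel-release]; defaults to the running kernel.
check_kernel "${1:-$(uname -r)}" || :
```

The comparison is deliberately numeric per field rather than a string match, so a later errata build such as 5.14.0-427.31.1 is also recognised as fixed, while the 5.14.0-362.x kernels the researchers tested on are reported as needing the update.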
