A vulnerability designated CVE-2024-53141 has been discovered in the Linux kernel’s ipset subsystem: an out-of-bounds write in the bitmap:ip set type that security researchers have turned into arbitrary kernel memory corruption and, from there, code execution in the kernel.
The flaw sits in the bitmap:ip implementation within the Netfilter framework. An attacker who can issue ipset commands (CAP_NET_ADMIN in the network namespace where the set lives) can corrupt kernel memory structures and escalate privileges to root.
Vulnerability Overview
The flaw resides in the bitmap_ip_uadt function in net/netfilter/ipset/ip_set_bitmap_ip.c, where boundary validation is incomplete when a range is supplied in CIDR (Classless Inter-Domain Routing) notation.
The function range-checks the IPSET_ATTR_IP attribute exactly as supplied, but when a CIDR prefix is attached it then expands that single address into a whole network block and never re-checks where the block starts.
The ip_set_mask_from_to macro masks the address down to the network address of the block and sets ip_to to the block’s last address; when the supplied address lies near the start of the set, the masked network address can fall below the bitmap’s first_ip even though the original address did not.
The explicit IP-to-IP range branch carried its own first_ip check, but the CIDR branch did not, and the final check compared only ip_to against last_ip. The element index is derived from ip minus first_ip in unsigned arithmetic, so an ip below first_ip wraps to a huge index and the add loop operates well outside the set’s allocation, which is the out-of-bounds memory access.
Technical Impact and Exploitation
Security researchers have demonstrated that successful exploitation lets an attacker overwrite kernel memory outside the set through carefully crafted ipset extension data.
The resulting write primitive can corrupt critical kernel data structures; the published technique targets core_pattern, the kernel setting that controls how core dumps are handled, which is a common route to running an attacker-chosen program as root.
The exploitation technique involves creating multiple bitmap:ip sets to establish a predictable memory layout, then triggering the vulnerability through a CIDR specification whose network address lies below the set’s first_ip.
Because each element’s extension data is stored at an offset derived from the element index, the out-of-range index selects the target location and the extension fields (skbmark, skbprio, bytes, packets) supply the data that gets written.
| Component | Details |
|---|---|
| CVE ID | CVE-2024-53141 |
| Affected Versions | Up to commit 041bd1e4 in Torvalds’ Linux kernel |
| Latest Affected | Linux kernel 6.12.2 |
| Subsystem | netfilter/ipset bitmap:ip |
| Attack Vector | Local (ipset netlink interface); impact is privilege escalation |
| Patch Commit | 35f56c554eb1b56b77b3cf197a6b00922d49033d |
Patch Implementation
The Linux kernel maintainers have released a patch addressing the vulnerability by consolidating the boundary validation into a single check that runs after any masking or swapping.
The fix moves the first_ip validation out of the IP-to-IP range conditional block, so that both explicit range specifications and CIDR-calculated ranges undergo the same boundary verification.
Concretely, the patch removes the first_ip check that lived inside the IP-to-IP branch and replaces the final if (ip_to > map->last_ip) with if (ip < map->first_ip || ip_to > map->last_ip), giving a complete range validation regardless of how the start and end addresses were calculated.
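To make the vulnerable and patched checks from the Vulnerability Overview and Patch Implementation sections concrete, the following is an added user-space model of the argument handling in bitmap_ip_uadt; it is not code from this article, from the researchers, or from the kernel tree. It assumes a netmask of 32 (one address per bitmap slot), uses -ERANGE in place of the kernel’s -IPSET_ERR_BITMAP_RANGE, and the struct layout, helper names and the constructed set (10.0.0.10-10.0.0.20, with a 10.0.0.12/29 add) are illustrative simplifications.

```c
/* Added example, not kernel code: a user-space model of the range check in
 * bitmap_ip_uadt() (net/netfilter/ipset/ip_set_bitmap_ip.c), mirroring the
 * kernel's ip_set_mask_from_to() and ip_to_id() arithmetic. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Subset of struct bitmap_ip used by the range check (assumed layout). */
struct bitmap_ip {
	uint32_t first_ip;  /* first address covered by the bitmap          */
	uint32_t last_ip;   /* last address covered by the bitmap           */
	uint32_t elements;  /* bitmap slots: (last_ip - first_ip)/hosts + 1 */
	uint32_t hosts;     /* addresses per slot; 1 for netmask 32         */
};

/* Like ip_set_hostmask(): network mask of a /cidr as a host-order u32. */
static uint32_t hostmask(uint8_t cidr)
{
	return cidr ? 0xFFFFFFFFu << (32 - cidr) : 0;
}

/* Like ip_set_mask_from_to(): ip -> network address, ip_to -> last address. */
static void mask_from_to(uint32_t *from, uint32_t *to, uint8_t cidr)
{
	*from &= hostmask(cidr);
	*to = *from | ~hostmask(cidr);
}

/* Like ip_to_id() for netmask 32: unsigned, so ip < first_ip wraps around. */
static uint32_t ip_to_id(const struct bitmap_ip *m, uint32_t ip)
{
	return (ip - m->first_ip) / m->hosts;
}

/* Model of bitmap_ip_uadt()'s argument handling. Returns 0 plus the first and
 * last bitmap indices the add loop would touch, -ERANGE where the kernel
 * returns -IPSET_ERR_BITMAP_RANGE, -EINVAL for a bad CIDR. 'patched' selects
 * the check from commit 35f56c554eb1. */
static int model_uadt(const struct bitmap_ip *map, uint32_t ip,
		      bool have_ip_to, uint32_t ip_to,
		      bool have_cidr, uint8_t cidr, bool patched,
		      uint32_t *first_id, uint32_t *last_id)
{
	/* IPSET_ATTR_IP is range-checked as supplied on both paths. */
	if (ip < map->first_ip || ip > map->last_ip)
		return -ERANGE;
	if (have_ip_to) {
		if (ip > ip_to) {
			uint32_t tmp = ip;
			ip = ip_to;
			ip_to = tmp;
			/* Pre-patch: the only first_ip re-check, and only here. */
			if (!patched && ip < map->first_ip)
				return -ERANGE;
		}
	} else if (have_cidr) {
		if (!cidr || cidr > 32)
			return -EINVAL;
		/* ip may now sit below first_ip; the unpatched path never
		 * looks at ip again, only at ip_to. */
		mask_from_to(&ip, &ip_to, cidr);
	} else {
		ip_to = ip;
	}

	if (patched ? (ip < map->first_ip || ip_to > map->last_ip)
		    : (ip_to > map->last_ip))
		return -ERANGE;

	*first_id = ip_to_id(map, ip);
	*last_id = ip_to_id(map, ip_to);
	return 0;
}

/* True when every index the add loop would touch lies inside the bitmap. */
static bool add_in_bounds(const struct bitmap_ip *map, uint32_t first_id,
			  uint32_t last_id)
{
	return first_id < map->elements && last_id < map->elements;
}

int main(void)
{
	/* Constructed set 10.0.0.10-10.0.0.20, netmask 32 (11 slots). Adding
	 * 10.0.0.12/29 passes the initial check, but the /29 network address
	 * is 10.0.0.8, two below first_ip. */
	struct bitmap_ip map = { .first_ip = 0x0A00000Au, .last_ip = 0x0A000014u,
				 .elements = 11, .hosts = 1 };
	uint32_t first = 0, last = 0;
	int ret = model_uadt(&map, 0x0A00000Cu, false, 0, true, 29, false,
			     &first, &last);
	printf("unpatched: ret=%d ids %u..%u of %u slots, in_bounds=%d\n", ret,
	       first, last, map.elements, add_in_bounds(&map, first, last));
	ret = model_uadt(&map, 0x0A00000Cu, false, 0, true, 29, true, &first, &last);
	printf("patched:   ret=%d (-ERANGE=%d)\n", ret, -ERANGE);
	return 0;
}
```

Build with `cc -std=c11 -Wall model.c && ./a.out`. On the unpatched path the add is accepted and the first index the loop would touch is 4294967294 against an 11-slot bitmap, which is the wrapped value of 10.0.0.8 minus 10.0.0.10; on the patched path the same request is rejected with -ERANGE because the masked ip is compared against first_ip after the CIDR expansion. An explicit 10.0.0.8-10.0.0.15 range is rejected on both paths, which is why only the CIDR branch was exploitable.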
Mitigation Recommendations
Organizations should apply the fixed kernel (6.12.3 or a stable release carrying the backported commit) to affected systems as soon as possible.
The vulnerability requires local access and CAP_NET_ADMIN in the network namespace where the ipset commands are issued. On systems that permit unprivileged user namespaces, an ordinary local user can obtain that capability by creating a new user and network namespace, so the capability requirement by itself should not be treated as a barrier to exploitation.
Where patching is delayed, restricting unprivileged user namespace creation (the user.max_user_namespaces sysctl, or the kernel.unprivileged_userns_clone sysctl on distributions that carry it) closes the most common unprivileged route to this code, at the cost of breaking software that relies on such namespaces; administrators should also audit who holds CAP_NET_ADMIN and apply the principle of least privilege.
Security teams should monitor for unexpected ipset activity, in particular the creation of many bitmap:ip sets by non-administrative processes, and consider additional access controls around netfilter configuration until patches are deployed across all affected systems.