Researchers have uncovered a critical vulnerability in the Linux kernel’s TCP subsystem, identified as CVE-2024-36904.
This flaw, introduced seven years ago, allows attackers to exploit a use-after-free condition, potentially leading to remote code execution (RCE).
The vulnerability stems from a race condition in the inet_twsk_hashdance() function, where improper reference counter initialization creates opportunities for memory corruption.
Exploitability and Impact
The vulnerability arises when a time-wait TCP socket’s reference counter is initialized after being added to a hash table and releasing its lock.
If another operation accesses the socket before initialization, it encounters a zeroed reference counter.
This triggers warnings from the kernel’s reference counter protection mechanisms and can lead to a real use-after-free scenario under specific conditions.
Such scenarios could allow attackers to execute arbitrary code within the kernel, compromising system integrity.
Although the Linux kernel includes safeguards to detect reference counter anomalies, this flaw bypasses those protections under certain execution sequences.
The vulnerability affects multiple Linux distributions, including Red Hat Enterprise Linux derivatives and Fedora.
Testing on recent kernels like version 6.8 confirmed the issue persists across various environments.
Discovery
The flaw was discovered during routine vulnerability research by Allele Security using tools like the Syzkaller fuzzer.
Initially mistaken for an issue related to the KCM protocol, further analysis revealed it as a distinct bug in the TCP subsystem.
The vulnerability was reported upstream and patched in May 2024. However, many distributions had not integrated the fix into their latest releases at the time of discovery.
The patch addresses the issue by ensuring proper synchronization during reference counter initialization, preventing race conditions that could lead to use-after-free scenarios.
Administrators are urged to update their systems immediately with kernel versions containing the patched code.
Distributions like Red Hat and Fedora have released updates addressing this vulnerability.
Users should verify their systems are running patched kernels to mitigate potential exploitation risks.
This discovery highlights the importance of proactive vulnerability research and timely patch application in maintaining secure Linux environments.
As open-source software continues to evolve, rigorous auditing and rapid response remain critical in safeguarding against emerging threats.
