PT-2024-30744 · Linux+2 · Linux Kernel+2

Published: 2024-08-01 · Updated: 2025-01-09 · CVE-2024-43887

CVSS v3.1: 4.7 Medium
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.10.0

Description

The vulnerability is related to the TCP-AO static key in the Linux kernel. The lifetime of the TCP-AO static key is the same as that of the last tcp_ao_info. When the socket is destroyed, tcp_ao_info is freed after an RCU grace period, while the TCP-AO static branch is currently disabled through deferred destruction. As a result, other CPUs can still see a tcp_ao_info that is not yet dead but soon will be, which breaks the assumption of static_key_fast_inc_not_disabled(). The issue is not theoretical and has been observed on the netdev test-bot.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-08026
CVE-2024-43887
USN-7154-1
USN-7154-2
USN-7155-1
USN-7156-1
USN-7196-1

Affected Products

Linux Mint
Linux Kernel
Ubuntu