PT-2024-33987 · Linux+11 · Linux Kernel+11

Martin Kafai Lau · Published 2024-10-15 · Updated 2026-01-13 · CVE-2024-50154

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.61
Description: A use-after-free vulnerability was reported in the Linux kernel's TCP timer handling. The issue occurs when req->sk is closed before the timer expires, which is after 63 seconds by default. This can happen in a scenario where inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed, allowing the reqsk timer to continue running and sending multiple SYN+ACKs until it expires. The vulnerability can be exploited by attaching a BPF program to trace tcp_retransmit_synack, which passes req->sk to the bpf_sk_storage_get_tracing kernel helper.
Recommendations: To resolve the issue, update the Linux kernel to version 6.6.61 or later. As a temporary workaround, consider disabling the bpf_sk_storage_get_tracing function until a patch is available. Restrict access to the vulnerable reqsk_queue_unlink function to minimize the risk of exploitation. Avoid using the timer_pending() function in reqsk_queue_unlink() until the issue is resolved.

Exploit

Fix

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2025:0578
ALSA-2025:11455
ALSA-2025:11456
ALSA-2025_11455
ALSA-2025_11456
ALSA-2025_11861
ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2024-15251
ALT-PU-2024-17211
ALT-PU-2025-12647
AZL-52967
AZL-52987
BDU:2025-03473
CESA-2025_11455
CESA-2025_11456
CVE-2024-50154
DLA-4008-1
DLA-4178-1
INFSA-2025_0578
INFSA-2025_11455
INFSA-2025_11456
MGASA-2024-0368
MGASA-2024-0369
OESA-2024-2424
OESA-2024-2425
OESA-2024-2426
OESA-2024-2492
OESA-2024-2495
OPENSUSE-SU-2024:14500-1
OPENSUSE-SU-2024_4313-1
OPENSUSE-SU-2024_4314-1
OPENSUSE-SU-2024_4315-1
OPENSUSE-SU-2024_4316-1
OPENSUSE-SU-2024_4346-1
OPENSUSE-SU-2024_4376-1
OPENSUSE-SU-2025:14705-1
OPENSUSE-SU-2025_0117-1
OPENSUSE-SU-2025_0153-1
OPENSUSE-SU-2025_0154-1
OPENSUSE-SU-2025_0201-1
OPENSUSE-SU-2025_0203-1
OPENSUSE-SU-2025_0229-1
RHSA-2025:0578
RHSA-2025:11455
RHSA-2025:11456
RHSA-2025:1658
RHSA-2025_0578
RHSA-2025_11455
RHSA-2025_11456
SUSE-SU-2024:4313-1
SUSE-SU-2024:4314-1
SUSE-SU-2024:4315-1
SUSE-SU-2024:4316-1
SUSE-SU-2024:4317-1
SUSE-SU-2024:4318-1
SUSE-SU-2024:4345-1
SUSE-SU-2024:4346-1
SUSE-SU-2024:4364-1
SUSE-SU-2024:4367-1
SUSE-SU-2024:4376-1
SUSE-SU-2024:4387-1
SUSE-SU-2024:4388-1
SUSE-SU-2025:0035-1
SUSE-SU-2025:0117-1
SUSE-SU-2025:0153-1
SUSE-SU-2025:0154-1
SUSE-SU-2025:0201-1
SUSE-SU-2025:0201-2
SUSE-SU-2025:0203-1
SUSE-SU-2025:0229-1
SUSE-SU-2025:0231-1
SUSE-SU-2025:0289-1
SUSE-SU-2025:03465-1
SUSE-SU-2025:03468-1
SUSE-SU-2025:03482-1
SUSE-SU-2025:03494-1
SUSE-SU-2025:03503-1
SUSE-SU-2025:03514-1
SUSE-SU-2025:03539-1
SUSE-SU-2025:03548-1
SUSE-SU-2025:03553-1
SUSE-SU-2025:03557-1
SUSE-SU-2025:03566-1
SUSE-SU-2025:03580-1
SUSE-SU-2025:20163-1
SUSE-SU-2025:20164-1
SUSE-SU-2025:20165-1
SUSE-SU-2025:20166-1
SUSE-SU-2025:20246-1
SUSE-SU-2025:20247-1
SUSE-SU-2025:20248-1
SUSE-SU-2025:20249-1
SUSE-SU-2025:20806-1
SUSE-SU-2025:20819-1
SUSE-SU-2025:20832-1
SUSE-SU-2025:20833-1
SUSE-SU-2025:20840-1
SUSE-SU-2025:20841-1
SUSE-SU-2025:4123-1
SUSE-SU-2025_0201-1
SUSE-SU-2025_0201-2
SUSE-SU-2025_0203-1
USN-7276-1
USN-7277-1
USN-7288-1
USN-7288-2
USN-7289-1
USN-7289-2
USN-7289-3
USN-7289-4
USN-7291-1
USN-7305-1
USN-7308-1
USN-7310-1
USN-7331-1
USN-7388-1
USN-7389-1
USN-7390-1
USN-7449-1
USN-7449-2
USN-7450-1
USN-7451-1
USN-7452-1
USN-7453-1
USN-7458-1
USN-7468-1
USN-7523-1
USN-7524-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu