CVE-2024-26613 in Linux
Summary
by MITRE • 03/11/2024
In the Linux kernel, the following vulnerability has been resolved:
net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
Syzcaller UBSAN crash occurs in rds_cmsg_recv(), which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1),
but with array size of 4 (RDS_RX_MAX_TRACES). Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from
trace.rx_trace_pos[i] in rds_recv_track_latency(),
with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the off-by-one bounds check in rds_recv_track_latency() to prevent a potential crash in rds_cmsg_recv().
Found by syzcaller: ================================================================= UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39 index 4 is out of range for type 'u64 [4]'
CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348 rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585 rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716 sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x160 net/socket.c:1066 __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246 __do_sys_recvfrom net/socket.c:2264 [inline]
__se_sys_recvfrom net/socket.c:2260 [inline]
__x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b ==================================================================
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/12/2026
The vulnerability described represents a critical buffer overflow condition within the Linux kernel's Reliable Datagram Sockets (RDS) implementation, specifically in the rds_cmsg_recv function. This issue manifests as an out-of-bounds array access that can lead to system instability and potential exploitation. The flaw occurs when processing received messages with latency tracing enabled, where the indexing logic fails to properly account for array boundaries during message handling operations.
The technical root cause stems from a mismatch between array dimensions and indexing operations within the RDS subsystem's latency tracking mechanism. The crash occurs in net/rds/recv.c at line 585 where inc->i_rx_lat_trace[j + 1] attempts to access index 4 of an array that only contains 4 elements, with indices ranging from 0 to 3. This misalignment results from how trace.rx_trace_pos[i] values are assigned to rs->rs_rx_trace[i], which then gets used as the loop variable j in rds_cmsg_recv(). The underlying arrays involved have different sizing constraints, with trace.rx_trace_pos[i] and rs->rs_rx_trace[i] being limited to 3 elements each, while the target array i_rx_lat_trace is sized for 4 elements.
This vulnerability directly maps to CWE-129, which describes improper validation of array index bounds, and aligns with ATT&CK technique T1068 by potentially enabling privilege escalation through kernel memory corruption. The issue demonstrates a classic off-by-one error that can be exploited by malicious actors to cause denial of service or potentially achieve code execution within kernel space.
The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential pathway for attackers to exploit kernel memory corruption in network communication stacks. When the RDS subsystem processes messages with latency tracing enabled, particularly under stress conditions where multiple concurrent connections are established, the probability of triggering this condition increases significantly. The UBSAN (Undefined Behavior Sanitizer) detection mechanism correctly identifies this issue as an array index out-of-bounds access, providing early warning of the potential exploitability.
Mitigation strategies should focus on immediate kernel updates that address the bounds checking logic in rds_recv_track_latency() to ensure proper array indexing operations and prevent the overflow condition. System administrators should prioritize applying security patches from their distribution vendors, particularly those containing fixes for the RDS subsystem's latency tracking implementation. Additionally, monitoring for unusual network behavior or system instability related to RDS communications can help detect exploitation attempts. The fix requires careful attention to maintain compatibility with existing applications while ensuring robust bounds checking that prevents similar issues across all array access operations within the RDS message handling pipeline.
The vulnerability demonstrates how complex kernel subsystems require rigorous bounds validation, especially when dealing with dynamic tracing and monitoring capabilities. The interaction between multiple data structures with different sizing constraints creates opportunities for subtle programming errors that can result in critical security flaws. This particular case highlights the importance of thorough code review practices and automated testing mechanisms like UBSAN in identifying memory safety issues before they can be exploited in production environments.