CVE-2024-36918 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

bpf: Check bloom filter map value size

This patch adds a missing check to bloom filter creating, rejecting values above KMALLOC_MAX_SIZE. This brings the bloom map in line with many other map types.

The lack of this protection can cause kernel crashes for value sizes that overflow int's. Such a crash was caught by syzkaller. The next patch adds more guard-rails at a lower level.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/18/2025

The vulnerability identified as CVE-2024-36918 affects the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically targeting bloom filter map implementations. This issue represents a critical memory management flaw that could lead to system instability and potential denial of service conditions. The vulnerability resides in how the kernel handles memory allocation for bloom filter maps, where insufficient validation allows for potentially dangerous value sizes to be processed without proper bounds checking. The problem manifests when the kernel attempts to create bloom filter maps with values exceeding the KMALLOC_MAX_SIZE threshold, which can result in kernel crashes and system instability.

The technical flaw stems from the absence of proper size validation during bloom filter map creation processes. When the kernel processes bloom filter map operations, it fails to validate that the value size parameter remains within acceptable bounds defined by KMALLOC_MAX_SIZE. This missing validation creates a path where malicious or malformed inputs can cause integer overflow conditions that ultimately lead to kernel memory corruption. The vulnerability specifically impacts the bpf subsystem's memory allocation mechanisms, where the lack of bounds checking allows for oversized allocations that can overwhelm kernel memory management structures. The issue was identified through automated testing conducted by syzkaller, a sophisticated kernel fuzzer that systematically tests kernel code paths for potential vulnerabilities.

The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling more sophisticated attack vectors within kernel space. When the bloom filter map creation process encounters values that exceed KMALLOC_MAX_SIZE, the kernel's memory management subsystem becomes unstable, leading to unpredictable behavior and system crashes. This instability can be exploited by attackers to cause denial of service conditions that may persist until system reboot. The vulnerability's exploitation could also potentially lead to privilege escalation opportunities, as kernel memory corruption often presents pathways for attackers to gain elevated privileges. The flaw affects systems running Linux kernels that implement eBPF functionality with bloom filter maps, particularly those that process user-supplied data through kernel interfaces.

The mitigation strategy for this vulnerability involves implementing proper bounds checking during bloom filter map creation, ensuring that all value sizes remain within the KMALLOC_MAX_SIZE limits. This patch aligns the bloom filter map implementation with other map types in the kernel, establishing consistent validation mechanisms across different map implementations. The fix addresses the root cause by adding explicit size validation checks that prevent oversized allocations from being processed. Organizations should apply the kernel updates containing this patch immediately to protect against potential exploitation. Additionally, system administrators should monitor for any signs of kernel instability or unexpected crashes that might indicate attempted exploitation of this vulnerability. The fix also incorporates additional guard-rails at lower system levels to prevent similar issues from occurring in other kernel subsystems, following the principle of defense in depth. This vulnerability demonstrates the importance of comprehensive input validation in kernel code and aligns with CWE-129, which addresses improper validation of length of buffers, and relates to ATT&CK technique T1068, which covers exploit for privilege escalation through kernel vulnerabilities.

Sources

Want to know what is going to be exploited?

We predict KEV entries!