CVE-2024-44974 in Linux

Summary

by MITRE • 09/04/2024

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: avoid possible UaF when selecting endp

select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free.

A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case, so a copy seems OK to deal with.


Analysis

by VulDB Data Team • 01/21/2026

The vulnerability described in CVE-2024-44974 resides within the Linux kernel's Multipath TCP implementation, specifically within the path management subsystem. This issue manifests as a use-after-free condition that occurs during the selection of local and signal addresses for multipath TCP connections. The problem is particularly significant because it affects the core networking functionality that enables high-performance, reliable data transmission across multiple network paths simultaneously. The vulnerability impacts systems utilizing the Multipath TCP protocol, which is increasingly deployed in high-bandwidth applications such as video streaming, large file transfers, and enterprise networking solutions where connection reliability and performance are paramount.

The technical flaw occurs in the mptcp subsystem, where the functions select_local_address() and select_signal_address() select an endpoint entry from a list while inside an RCU (Read-Copy-Update) protected section. Both functions correctly identify the entry, but they return a reference to it rather than its contents, so the reference may become invalid once the RCU read-side lock is released. RCU allows concurrent readers without blocking writers, which means a writer may free an entry as soon as no reader holds the lock; a reference carried out of the protected section and dereferenced afterwards therefore opens a window in which the referenced memory may already have been freed and reallocated. This violates basic memory-safety expectations and creates a potential attack vector in which the dangling pointer could be exploited to execute arbitrary code or cause system instability.

The operational impact of this vulnerability extends beyond simple system crashes or hangs, as it represents a critical security risk that could be exploited to compromise system integrity. When the endpoint entries are dereferenced after the RCU unlock, the kernel may read memory that has already been freed, potentially leading to kernel memory corruption, privilege escalation, or denial of service. The vulnerability is particularly concerning in server environments where multipath TCP is actively used, as it could allow attackers to destabilize network services or potentially gain elevated privileges in kernel space. The risk is amplified because an exploit would require minimal privileges and could be triggered through normal network operations involving multipath TCP connections, making it difficult to detect and prevent through conventional network monitoring.

The solution implemented addresses the root cause by copying all required information while still inside the RCU protected section, so that nothing referenced after the unlock can point at freed memory. This approach aligns with established practice for handling RCU-protected data structures and follows the principle of least privilege in memory management. The fix also accommodates the address ID modification that may need to happen later (the ID0 case), since the caller now owns a private copy it can adjust, which keeps the implementation flexible for future changes while ensuring immediate safety. The mitigation prevents the use-after-free by guaranteeing that any data used after the RCU read-side lock is released is already a safe copy, independent of the original data structure. The weakness is classified as CWE-416 (use-after-free), and the attack it forecloses corresponds to ATT&CK technique T1068 (Exploitation for Privilege Escalation via kernel exploits). Organizations should prioritize applying this patch to all systems running Linux kernels with multipath TCP support, particularly those in high-security environments where network reliability and kernel-level integrity are critical requirements.
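The two paragraphs above describe the pre-fix pattern (a pointer escaping the RCU read-side section) and the fix (copying inside it). The following user-space C model, added here and not taken from the kernel or the advisory, contrasts both: `struct endpoint`, `endp_list`, the `rcu_*_stub` no-ops and the poison-on-remove writer are all hypothetical stand-ins chosen so the stale read is observable without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical user-space model, not the kernel's struct; rcu_*_stub are no-ops. */
struct endpoint { uint8_t id; uint8_t flags; uint32_t addr; };
#define NENDP 3
static const struct endpoint initial[NENDP] = {
    {1, 0, 0x0a000001u}, {2, 1, 0x0a000002u}, {3, 0, 0x0a000003u} };
static struct endpoint endp_list[NENDP];
static void reset_endpoints(void) { memcpy(endp_list, initial, sizeof endp_list); }
static void rcu_read_lock_stub(void) {}
static void rcu_read_unlock_stub(void) {}
/* Writer side: a removed entry is poisoned with 0xff bytes instead of being
 * free()d, so a stale read stays defined behaviour yet remains observable. */
static void remove_endpoint(uint8_t id) {
    for (int i = 0; i < NENDP; i++)
        if (endp_list[i].id == id) memset(&endp_list[i], 0xff, sizeof endp_list[i]);
}
/* Pre-fix pattern: the pointer escapes the read-side critical section. */
static struct endpoint *select_endpoint_ref(uint8_t want_flags) {
    struct endpoint *found = NULL;
    rcu_read_lock_stub();
    for (int i = 0; i < NENDP && !found; i++)
        if (endp_list[i].flags == want_flags) found = &endp_list[i];
    rcu_read_unlock_stub();
    return found; /* dangles as soon as a writer removes the entry */
}
/* Fixed pattern: copy the needed fields while still inside the section. */
static int select_endpoint_copy(uint8_t want_flags, struct endpoint *out) {
    int ret = -1;
    rcu_read_lock_stub();
    for (int i = 0; i < NENDP && ret != 0; i++)
        if (endp_list[i].flags == want_flags) { *out = endp_list[i]; ret = 0; }
    rcu_read_unlock_stub();
    return ret;
}
/* Same interleaving in both: select, a writer removes entry 2, caller reads. */
static uint32_t scenario_ref(void) {
    reset_endpoints();
    struct endpoint *e = select_endpoint_ref(1);
    remove_endpoint(2);
    return e ? e->addr : 0; /* reads the poisoned entry: 0xffffffff */
}
static uint32_t scenario_copy(void) {
    struct endpoint e;
    reset_endpoints();
    if (select_endpoint_copy(1, &e) != 0) return 0;
    remove_endpoint(2);
    return e.addr; /* private copy is unaffected: 0x0a000002 */
}
```

In the real kernel the freed entry is reused rather than poisoned, which is why the stale read in `scenario_ref` is a memory-safety bug and not merely a wrong value.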

Responsible

Linux

Reservation

08/21/2024

Disclosure

09/04/2024

Moderation

accepted

CPE

ready

EPSS

0.00272

KEV

no

Activities

very low
