CVE-2024-47710 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
sock_map: Add a cond_resched() in sock_hash_free()
Several syzbot soft lockup reports all have in common sock_hash_free().
If a map with a large number of buckets is destroyed, we need to yield the cpu when needed.
Analysis
by VulDB Data Team • 01/19/2026
The vulnerability identified as CVE-2024-47710 resides within the Linux kernel's socket mapping subsystem, specifically affecting the sock_hash_free() function that handles cleanup operations for socket hash maps. This issue manifests as a potential system hang or soft lockup condition during the destruction of socket hash maps containing a large number of buckets. The problem stems from insufficient CPU yield mechanisms during the memory deallocation process, which can cause the kernel to monopolize processor resources and prevent other critical system operations from executing properly. The vulnerability was discovered through syzbot automated testing, which identified consistent soft lockup patterns associated with sock_hash_free() operations, indicating a systemic performance degradation issue rather than a simple memory corruption flaw.
The technical root cause involves the absence of proper scheduling hints within the sock_hash_free() function when processing large-scale socket hash maps. When a socket map with numerous buckets is being destroyed, the cleanup routine executes in a tight loop without yielding control to the kernel scheduler. This behavior violates fundamental kernel design principles that require periodic CPU relinquishment during lengthy operations to prevent system unresponsiveness. The missing cond_resched() call represents a critical oversight in the kernel's resource management strategy, as it fails to implement the necessary cooperative multitasking mechanisms that would allow other processes to execute during the cleanup phase. This flaw directly maps to CWE-704, which addresses improper use of kernel scheduling primitives, and demonstrates poor adherence to kernel development best practices regarding resource management and system responsiveness.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially compromising system stability and availability. During high-load scenarios where socket hash maps are frequently created and destroyed, particularly in network-intensive applications or services handling thousands of concurrent connections, the system may experience complete unresponsiveness. This condition can lead to service outages, application timeouts, and in severe cases, complete system lockups that require manual intervention or reboot. The vulnerability affects systems running Linux kernels that implement the socket map functionality, particularly those utilizing eBPF (extended Berkeley Packet Filter) programs that rely on socket hash maps for network traffic management and filtering. Attackers could potentially exploit this weakness to conduct denial-of-service attacks against systems running vulnerable kernel versions, making it a significant concern for network infrastructure and cloud computing environments.
Mitigation strategies for CVE-2024-47710 should focus on implementing the missing cond_resched() call within the sock_hash_free() function as part of kernel patching procedures. System administrators should prioritize updating to kernel versions that include the fix, which typically involves applying the specific patch that introduces periodic CPU yielding during large-scale socket map destruction operations. Organizations running critical infrastructure should conduct thorough testing of kernel updates in staging environments before deployment to ensure compatibility with existing network services and applications. Monitoring systems should be enhanced to detect potential soft lockup conditions related to socket map operations, particularly during peak network traffic periods. The fix aligns with ATT&CK technique T1499.004, which involves resource exhaustion through kernel-level manipulation, and represents a preventive measure against such attacks by ensuring proper kernel scheduling behavior during resource cleanup operations. Additionally, system administrators should consider implementing resource limits and monitoring for socket map usage patterns to identify potential exploitation attempts and maintain overall system health.
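The soft-lockup monitoring recommended above can start from the kernel's own watchdog output. The following is an added example, not code from VulDB or the kernel project: it scans kernel log lines for soft-lockup reports whose RIP or call trace names sock_hash_free. The log lines are constructed, and the function name find_sockmap_lockups and the symbol example_busy_loop are hypothetical.

```python
import re

# Constructed sample log (not from a real host), in the soft-lockup watchdog layout.
SAMPLE_LOG = """\
[  512.100001] watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:2:4711]
[  512.100009] RIP: 0010:sock_hash_free+0x1c2/0x6a0
[  512.100015] Call Trace:
[  512.100016]  <TASK>
[  512.100018]  bpf_map_free_deferred+0xe6/0x110
[  512.100020]  process_one_work+0x2f1/0x5d0
[  512.100022]  </TASK>
[  900.200001] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [myapp:1200]
[  900.200009] RIP: 0010:example_busy_loop+0x10/0x40
[  900.200015] Call Trace:
[  900.200016]  <TASK>
[  900.200018]  ? sock_hash_free+0x20/0x6a0
[  900.200020]  </TASK>
[  950.300001] watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [myapp:1201]
[  950.300009] RIP: 0010:example_busy_loop+0x10/0x40
""".splitlines()

HEADER = re.compile(r"BUG: soft lockup - CPU#(\d+) stuck for (\d+)s! \[(.+):(\d+)\]")
# Stack frame "symbol+0xoff/0xsize"; a leading "?" marks a frame the unwinder could not verify.
FRAME = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_sockmap_lockups(lines, symbol="sock_hash_free"):
    """Return soft-lockup reports whose RIP or call trace names `symbol`."""
    reports, current = [], None
    for line in lines:
        head = HEADER.search(line)
        if head:  # a new report starts; later frames belong to it
            current = {"cpu": int(head[1]), "stuck_s": int(head[2]),
                       "task": head[3], "pid": int(head[4]), "confidence": None}
            reports.append(current)
            continue
        if current is None:
            continue
        if "</TASK>" in line:  # end of trace; older kernels lack this marker
            current = None
            continue
        frame = FRAME.search(line)
        # Compare without compiler suffixes such as ".cold" or ".constprop.0".
        if frame and frame[2].split(".")[0] == symbol:
            if frame[1] is None:
                current["confidence"] = "high"
            elif current["confidence"] is None:
                current["confidence"] = "low"
    return [r for r in reports if r["confidence"]]
```

The function accepts any iterable of lines, so the output of `dmesg` or `journalctl -k` can be passed in directly; a "low" confidence hit means the symbol appeared only in an unverified ("?") frame.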