CVE-2024-49850 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos

In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL referencing a non-existing BTF type, function bpf_core_calc_relo_insn would cause a null pointer deference.

Fix this by adding a proper check upper in call stack, as malformed relocation records could be passed from user space.

Simplest reproducer is a program:

r0 = 0 exit

With a single relocation record:

.insn_off = 0, /* patch first instruction */ .type_id = 100500, /* this type id does not exist */ .access_str_off = 6, /* offset of string "0" */ .kind = BPF_CORE_TYPE_ID_LOCAL,

See the link for original reproducer or next commit for a test case.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability identified as CVE-2024-49850 represents a critical null pointer dereference flaw within the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically affecting the handling of malformed BPF_CORE_TYPE_ID_LOCAL relocation records. This issue resides in the bpf_core_calc_relo_insn function which processes relocation information during BPF program loading and execution. The flaw occurs when a BPF program attempts to reference a non-existent BTF (BPF Type Format) type through a relocation record, creating a scenario where the kernel fails to validate the existence of the referenced type before attempting to access it, leading to potential system instability and denial of service conditions.

The technical implementation of this vulnerability stems from inadequate input validation within the BPF core subsystem, where user-space provided relocation records are not sufficiently verified before being processed. When a BPF program contains a relocation record with kind BPF_CORE_TYPE_ID_LOCAL referencing a type_id that does not exist in the BTF type table, the kernel's relocation processing logic fails to detect this invalid reference and proceeds with attempting to dereference a null pointer. This particular flaw manifests when processing a simple BPF program with a single instruction that exits, combined with a malformed relocation record specifying a non-existent type ID of 100500. The vulnerability operates at the intersection of kernel memory management and BPF program validation, creating a path where untrusted input from user space can directly impact kernel memory structures.

The operational impact of CVE-2024-49850 extends beyond simple denial of service scenarios to potentially enable more sophisticated attack vectors within the kernel's BPF subsystem. This vulnerability can be exploited by malicious actors to cause system crashes, leading to denial of service conditions that affect network operations and system stability. The flaw exists in the kernel's BPF JIT (Just-In-Time) compilation and relocation processing pipeline, where malformed relocation records bypass proper validation checks. According to CWE classification, this represents a CWE-476: NULL Pointer Dereference, while the ATT&CK framework would categorize this under T1059.007: Command and Scripting Interpreter - Python, though the actual exploitation occurs at the kernel level rather than through user-space scripting. The vulnerability affects systems running Linux kernel versions that include the BPF subsystem with BTF support, particularly those implementing BPF program loading and relocation processing capabilities.

The mitigation strategy for CVE-2024-49850 involves implementing proper input validation at the upper levels of the call stack, specifically ensuring that BPF relocation records are validated before being passed to the bpf_core_calc_relo_insn function. The fix requires adding checks to verify the existence of referenced BTF types before processing relocation records, preventing the propagation of malformed records from user space into kernel memory management operations. System administrators should ensure their Linux kernel installations are updated with patches addressing this vulnerability, particularly those containing the fix that adds proper type existence verification in the relocation processing pipeline. Organizations should also implement monitoring for unusual BPF program loading activities and consider restricting BPF program capabilities in environments where untrusted code execution is possible. The vulnerability highlights the importance of robust input validation in kernel subsystems and demonstrates how seemingly benign user-space inputs can lead to critical kernel-level failures, emphasizing the need for comprehensive security testing of kernel subsystems that process external inputs.

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00207

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!