CVE-2024-49940 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

l2tp: prevent possible tunnel refcount underflow

When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tp_session_free drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tp_session_create, before the tunnel refcount is incremented by l2tp_session_register, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped.

Moving the assignment to l2tp_session_register is trivial but l2tp_session_create calls l2tp_session_set_header_len which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tp_session_set_header_len to avoid using session->tunnel.

If l2tpv3 sessions have colliding IDs, it is possible for l2tp_v3_session_get to race with l2tp_session_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case.


Analysis

by VulDB Data Team • 03/18/2026

CVE-2024-49940 is a race condition in the Linux kernel's Layer 2 Tunneling Protocol (L2TP) subsystem (net/l2tp) in which the ordering of session creation, session registration and session teardown can cause a tunnel's reference count to be dropped one more time than it was taken. A reference that is released without a matching acquire means the tunnel can be freed while other code still holds and uses it, which is the usual path from a refcount bug to kernel memory corruption, a crash (denial of service) or, with more effort, local privilege escalation. The kernel's own description calls it a "possible tunnel refcount underflow"; the EPSS and KEV fields further down this page reflect no evidence of exploitation in the wild.

The root cause is the order of operations during session creation and registration. l2tp_session_create sets the session's backpointer, session->tunnel, as soon as the session is allocated, but the tunnel's reference count is only incremented later, in l2tp_session_register. l2tp_session_free, which runs when the session's own refcount reaches zero, drops a tunnel reference whenever session->tunnel is non-NULL. Between create and register, therefore, the backpointer claims a reference the session does not actually hold: if the session is released in that window, l2tp_session_free puts a tunnel reference that was never taken. The assignment sat in l2tp_session_create at all because l2tp_session_set_header_len, called from create, read the tunnel's encapsulation type through session->tunnel. A second, related race is specific to L2TPv3: when several sessions share a session ID, l2tp_v3_session_get can race with l2tp_session_register and return a session whose tunnel backpointer has not been set yet. In CWE terms this is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, "Race Condition"); the closest ATT&CK mapping is T1068, Exploitation for Privilege Escalation, for an attacker who can turn the resulting memory-safety bug into code execution.

The operational impact follows from what an extra tunnel put does. The kernel's refcount_t detects underflow and warns rather than silently wrapping, but the damage is done one step earlier: the tunnel's count can reach zero while the tunnel is still in use, so the tunnel and the socket and state hanging off it can be freed and then dereferenced. That is a use-after-free in kernel networking code, which at minimum crashes the host and, for a local attacker able to create L2TP tunnels and sessions and shape the heap, is the classic building block for privilege escalation. L2TPv3 is used in enterprise VPN and pseudowire deployments, and because the receive path looks sessions up by ID, the colliding-ID race in l2tp_v3_session_get is reachable while a session is being registered, not only from the control plane. Note that this second issue, fetching a session whose session->tunnel is still NULL (the session is zero-initialised on allocation), is a NULL pointer dereference rather than use of uninitialised memory.

The fix addresses the ordering directly. The assignment of session->tunnel moves from l2tp_session_create into l2tp_session_register, next to the tunnel refcount increment, so the backpointer is non-NULL exactly when the session holds a tunnel reference and the conditional put in l2tp_session_free is always balanced. Because l2tp_session_create still needs the tunnel's encapsulation type to compute the header length, l2tp_session_set_header_len gains an explicit encap argument instead of reading it through session->tunnel. Finally, l2tp_v3_session_get checks for a session whose tunnel backpointer is not yet set and does not return it, closing the colliding-ID race. The invariant to look for when reviewing similar code is the one the patch restores: a pointer that a destructor uses to decide whether to release a reference must be set in the same step in which that reference is taken. A practical check on a running system is whether the kernel build carries the commit with the message quoted above, which the distribution's changelog or a git log search of net/l2tp for "prevent possible tunnel refcount underflow" will show; on hosts that do not need L2TP, not loading the l2tp modules removes the attack surface regardless.
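The two orderings described in the root-cause and fix paragraphs above, as an added userspace model that is not the kernel's code. The function names mirror the kernel's (l2tp_session_create/_register/_free, l2tp_v3_session_get) but everything else is a constructed stand-in: refcounts are plain ints, "freeing" a tunnel just sets a flag, the header-length arithmetic is simplified to the one property that matters (it depends on the tunnel's encapsulation type), and run_lifecycle plays the role of a caller that releases a session before registration completed.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the l2tp tunnel/session refcount lifecycle, not kernel code. */

enum encap { ENCAP_UDP, ENCAP_IP };

struct tunnel {
	int refcount;     /* held by the tunnel's creator plus one per registered session */
	enum encap encap;
	bool freed;       /* set when refcount reaches 0 */
	int underflows;   /* puts on a zero refcount; refcount_t would WARN here */
};

struct session {
	int refcount;
	struct tunnel *tunnel; /* backpointer; should mean "this session holds a tunnel ref" */
	int version;           /* 2 or 3 */
	int hdr_len;
};

static void tunnel_get(struct tunnel *t) { t->refcount++; }

static void tunnel_put(struct tunnel *t)
{
	if (t->refcount == 0) { t->underflows++; return; }
	if (--t->refcount == 0)
		t->freed = true;
}

/* Mirrors l2tp_session_free: drop the tunnel ref iff the backpointer is set. */
static void session_put(struct session *s)
{
	if (--s->refcount)
		return;
	if (s->tunnel)
		tunnel_put(s->tunnel);
	free(s);
}

/* Simplified stand-in for l2tp_session_set_header_len; the point is only that
 * it needs the tunnel's encapsulation type. */
static int header_len(int version, enum encap encap)
{
	if (version == 2)
		return 6;
	return encap == ENCAP_UDP ? 8 : 4;
}

/* Pre-fix ordering: create sets the backpointer, register takes the ref. */
static struct session *session_create_buggy(struct tunnel *t, int version)
{
	struct session *s = calloc(1, sizeof(*s));
	s->refcount = 1;
	s->version = version;
	s->tunnel = t;                                       /* set before any tunnel_get() */
	s->hdr_len = header_len(version, s->tunnel->encap);  /* why create wanted the pointer */
	return s;
}

static void session_register_buggy(struct session *s, struct tunnel *t)
{
	(void)s;          /* backpointer already set; between create and here it lies */
	tunnel_get(t);
}

/* Post-fix ordering: encap is passed explicitly, backpointer set together with the ref. */
static struct session *session_create_fixed(struct tunnel *t, int version)
{
	struct session *s = calloc(1, sizeof(*s));
	s->refcount = 1;
	s->version = version;
	s->hdr_len = header_len(version, t->encap);          /* no session->tunnel use */
	return s;                                            /* s->tunnel stays NULL */
}

static void session_register_fixed(struct session *s, struct tunnel *t)
{
	tunnel_get(t);
	s->tunnel = t;    /* non-NULL exactly when a tunnel ref is held */
}

struct outcome { int underflows; bool freed_while_creator_held; };

/* One session lifecycle against a tunnel whose creator holds one ref.
 * registered=false models the session being released before registration
 * completed, which is the window the commit message describes. */
static struct outcome run_lifecycle(bool fixed, bool registered)
{
	struct tunnel t = { .refcount = 1, .encap = ENCAP_UDP };
	struct session *s = fixed ? session_create_fixed(&t, 3) : session_create_buggy(&t, 3);
	if (registered) {
		if (fixed) session_register_fixed(s, &t);
		else       session_register_buggy(s, &t);
	}
	session_put(s);
	bool early = t.freed;   /* tunnel gone while its creator still holds it? */
	tunnel_put(&t);         /* creator's own reference */
	return (struct outcome){ t.underflows, early };
}

/* Model of the l2tp_v3_session_get race: a session already findable by ID but
 * not yet registered. With the fixed ordering its tunnel is NULL, so without
 * the added check a caller is handed a session whose tunnel it will dereference. */
static bool lookup_hands_out_unregistered(bool with_check)
{
	struct tunnel t = { .refcount = 1, .encap = ENCAP_IP };
	struct session *found = session_create_fixed(&t, 3);   /* register not yet run */
	struct session *got = (with_check && !found->tunnel) ? NULL : found;
	bool handed_out = got != NULL;
	if (got) { got->refcount++; session_put(got); }
	session_put(found);
	tunnel_put(&t);
	return handed_out;
}
```

The buggy ordering loses one tunnel reference in the unregistered path (the tunnel is "freed" while its creator still holds it, and the creator's own put then underflows); the fixed ordering never does, in either path, because the backpointer and the reference now change together. The lookup model shows why moving the assignment needed the companion check in l2tp_v3_session_get.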

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00204

KEV

no

Activities

very low
