CVE-2024-50085 in Linux
Summary
by MITRE • 10/29/2024
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow
Syzkaller reported this splat:
==================================================================
BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662

CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline]
 mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572
 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603
 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg net/socket.c:744 [inline]
 ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607
 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661
 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7fe4579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 5387:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803
 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956
 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline]
 tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167
 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764
 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592
 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642
 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline]
 mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943
 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777
 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated---
Analysis
by VulDB Data Team • 08/21/2025
The vulnerability described in CVE-2024-50085 resides within the Multipath TCP (MPTCP) implementation of the Linux kernel, specifically in the policy manager netlink interface. This issue manifests as a use-after-free (UaF) condition in the function mptcp_pm_nl_rm_addr_or_subflow, which is responsible for handling removal of addresses or subflows within the MPTCP framework. The flaw was detected by the Syzkaller fuzzer, a tool designed to find kernel-level vulnerabilities through automated testing. The reported KASAN splat shows a 4-byte read of memory that had already been freed, which can lead to memory corruption and system instability. The read occurs at offset 0xb44 within mptcp_pm_nl_rm_addr_or_subflow, at line 881 of the net/mptcp/pm_netlink.c source file, and the call trace reaches it from a generic netlink delete-address request (mptcp_pm_nl_del_addr_doit) submitted through sendmsg() by a local task, so the issue originates in the handling of MPTCP netlink commands related to address or subflow management.
The technical root cause is improper memory management within the MPTCP policy manager subsystem. When processing MPTCP netlink messages to remove addresses or subflows, the kernel fails to ensure that all references to freed memory structures are invalidated before they are accessed again. The UaF condition arises during a sequence involving subflow creation and address management: the affected object is allocated in subflow_create_ctx (the "Allocated by" stack in the splat), later freed prematurely, and then read in mptcp_pm_nl_rm_addr_or_subflow. This type of vulnerability is classified under CWE-416, which covers use of memory after it has been freed, a common class of memory safety issues that can lead to arbitrary code execution or denial of service. The vulnerability is particularly concerning because it involves the kernel's networking subsystem, where an attacker could potentially exploit it to gain unauthorized access or disrupt network operations.
The operational impact of this vulnerability extends to systems running Linux kernels with MPTCP enabled, particularly those that rely on multipath TCP for network connectivity. An attacker who successfully exploits this vulnerability could cause the kernel to crash or potentially execute arbitrary code with kernel privileges, depending on the specific memory corruption patterns. The risk is elevated in environments where MPTCP is actively used for high-performance networking or when systems are exposed to untrusted network input through MPTCP netlink interfaces. The vulnerability affects the broader MPTCP ecosystem, as it impacts the reliability and security of multipath TCP implementations, which are increasingly used in data centers, high-performance computing environments, and edge computing scenarios. According to the ATT&CK framework, this vulnerability could be leveraged for privilege escalation or denial of service through kernel memory corruption techniques, potentially enabling further exploitation within the system.
Mitigation strategies for CVE-2024-50085 include applying the latest kernel patches that address the memory management issue in the MPTCP policy manager. System administrators should prioritize updating their Linux kernels to versions that contain the fix for this vulnerability, particularly in production environments where MPTCP is actively used. Administrators should also monitor for unusual network behavior or kernel crashes that might indicate exploitation attempts. The fix typically involves ensuring proper reference counting and memory invalidation in the MPTCP netlink handling code, so that freed memory structures are never accessed. Organizations using custom kernel builds or embedded systems should verify that their MPTCP implementations include the necessary protections against this class of memory corruption. Network segmentation and access controls should also be maintained to limit exposure to potential attackers who might attempt to exploit this vulnerability through network-based attacks. The vulnerability underscores the importance of regular kernel updates and the need for robust memory safety practices in kernel subsystems, particularly in complex networking protocols like MPTCP that handle dynamic connection management.
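As an added illustration of the bug class described in the root-cause and mitigation paragraphs above, the following constructed C model (not the kernel's code and not the actual patch) shows a removal walk that frees a subflow context and then reads one of its fields, beside the hardened ordering that copies out the field and saves the next pointer before the free. The names add_subflow, close_subflow and rm_subflow_fixed, and the singly linked list, are assumptions of this model.

```c
/* Constructed model (not the kernel's code) of the read-after-free behind
 * CVE-2024-50085: a remove walk frees a subflow context, then reads it. */
#include <stdlib.h>
struct subflow_ctx {
    struct subflow_ctx *next;
    unsigned int local_id;
    unsigned int request_join;  /* set if the PM itself requested the subflow */
};
struct msk { struct subflow_ctx *conn_list; };  /* the msk's list of subflows */

/* Like subflow_create_ctx(): allocate a context and link it into the msk. */
struct subflow_ctx *add_subflow(struct msk *m, unsigned int id, unsigned int join)
{
    struct subflow_ctx *s = calloc(1, sizeof(*s));
    *s = (struct subflow_ctx){ .next = m->conn_list, .local_id = id, .request_join = join };
    m->conn_list = s;
    return s;
}

/* Models mptcp_close_ssk(): unlink and free s; any pointer to s the caller
 * still holds is dangling after this returns. */
static void close_subflow(struct msk *m, struct subflow_ctx *s)
{
    struct subflow_ctx **pp = &m->conn_list;
    while (*pp && *pp != s)
        pp = &(*pp)->next;
    if (*pp)
        *pp = s->next;
    free(s);
}

/* Buggy ordering (comment only, never run):
 *     close_subflow(m, s);
 *     removed |= s->request_join;   <- read of freed memory, what KASAN reports
 * Hardened ordering: copy out needed fields and save 'next' before freeing. */
int rm_subflow_fixed(struct msk *m, unsigned int rm_id)
{
    struct subflow_ctx *s = m->conn_list, *tmp = NULL;
    int removed = 0;
    for (; s; s = tmp) {
        tmp = s->next;                        /* saved before s may be freed */
        if (s->local_id != rm_id)
            continue;
        unsigned int join = s->request_join;  /* read before close_subflow() */
        close_subflow(m, s);
        removed |= join;
    }
    return removed;
}
```

Under KASAN the commented-out ordering is exactly what produces a "slab-use-after-free ... Read of size 4" report at the line that touches s after the close.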