CVE-2024-57982

HIGH EPSS 11.9%
Published Feb 27, 20251y ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published Feb 27, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
11.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 2

VendorProductVersionRange
linuxlinux_kernel*≥4.9  –  <6.12.13
linuxlinux_kernel*≥6.13  –  <6.13.2

References 4

  • git.kernel.org https://git.kernel.org/stable/c/a16871c7832ea6435abb6e0b58289ae7dcb7e4fc
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/b86dc510308d7a8955f3f47a4fea4bef887653e4
  • git.kernel.org https://git.kernel.org/stable/c/dd4c2a174994238d55ab54da2545543d36f4e0d0
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/e952837f3ddb0ff726d5b582aa1aad9aa38d024d
    Mailing ListPatch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/a16871c7832ea6435abb6e0b58289ae7dcb7e4fc
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/dd4c2a174994238d55ab54da2545543d36f4e0d0
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/e952837f3ddb0ff726d5b582aa1aad9aa38d024d
    Mailing ListPatch