CVE-2024-50154
CVSS 3.1 Score 7 of 10 (high)
Details
Summary
CVE-2024-50154 is a vulnerability in the Linux kernel that stems from the use of timer_pending() in reqsk_queue_unlink(). That call was introduced by a commit meant to fix a potential deadlock, but it opened a small race window.

Before a timer's handler is called, expire_timers() clears timer->entry.pprev, which marks the timer as no longer pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() has called detach_timer(), TCP skips del_timer_sync(), so the reqsk timer keeps running and keeps sending SYN+ACKs until it expires. If req->sk is closed before the timer expires (63 seconds by default), this can become a use-after-free.

The recommended fix is to pass the caller context to __inet_csk_reqsk_queue_drop() instead of relying on timer_pending(). Note that the issue only affects reqsk timers that are pinned and does not occur in most use cases. The vulnerability was reported by Martin KaFai Lau and was identified during a kernel fencing analysis.
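The race above is a check-then-act on a flag that another path clears first. The following user-space C model, added here as an illustration and not taken from the kernel or from the fix commit, replays the interleaving: the timer wheel detaches the timer (clearing pprev) before running its handler, the socket-close path then decides whether to call del_timer_sync() either by inspecting timer_pending() (the pre-fix logic) or from an explicit caller-context flag (the post-fix approach, modelled with a hypothetical from_timer parameter), and the handler finally runs and re-arms itself as reqsk_timer_handler() would. All structures, names and retry counts are constructed for the model; a cancelled handler is treated as doing nothing, which simplifies the kernel's actual del_timer_sync() semantics.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a kernel timer for illustration; not the Linux
 * timer_list. As in the kernel, "pending" means entry.pprev != NULL, and
 * detach_timer() clears it before the handler is invoked. */
struct sim_timer {
    void **pprev;       /* non-NULL while queued on the timer wheel */
    int retries_left;   /* SYN+ACK retransmits the handler still wants to send */
    bool cancelled;     /* set by del_timer_sync(); handler then does nothing */
};

static void *list_anchor;  /* dummy list head so pprev has something to point at */

static void sim_add_timer(struct sim_timer *t) { t->pprev = &list_anchor; }
static bool sim_timer_pending(const struct sim_timer *t) { return t->pprev != NULL; }

/* expire_timers() step 1: detach_timer() marks the timer not pending. */
static void sim_detach_timer(struct sim_timer *t) { t->pprev = NULL; }

/* del_timer_sync(): dequeue and make sure the handler will not re-arm
 * (simplification: in this model a cancelled handler sends nothing). */
static void sim_del_timer_sync(struct sim_timer *t) {
    t->pprev = NULL;
    t->cancelled = true;
}

/* expire_timers() step 2: the handler. Like reqsk_timer_handler(), it
 * "sends" a SYN+ACK and re-arms itself until its retry budget is spent.
 * Returns 1 if a SYN+ACK was sent, 0 otherwise. */
static int sim_reqsk_timer_handler(struct sim_timer *t) {
    if (t->cancelled || t->retries_left == 0)
        return 0;
    t->retries_left--;
    if (t->retries_left > 0)
        sim_add_timer(t);  /* re-arm for the next retransmit */
    return 1;
}

/* Pre-fix logic: only cancel if the timer still looks pending. */
static bool unlink_using_timer_pending(struct sim_timer *t) {
    if (sim_timer_pending(t)) {
        sim_del_timer_sync(t);
        return true;
    }
    return false;  /* del_timer_sync() skipped: this is the bug */
}

/* Post-fix logic: the caller states whether it *is* the timer handler;
 * every other caller cancels synchronously. from_timer is a hypothetical
 * parameter name for this model. */
static bool unlink_using_caller_context(struct sim_timer *t, bool from_timer) {
    if (!from_timer) {
        sim_del_timer_sync(t);
        return true;
    }
    return false;
}

/* Drive one interleaving. If race is true, the timer wheel has already
 * detached the timer (but not yet run its handler) when the request
 * socket is dropped from a non-timer context. Returns the number of
 * SYN+ACKs the handler sends after the drop; anything above 0 means the
 * timer outlived the request it belongs to. */
static int syn_acks_after_drop(bool race, bool use_fix) {
    struct sim_timer t = { .retries_left = 3 };  /* constructed retry budget */
    sim_add_timer(&t);

    if (race)
        sim_detach_timer(&t);  /* expire_timers() cleared pprev; handler about to run */

    /* Socket close path drops the request. */
    if (use_fix)
        unlink_using_caller_context(&t, false);
    else
        unlink_using_timer_pending(&t);

    /* The dispatched handler runs (a no-op if cancelled), then each
     * re-armed firing is detached and run in turn, as the wheel would. */
    int sent = 0;
    for (;;) {
        sent += sim_reqsk_timer_handler(&t);
        if (!sim_timer_pending(&t))
            break;
        sim_detach_timer(&t);
    }
    return sent;
}

int main(void) {
    printf("no race, pre-fix : %d SYN+ACKs after drop\n", syn_acks_after_drop(false, false));
    printf("race,    pre-fix : %d SYN+ACKs after drop\n", syn_acks_after_drop(true, false));
    printf("race,    post-fix: %d SYN+ACKs after drop\n", syn_acks_after_drop(true, true));
    return 0;
}
```

Without the race, the timer_pending() check is enough and the drop cancels the timer. With the race, the pre-fix path sees "not pending", skips the cancel, and the handler fires its full retry budget against a request that has already been dropped; the caller-context variant cancels regardless of what the flag says, which is the property the fix restores.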