Use-after-free vulnerability in the TCP subsystem of the Linux kernel – CVE-2024-36904

Title

Use-after-free vulnerability in the TCP subsystem of the Linux kernel.

Identifier(s)

CVE-2024-36904

Description

We discovered a use-after-free vulnerability in the core of the TCP subsystem of the Linux kernel. The vulnerable code was introduced by a commit merged in December 2017 and first released in Linux kernel 4.16; it was fixed in Linux kernel 6.9 in May 2024. The root cause is a reference counting issue involving TIME-WAIT sockets: inet_twsk_hashdance() inserts the TIME-WAIT socket into the established hash table before setting its reference counter, so a concurrent connect() that finds the socket while checking whether the port can be reused (tcp_twsk_unique()) can take a reference while the counter is still zero. inet_twsk_hashdance() then sets the counter to its initial value, discarding that reference, and the later release of that reference causes the socket to be freed while another owner is still using it. The vulnerability is particularly notable because the use-after-free occurs even on systems with the refcount_t saturation mechanism present: the increment from zero is detected and the counter is saturated, but the subsequent refcount_set() in inet_twsk_hashdance() overwrites the saturated value, defeating the protection. The fix makes tcp_twsk_unique() use refcount_inc_not_zero() and give up on reusing the port when the counter is still zero.
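The following is an added example, not code from this advisory or from the Linux kernel: a userspace C model of the race described above. It reimplements the saturation behaviour of refcount_t (increment from zero warns and pins the counter; decrement below zero warns) in a simplified form, then runs one fixed interleaving of inet_twsk_hashdance() and tcp_twsk_unique() twice, once with the original refcount_inc() and once with the refcount_inc_not_zero() of the fix. The names struct tw_sock, tw_put(), tw_use(), run_race() and struct outcome are hypothetical stand-ins for the kernel objects and paths; the three owners dropped at the end (bhash chain, ehash chain, timer) are the three references inet_twsk_hashdance() sets.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model of the kernel's refcount_t semantics, not
 * kernel code: a bad increment or decrement is reported once and the counter
 * is pinned at a saturation value. */
#define REFCOUNT_SATURATED (INT_MIN / 2)

struct refcount { atomic_int refs; };

static int warn_count;          /* number of modelled WARN_ONCE() events */

static void refcount_set(struct refcount *r, int n) { atomic_store(&r->refs, n); }

static void refcount_warn_saturate(struct refcount *r, const char *why)
{
	atomic_store(&r->refs, REFCOUNT_SATURATED);
	warn_count++;
	fprintf(stderr, "refcount_t: %s\n", why);
}

/* refcount_inc(): adds unconditionally, then complains if the old value was 0. */
static void refcount_inc(struct refcount *r)
{
	int old = atomic_fetch_add(&r->refs, 1);
	if (old == 0)
		refcount_warn_saturate(r, "addition on 0; use-after-free");
	else if (old < 0 || old + 1 < 0)
		refcount_warn_saturate(r, "saturated; leaking memory");
}

/* refcount_inc_not_zero(): takes a reference only if one already exists. */
static bool refcount_inc_not_zero(struct refcount *r)
{
	int old = atomic_load(&r->refs);
	do {
		if (old == 0)
			return false;
	} while (!atomic_compare_exchange_weak(&r->refs, &old, old + 1));
	return true;
}

/* Returns true when the last reference is dropped and the object must be freed. */
static bool refcount_dec_and_test(struct refcount *r)
{
	int old = atomic_fetch_sub(&r->refs, 1);
	if (old == 1)
		return true;
	if (old <= 0)
		refcount_warn_saturate(r, "underflow; use-after-free");
	return false;
}

/* Hypothetical stand-in for struct inet_timewait_sock. */
struct tw_sock {
	struct refcount tw_refcnt;
	bool in_ehash;
	bool freed;
	int uses_after_free;
};

static void tw_put(struct tw_sock *tw)
{
	if (refcount_dec_and_test(&tw->tw_refcnt))
		tw->freed = true;               /* models inet_twsk_free() */
}

static void tw_use(struct tw_sock *tw)
{
	if (tw->freed)
		tw->uses_after_free++;          /* an owner touched a freed socket */
}

struct outcome { int warnings; int uses_after_free; bool port_reused; };

/* One deterministic interleaving of the race; `fixed' selects the
 * refcount_inc_not_zero() behaviour of the patched tcp_twsk_unique(). */
static struct outcome run_race(bool fixed)
{
	struct tw_sock tw = { 0 };
	bool port_reused;

	warn_count = 0;
	/* inet_twsk_hashdance(), first half: tw is visible in ehash, refcnt still 0 */
	tw.in_ehash = true;

	/* connect() on another CPU finds tw and tcp_twsk_unique() tries to pin it */
	if (fixed) {
		port_reused = refcount_inc_not_zero(&tw.tw_refcnt);
	} else {
		refcount_inc(&tw.tw_refcnt);    /* old == 0: warns and saturates */
		port_reused = true;
	}

	/* inet_twsk_hashdance(), second half: bhash chain, ehash chain, timer.
	 * This overwrites whatever connect() left in the counter, saturation
	 * value included, so the reference taken above is lost. */
	refcount_set(&tw.tw_refcnt, 3);

	if (port_reused)
		tw_put(&tw);                    /* connect() drops "its" reference */

	for (int owner = 0; owner < 3; owner++) {   /* the legitimate owners */
		tw_use(&tw);
		tw_put(&tw);
	}
	return (struct outcome){ warn_count, tw.uses_after_free, port_reused };
}

int main(void)
{
	struct outcome bad = run_race(false), good = run_race(true);
	printf("vulnerable: warnings=%d uses_after_free=%d port_reused=%d\n",
	       bad.warnings, bad.uses_after_free, bad.port_reused);
	printf("fixed:      warnings=%d uses_after_free=%d port_reused=%d\n",
	       good.warnings, good.uses_after_free, good.port_reused);
	return 0;
}
```

In the unfixed run the increment from zero does fire the "addition on 0" warning, yet the object is still freed while the third owner holds it, because refcount_set() overwrote the saturated value; the saturation mechanism reports the problem but cannot prevent it. With refcount_inc_not_zero() the connect() path sees zero, declines to reuse the port, and the three owners release the socket exactly once.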

References

Accidentally uncovering a seven years old vulnerability in the Linux kernel
https://allelesecurity.com/accidentally-uncovering-a-seven-years-old-vulnerability-in-the-linux-kernel/

CVE-2024-36904 – Use-after-free vulnerability in the TCP subsystem of the Linux kernel due to inet_twsk_hashdance() function inserting the time-wait socket into established hash table before setting its reference counter.
https://github.com/alleleintel/research/tree/master/CVE-2024-36904

tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2db7230f73a80dbb179deab78f88a7947f0ab7e

CVE-2024-36904: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
https://lore.kernel.org/linux-cve-announce/2024053036-CVE-2024-36904-2273@gregkh/T/#u