CVE-2024-40958: netns: Make get_net_ns() handle zero refcount net

Published Jul 12, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

netns: Make getnetns() handle zero refcount net

Syzkaller hit a warning: refcountt: addition on 0; use-after-free. WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcountwarnsaturate+0xdf/0x1d0 Modules linked in: CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:refcountwarnsaturate+0xdf/0x1d0 Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4 R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? showregs+0xa3/0xc0 ? warn+0xa5/0x1c0 ? refcountwarnsaturate+0xdf/0x1d0 ? reportbug+0x1fc/0x2d0 ? refcountwarnsaturate+0xdf/0x1d0 ? handlebug+0xa1/0x110 ? excinvalidop+0x3c/0xb0 ? asmexcinvalidop+0x1f/0x30 ? warnprintk+0xcc/0x140 ? warnprintk+0xd5/0x140 ? refcountwarnsaturate+0xdf/0x1d0 getnetns+0xa4/0xc0 ? pfxgetnetns+0x10/0x10 openrelatedns+0x5a/0x130 tunchrioctl+0x1616/0x2370 ? sanitizercovtraceswitch+0x58/0xa0 ? sanitizercovtraceconstcmp2+0x1c/0x30 ? pfxtunchrioctl+0x10/0x10 tunchrioctl+0x2f/0x40 x64sysioctl+0x11b/0x160 x64syscall+0x1211/0x20d0 dosyscall64+0x9e/0x1d0 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f5b28f165d7 Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8 RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIGRAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003 RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730 R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: kernel: paniconwarn set ...

This is trigger as below: ns0 ns1 tunsetiff() //dev is tun0 tun->dev = dev //ip link set tun0 netns ns1 putnet() //ref is 0 tunchrioctl() //TUNGETDEVNETNS net = devnet(tun->dev); openrelatedns(&net->ns, getnetns); //ns1 getnetns() getnet() //addition on 0

Use maybegetnet() in getnetns in case net's ref is zero to fix this

Other sources

Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in netnamespace.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.

IBM

Affected Software

23 affected componentsFixes available
Linux Linux kernel>=5.2<5.4.279
Linux Linux kernel>=5.5<5.10.221
Linux Linux kernel>=5.11<5.15.162
Linux Linux kernel>=5.16<6.1.96
Linux Linux kernel>=6.2<6.6.36
Linux Linux kernel>=6.7<6.9.7
Linux Linux kernel=6.10-rc1
Linux Linux kernel=6.10-rc2
Linux Linux kernel=6.10-rc3
Linux Linux kernel=6.10-rc4
redhat/kernel<5.4.279
5.4.279
redhat/kernel<5.10.221
5.10.221
redhat/kernel<5.15.162
5.15.162
redhat/kernel<6.1.96
6.1.96
redhat/kernel<6.6.36
6.6.36
redhat/kernel<6.9.7
6.9.7
redhat/kernel<6.10
6.10
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1
debian/linux-6.1
6.1.129-1~deb11u1

Remediation

Patch Available

https://git.kernel.org/stable/c/1b631bffcb2c09551888f3c723f4365c91fe05ef

Patch Available

https://git.kernel.org/stable/c/2b82028a1f5ee3a8e04090776b10c534144ae77b

Patch Available

https://git.kernel.org/stable/c/3a6cd326ead7c8bb1f64486789a01974a9f1ad55

Patch Available

https://git.kernel.org/stable/c/3af28df0d883e8c89a29ac31bc65f9023485743b

Patch Available

https://git.kernel.org/stable/c/cb7f811f638a14590ff98f53c6dd1fb54627d940

Patch Available

https://git.kernel.org/stable/c/ef0394ca25953ea0eddcc82feae1f750451f1876

Patch Available

https://git.kernel.org/stable/c/ff960f9d3edbe08a736b5a224d91a305ccc946b0

Patch Available

https://git.kernel.org/linus/0c3e0e3bb623c3735b8c9ab8aa8332f944f83a9f

Patch Available

https://git.kernel.org/linus/ff960f9d3edbe08a736b5a224d91a305ccc946b0

Event History

Jul 12, 2024
CVE Published
via MITRE·12:32 PM
Data Sourced
via MITRE·12:32 PM
Description
Data Sourced
via NVD·01:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Apr 27, 2025
Data Sourced
via Ubuntu·06:15 PM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-40958?

CVE-2024-40958 has been classified as a high severity vulnerability due to its potential to cause a use-after-free condition in the Linux kernel.

2

How do I fix CVE-2024-40958?

To fix CVE-2024-40958, update the Linux kernel to one of the fixed versions such as 5.4.279, 5.10.221, 5.15.162, 6.1.96, 6.6.36, or later.

3

Which Linux kernel versions are affected by CVE-2024-40958?

CVE-2024-40958 affects multiple Linux kernel versions, primarily those before 5.4.279, 5.10.221, 5.15.162, 6.1.96, and 6.6.36.

4

What impact could CVE-2024-40958 have on my system?

CVE-2024-40958 may lead to instability or crashes in the Linux kernel, potentially allowing unauthorized code execution or denial of service.

5

Is CVE-2024-40958 being actively exploited?

As of the latest reports, there are no confirmed cases of active exploitation specifically targeting CVE-2024-40958.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203