Tuesday, March 18, 2025
HomeCyber Security NewsPoC Exploit Released for Linux Kernel Use-After-Free Vulnerability

PoC Exploit Released for Linux Kernel Use-After-Free Vulnerability

Published on

SIEM as a Service

Follow Us on Google News

A proof-of-concept (PoC) exploit has been released for a use-after-free vulnerability in the Linux kernel, identified as CVE-2024-36904.

This vulnerability is located in the TCP subsystem of the Linux kernel and is caused by the inet_twsk_hashdance() function inserting the time-wait socket into the established hash table before setting its reference counter.

CVE Overview

CVE-2024-36904 affects the Linux kernel by allowing an attacker to exploit a use-after-free condition, which can potentially lead to arbitrary code execution or denial-of-service attacks.

The vulnerability was discovered during an investigation that involved creating a modified kernel with KASAN (Kernel Address Sanitizer) enabled to confirm the presence of a real use-after-free issue.

Affected Systems

The vulnerability was tested on systems running Alma Linux 9 with kernel version 5.14.0-362.24.2.el9_3.x86_64, but it is likely that other versions of the Linux kernel are also affected if they have not been patched.

The vulnerability was fixed in Red Hat Enterprise Linux 9 on kernel version 5.14-427.26.1 as of July 16, 2024.

Proof of Concept (PoC) Code

For those interested in testing the vulnerability, a PoC exploit named CVE-2024-36904-trigger is available.

To test the vulnerability with KASAN enabled, you will need to apply a patch to the kernel and then build it. Here are the steps to apply the patch:

  1. Install necessary packages:
    You will need flex, bison, elfutils-libelf-devel, openssl-devel, bc, perl, and dwarves installed to build the kernel.
  2. Apply the patch:
cd kernels/linux-5.14.0-362.24.1.el9_3/

patch -n1 < ../mdelay_remove_rcu_flag.patch
  1. Build the kernel:
cp ../linux-5.14.0-362.24.1.el9_3-RESEARCH-KASAN/.config .config

make oldconfig

make -j `nproc`

make -j `nproc` modules_install install

Running the Trigger

To run the trigger and observe the KASAN splat when using the modified kernel, execute the following command in a loop:

while true; do ./CVE-2024-36904-trigger; done

This command will continuously execute the trigger, which should cause the KASAN splat to appear in the kernel ring buffer within a short period when using the modified kernel.

CVE-2024-36904 highlights the importance of timely patching and testing of Linux kernel vulnerabilities.

As Linux distributions continue to update their kernels to address such vulnerabilities, ensuring that your system is updated is crucial for maintaining security.

Users and organizations should keep their Linux kernels up-to-date to protect against exploits targeting this and other vulnerabilities.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA...

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files...

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA...

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files...