Cyber Security News

PoC Exploit Released for Linux Kernel Use-After-Free Vulnerability

A proof-of-concept (PoC) exploit has been released for a use-after-free vulnerability in the Linux kernel, identified as CVE-2024-36904.

This vulnerability is located in the TCP subsystem of the Linux kernel and is caused by the inet_twsk_hashdance() function inserting the time-wait socket into the established hash table before setting its reference counter.

CVE Overview

CVE-2024-36904 affects the Linux kernel by allowing an attacker to exploit a use-after-free condition, which can potentially lead to arbitrary code execution or denial-of-service attacks.

The vulnerability was discovered during an investigation that involved creating a modified kernel with KASAN (Kernel Address Sanitizer) enabled to confirm the presence of a real use-after-free issue.

Affected Systems

The vulnerability was tested on systems running Alma Linux 9 with kernel version 5.14.0-362.24.2.el9_3.x86_64, but it is likely that other versions of the Linux kernel are also affected if they have not been patched.

The vulnerability was fixed in Red Hat Enterprise Linux 9 on kernel version 5.14-427.26.1 as of July 16, 2024.

Proof of Concept (PoC) Code

For those interested in testing the vulnerability, a PoC exploit named CVE-2024-36904-trigger is available.

To test the vulnerability with KASAN enabled, you will need to apply a patch to the kernel and then build it. Here are the steps to apply the patch:

  1. Install necessary packages:
    You will need flex, bison, elfutils-libelf-devel, openssl-devel, bc, perl, and dwarves installed to build the kernel.
  2. Apply the patch:
cd kernels/linux-5.14.0-362.24.1.el9_3/

patch -n1 < ../mdelay_remove_rcu_flag.patch
  1. Build the kernel:
cp ../linux-5.14.0-362.24.1.el9_3-RESEARCH-KASAN/.config .config

make oldconfig

make -j `nproc`

make -j `nproc` modules_install install

Running the Trigger

To run the trigger and observe the KASAN splat when using the modified kernel, execute the following command in a loop:

while true; do ./CVE-2024-36904-trigger; done

This command will continuously execute the trigger, which should cause the KASAN splat to appear in the kernel ring buffer within a short period when using the modified kernel.

CVE-2024-36904 highlights the importance of timely patching and testing of Linux kernel vulnerabilities.

As Linux distributions continue to update their kernels to address such vulnerabilities, ensuring that your system is updated is crucial for maintaining security.

Users and organizations should keep their Linux kernels up-to-date to protect against exploits targeting this and other vulnerabilities.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known as…

1 hour ago

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files (.vhd)…

1 hour ago

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by multiple…

2 hours ago

Hackers Use DLL Side-Loading to Deploy Malicious Python Code

A recent discovery by Xavier Mertens, a senior handler at the Internet Storm Center, has…

2 hours ago

Squid Werewolf Mimics Recruiters to Target Job Seekers and Steal Personal Data

In a sophisticated phishing campaign uncovered by the BI.ZONE Threat Intelligence team, the Squid Werewolf…

2 hours ago

DocSwap Malware Masquerades as Security Document Viewer to Attack Android Users Worldwide

The cybersecurity landscape has witnessed a new threat with the emergence of the DocSwap malware,…

2 hours ago