CVE-2024-0646 Overview
CVE-2024-0646 is an out-of-bounds write vulnerability in the Linux kernel's Kernel Transport Layer Security (kTLS) subsystem. The flaw occurs when a local user invokes the splice() system call with a kTLS socket as the destination. Incorrect handling of the data path leads to memory corruption beyond the intended buffer. A local, authenticated attacker can leverage the condition to crash the kernel or escalate privileges to root. The issue affects mainline Linux kernel 6.7 release candidates and Red Hat Enterprise Linux 8 and 9. The vulnerability is tracked under [CWE-787] (Out-of-bounds Write).
Critical Impact
A local attacker with low privileges can trigger kernel memory corruption through splice() on a kTLS socket, leading to denial of service or local privilege escalation to root.
Affected Products
- Linux kernel 6.7 release candidates (rc1 through rc4)
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
Discovery Timeline
- 2024-01-17 - CVE-2024-0646 published to NVD
- 2024-11-25 - Last updated in NVD database
Technical Details for CVE-2024-0646
Vulnerability Analysis
The defect resides in the Linux kernel's kTLS implementation, which offloads TLS record processing into kernel space for performance. When userspace calls splice() to move data from a pipe into a kTLS socket acting as the destination, the kernel writes data outside the bounds of the allocated buffer. The out-of-bounds write corrupts adjacent kernel memory structures. An attacker who controls the source data and call sequencing can shape the corruption to either induce a kernel panic or hijack control flow. Successful exploitation results in full system compromise from an unprivileged local account.
Root Cause
The root cause is incorrect length and boundary tracking in the kTLS send path used by the splice() operation. The kernel did not validate that the spliced data fit within the kTLS record buffer before performing the copy. Upstream maintainers addressed the issue in commit c5a595000e267, which corrects the buffer accounting in the kTLS code.
Attack Vector
Exploitation requires local access and the ability to create sockets and pipes. The attacker creates a TCP socket, upgrades it to kTLS by setting the TLS_TX ULP via setsockopt(), and then calls splice() from a pipe file descriptor into the kTLS socket. Crafted data sizes trigger the out-of-bounds write in kernel memory. No user interaction is required, and the attack can be performed entirely from a shell or local process. See the Red Hat CVE Advisory CVE-2024-0646 and the Linux Kernel Commit c5a595000e267 for technical details.
Detection Methods for CVE-2024-0646
Indicators of Compromise
- Unexpected kernel oops or panic messages in dmesg referencing tls_sw, splice, or tls_sw_sendmsg
- Processes loading the tls kernel module followed by anomalous splice() activity
- Unprivileged processes acquiring root capabilities without an authorized privilege transition
Detection Strategies
- Monitor auditd for setsockopt() calls configuring the TLS upper-layer protocol (TCP_ULP set to tls) followed by splice() system calls from non-service accounts
- Alert on kernel crash signatures and call traces containing kTLS symbols collected via kdump or systemd-coredump
- Correlate sudden privilege changes (UID transitions to 0) with prior socket and pipe activity by the same process
Monitoring Recommendations
- Forward kernel logs and audit records to a centralized analytics platform for behavioral analysis
- Track installed kernel package versions across the fleet and flag hosts running unpatched releases identified in the Red Hat advisories
- Establish baselines for legitimate kTLS usage so anomalous splice() patterns can be triaged quickly
How to Mitigate CVE-2024-0646
Immediate Actions Required
- Apply the kernel updates from the relevant Red Hat Security Advisories, including RHSA-2024:0723, RHSA-2024:0876, and RHSA-2024:1404
- Reboot affected systems after patching to load the corrected kernel
- Audit local user accounts and restrict shell access on multi-tenant or shared hosts
- Review the Debian LTS Announcement June 2024 for Debian-based deployments
Patch Information
The upstream fix is contained in Linux kernel commit c5a595000e267. Red Hat issued multiple errata for Red Hat Enterprise Linux 8 and 9 covering kernel, kernel-rt, and real-time variants. Refer to the Red Hat Bugzilla Report #2253908 and the consolidated list of advisories (RHSA-2024:0723 through RHSA-2024:2094) for build-specific package versions.
Workarounds
- Blacklist the tls kernel module on systems that do not require kTLS by adding blacklist tls to /etc/modprobe.d/ and rebuilding the initramfs
- Restrict local logon and execution privileges using Pluggable Authentication Modules (PAM) and seccomp profiles to limit who can invoke splice() on kTLS sockets
- Enable kernel hardening features such as kernel.unprivileged_userns_clone=0 and kernel.kptr_restrict=2 to raise the bar for local exploitation
# Configuration example: prevent loading the kTLS module on hosts that do not need it
echo 'install tls /bin/false' | sudo tee /etc/modprobe.d/disable-ktls.conf
sudo rmmod tls 2>/dev/null || true
sudo dracut -f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
