CVE-2024-42154 Overview
CVE-2024-42154 is an input validation vulnerability in the Linux kernel's TCP metrics subsystem. The vulnerability exists because the kernel does not properly validate the length of the TCP_METRICS_ATTR_SADDR_IPV4 attribute, which should be at least 4 bytes long. The netlink policy lacks an entry for this attribute entirely, creating a potential security gap. While IPv6 source addresses receive manual validation, the IPv4 counterpart was overlooked, allowing a local attacker to potentially supply malformed data.
Critical Impact
Local attackers with low privileges can exploit missing input validation in the TCP metrics netlink interface to potentially leak or corrupt memory contents.
Affected Products
- Linux Kernel versions prior to patched releases across multiple stable branches
- Linux Kernel 6.10 release candidates (6.10-rc1 through 6.10-rc6)
- Systems running vulnerable kernel versions including Debian and NetApp products
Discovery Timeline
- July 30, 2024 - CVE-2024-42154 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-42154
Vulnerability Analysis
This vulnerability is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions). The flaw resides in the TCP metrics netlink handling code within the Linux kernel. When processing netlink messages related to TCP metrics, the kernel accepts TCP_METRICS_ATTR_SADDR_IPV4 attributes without verifying they contain the expected minimum of 4 bytes for a valid IPv4 address.
The netlink policy configuration, which should enforce attribute constraints, lacks any entry for the IPv4 source address attribute. This oversight means the kernel may process truncated or malformed IPv4 address data, potentially leading to out-of-bounds memory access. Interestingly, the IPv6 source address attribute receives proper manual validation, suggesting this was an oversight rather than an intentional design decision.
Root Cause
The root cause is missing input validation in the netlink attribute policy definition. The tcp_metrics netlink interface defines various attributes for managing TCP connection metrics, but the policy table does not include validation rules for TCP_METRICS_ATTR_SADDR_IPV4. Without explicit length requirements in the policy, the kernel accepts attributes of any length, including those smaller than the 4 bytes required for an IPv4 address.
Attack Vector
Exploitation requires local access to the system with the ability to send netlink messages to the TCP metrics interface. An attacker could craft malicious netlink messages containing undersized TCP_METRICS_ATTR_SADDR_IPV4 attributes. When the kernel processes these messages and attempts to read the expected 4 bytes, it may read beyond the provided buffer boundaries, potentially disclosing kernel memory contents or causing memory corruption.
The attack requires low privileges and no user interaction. The local attack vector limits the exposure compared to remotely exploitable vulnerabilities, but systems with untrusted local users or containerized environments with shared kernel namespaces may be at heightened risk.
Detection Methods for CVE-2024-42154
Indicators of Compromise
- Unexpected kernel log messages related to TCP metrics or netlink processing errors
- Anomalous netlink traffic patterns targeting the TCP metrics subsystem
- System instability or crashes potentially linked to memory corruption in kernel space
Detection Strategies
- Monitor for processes sending netlink messages to the TCP metrics interface, particularly from non-privileged or unusual sources
- Implement kernel auditing to track netlink socket creation and message sending activities
- Deploy endpoint detection solutions capable of monitoring kernel-level network subsystem interactions
Monitoring Recommendations
- Enable kernel auditing (auditd) with rules targeting netlink socket operations
- Review system logs for kernel warnings or errors in the tcp_metrics module
- Consider using SentinelOne's kernel-level visibility to detect anomalous behavior patterns associated with netlink exploitation attempts
How to Mitigate CVE-2024-42154
Immediate Actions Required
- Update the Linux kernel to a patched version as soon as possible
- Review systems for signs of exploitation, particularly on multi-user systems or container hosts
- Consider restricting access to netlink interfaces for unprivileged users where operationally feasible
- Monitor vendor security advisories from Debian, NetApp, and other affected distributions
Patch Information
Multiple patches have been released across Linux kernel stable branches. The fix adds proper validation to ensure TCP_METRICS_ATTR_SADDR_IPV4 attributes are at least 4 bytes long before processing. Key patch commits include:
- Patch commit 66be40e622e1
- Patch commit cdffc358717e
- Patch commit 31f03bb04146
Affected distributions have released updates: see the Debian LTS Announcement and NetApp Security Advisory for distribution-specific guidance.
Workarounds
- Restrict netlink socket access using kernel configuration options or security modules (SELinux/AppArmor) if patching is not immediately possible
- Limit local user access on affected systems until patches can be applied
- Consider network namespace isolation for untrusted workloads to reduce the attack surface
# Example: Verify current kernel version and check for patches
uname -r
# Review kernel changelog for tcp_metrics fixes
zgrep -i "tcp_metrics" /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz 2>/dev/null || echo "Check vendor documentation for patch status"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
