CVE-2024-42154 Overview
CVE-2024-42154 is a Linux kernel vulnerability in the tcp_metrics netlink interface. The kernel fails to validate that the TCP_METRICS_ATTR_SADDR_IPV4 netlink attribute is at least 4 bytes long. The netlink policy lacks an entry for this attribute, and unlike the IPv6 path, no manual validation occurs. A local user with the ability to send netlink messages can trigger an out-of-bounds read in kernel memory. The flaw is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions). It affects Linux kernel versions up to 6.10-rc6 prior to the corresponding stable patches.
Critical Impact
A local, low-privileged user can supply a malformed netlink attribute to read out-of-bounds kernel memory or destabilize the TCP metrics subsystem.
Affected Products
- Linux Kernel (multiple stable branches prior to fixes referenced in 19d997b, 2a2e79d, 31f03bb, 3d550dd, 66be40e, 8c2debdd, cdffc35, ef7c428)
- Linux Kernel 6.10 release candidates rc1 through rc6
- Downstream distributions including Debian (LTS advisory January 2025) and NetApp products (advisory NTAP-20240828-0010)
Discovery Timeline
- 2024-07-30 - CVE-2024-42154 published to NVD
- 2024-09-24 - Public discussion on the Openwall oss-security mailing list
- 2025-01 - Debian LTS issues an updated kernel advisory
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-42154
Vulnerability Analysis
The Linux kernel exposes TCP metrics through a generic netlink family. Userspace clients send attributes such as TCP_METRICS_ATTR_SADDR_IPV4 to identify metrics by source address. The kernel parses these attributes using a netlink policy that defines expected types and lengths. The policy for the TCP metrics family does not declare a length constraint for the IPv4 source address attribute. The IPv6 equivalent is validated manually in code, but the IPv4 path is not.
When the handler reads the attribute as a 32-bit IPv4 address, it assumes 4 bytes are present. A shorter attribute payload causes the kernel to read beyond the supplied buffer. This results in an out-of-bounds read inside the netlink message buffer in kernel space.
Root Cause
The root cause is a missing length check in the netlink attribute policy for TCP_METRICS_ATTR_SADDR_IPV4. The handler trusts the attribute length without verification. This is a CWE-754 improper-check condition: exceptional input is not handled before being used in pointer arithmetic and value extraction.
Attack Vector
Exploitation requires local access and the ability to open a generic netlink socket to the TCP metrics family, which typically requires CAP_NET_ADMIN. An attacker constructs a malformed netlink message containing a TCP_METRICS_ATTR_SADDR_IPV4 attribute shorter than 4 bytes and sends it to the kernel. The kernel proceeds to dereference the truncated attribute, leaking adjacent memory contents into subsequent comparisons or causing aberrant behavior in the metrics lookup logic. The patches add an explicit length entry to the netlink policy, so undersized attributes are rejected before reaching the handler.
// No verified public exploit code is available for CVE-2024-42154.
// Refer to the upstream patches for the corrected netlink policy:
// https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321
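As an added illustration, not kernel code and not taken from the patches, the following userland C mirror of netlink attribute validation shows why the missing policy entry matters: with the pre-fix policy a 2-byte TCP_METRICS_ATTR_SADDR_IPV4 payload passes validation and the handler's 4-byte read runs past it, while the post-fix NLA_U32 entry rejects it up front. The attribute numbering, the minimum-length rule for NLA_U32, and the little-endian sample bytes are simplifying assumptions modelled on the kernel's behaviour.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Userland mirror of the kernel's netlink attribute header: 4-byte header, then payload. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN 4
/* Attribute ids; the numeric values are assumed to mirror include/uapi/linux/tcp_metrics.h. */
enum { TM_ATTR_ADDR_IPV4 = 1, TM_ATTR_SADDR_IPV4 = 11, TM_ATTR_MAX = 13 };
/* The two policy types needed here: NLA_UNSPEC accepts any length, NLA_U32 needs >= 4 bytes. */
enum { NLA_UNSPEC = 0, NLA_U32 };
struct nla_policy { int type; };
/* Before the fix: no entry for SADDR_IPV4, so it silently defaults to NLA_UNSPEC. */
static const struct nla_policy policy_before[TM_ATTR_MAX + 1] = {
    [TM_ATTR_ADDR_IPV4] = { NLA_U32 },
};
/* After the fix: SADDR_IPV4 is declared NLA_U32, so undersized payloads are rejected. */
static const struct nla_policy policy_after[TM_ATTR_MAX + 1] = {
    [TM_ATTR_ADDR_IPV4]  = { NLA_U32 },
    [TM_ATTR_SADDR_IPV4] = { NLA_U32 },
};
/* Simplified validate_nla(): only the minimum-length check the kernel applies in non-strict mode. */
static int validate_nla(const struct nlattr *nla, const struct nla_policy *policy)
{
    if (nla->nla_len < NLA_HDRLEN || nla->nla_type > TM_ATTR_MAX)
        return -EINVAL;
    if (policy[nla->nla_type].type == NLA_U32 && nla->nla_len - NLA_HDRLEN < sizeof(uint32_t))
        return -EINVAL;
    return 0; /* NLA_UNSPEC: any length passes */
}
/* Models the handler reading SADDR_IPV4 as a 32-bit address after policy validation: 0 with the
 * address on an in-bounds read, -EINVAL if rejected, -EOVERFLOW plus the number of bytes a 4-byte
 * read would touch beyond the payload (what the unpatched kernel actually reads). */
static int lookup_saddr(const struct nlattr *nla, const struct nla_policy *policy,
                        uint32_t *addr, size_t *overread)
{
    int err = validate_nla(nla, policy);
    if (err) return err;
    size_t payload = nla->nla_len - NLA_HDRLEN;
    if (payload < sizeof(uint32_t)) { /* the over-read is reported here instead of performed */
        *overread = sizeof(uint32_t) - payload;
        return -EOVERFLOW;
    }
    memcpy(addr, (const unsigned char *)nla + NLA_HDRLEN, sizeof(uint32_t));
    return 0;
}
/* Constructed samples (little-endian host assumed): SADDR_IPV4 with a 2-byte payload (nla_len 6),
 * and the same attribute with a full 4-byte payload carrying 10.0.0.1 in network byte order. */
static _Alignas(4) const unsigned char truncated_msg[8]  = { 6, 0, 11, 0, 0x0a, 0x00, 0xde, 0xad };
static _Alignas(4) const unsigned char wellformed_msg[8] = { 8, 0, 11, 0, 0x0a, 0x00, 0x00, 0x01 };
```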
Detection Methods for CVE-2024-42154
Indicators of Compromise
- Unexpected processes opening AF_NETLINK sockets bound to the tcp_metrics generic netlink family
- Kernel log warnings or KASAN reports referencing tcp_metrics_nl_cmd_get or tcp_metrics_fill_info on unpatched kernels
- Local accounts holding CAP_NET_ADMIN performing TCP metrics queries outside of normal administrative workflows
Detection Strategies
- Audit running kernel version against the fixed commits (19d997b, ef7c428, cdffc35, 66be40e, 8c2debdd, 31f03bb, 2a2e79d, 3d550dd) to flag exposed hosts
- Use auditd rules to record socket() calls with AF_NETLINK and subsequent sendmsg activity referencing GENL_ID_CTRL lookups for tcp_metrics
- Correlate netlink activity from non-administrative service accounts with kernel oops or KASAN events in the same window
Monitoring Recommendations
- Forward kernel ring buffer (dmesg) and journald kernel logs into a central analytics platform for retroactive search
- Monitor capability grants (CAP_NET_ADMIN) on production hosts and alert on changes
- Track package versions for the kernel across the fleet and alert when hosts drift below the patched baseline
How to Mitigate CVE-2024-42154
Immediate Actions Required
- Apply vendor kernel updates that include the upstream fix, such as the Debian LTS January 2025 advisory and NetApp advisory NTAP-20240828-0010
- Reboot systems after kernel package upgrades to load the patched image
- Restrict CAP_NET_ADMIN to required administrative accounts and remove it from general-purpose service users
Patch Information
The upstream fix adds a netlink policy entry enforcing the correct length for TCP_METRICS_ATTR_SADDR_IPV4. Stable backports are available at the following commits:
- Kernel Git Patch 19d997b
- Kernel Git Patch 2a2e79d
- Kernel Git Patch 31f03bb
- Kernel Git Patch 3d550dd
- Kernel Git Patch 66be40e
- Kernel Git Patch 8c2debdd
- Kernel Git Patch cdffc35
- Kernel Git Patch ef7c428
See also the Debian LTS Announcement 2025-01 and NetApp Security Advisory NTAP-20240828-0010.
Workarounds
- Block unprivileged access to the TCP metrics generic netlink family by limiting CAP_NET_ADMIN assignments
- Use namespacing and seccomp policies in container workloads to disallow AF_NETLINK sockets using the NETLINK_GENERIC protocol where they are not required
- Where patching is delayed, drop the tcp_metrics interface from operational tooling and rely on alternative diagnostic paths
# Show the running kernel version and compare it against your distribution's advisory;
# uname alone does not prove the fix is present, the package version must match the patched baseline
uname -r
# Drop CAP_NET_ADMIN from a service unit with a systemd drop-in (replace <service> with the unit name)
mkdir -p /etc/systemd/system/<service>.d
cat > /etc/systemd/system/<service>.d/override.conf <<'EOF'
[Service]
CapabilityBoundingSet=~CAP_NET_ADMIN
AmbientCapabilities=
EOF
systemctl daemon-reload && systemctl restart <service>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

