CVE-2024-44974 Overview
CVE-2024-44974 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Multipath TCP (MPTCP) path manager. The flaw resides in the select_local_address() and select_signal_address() functions, which select endpoint entries from a list inside a Read-Copy-Update (RCU) protected section but return references for later use. Dereferencing these entries after the RCU unlock can trigger a use-after-free condition. The vulnerability affects multiple Linux kernel versions and Debian Linux 11. A local authenticated attacker can exploit this flaw to compromise kernel memory integrity, confidentiality, and availability.
Critical Impact
Local attackers with low privileges can trigger a use-after-free in the MPTCP path manager, potentially leading to kernel memory corruption, privilege escalation, or denial of service.
Affected Products
- Linux Kernel (multiple versions through 6.11-rc4)
- Debian Linux 11.0
- Linux Kernel 6.11 release candidates (rc1, rc2, rc3, rc4)
Discovery Timeline
- 2024-09-04 - CVE-2024-44974 published to NVD
- 2024-10 - Debian LTS advisory released (Debian LTS Announcement)
- 2025-01 - Additional Debian LTS advisory released (Debian LTS Announcement)
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2024-44974
Vulnerability Analysis
The vulnerability exists in the MPTCP path manager subsystem of the Linux kernel. MPTCP (Multipath TCP) allows a single TCP connection to use multiple network paths simultaneously. The path manager maintains a list of endpoint addresses that can be used for additional subflows.
The functions select_local_address() and select_signal_address() iterate over the endpoint list within an RCU read-side critical section. RCU is a synchronization mechanism that allows lock-free reads while ensuring safe memory reclamation. However, both functions return a pointer to a selected entry after exiting the RCU-protected section.
Once the RCU read lock is released, the selected entry can be freed by a concurrent writer. Subsequent dereferences of the returned pointer to read endpoint information result in a use-after-free condition. This violates RCU's contract, which requires that referenced objects only be accessed within the RCU critical section.
Root Cause
The root cause is improper lifetime management of RCU-protected objects [CWE-416]. The endpoint entries are protected by RCU semantics inside the selection functions, but the returned pointer is consumed outside the protected region. No reference counting or copying occurs to extend the object's lifetime, leaving the caller exposed to a freed memory access if the entry is removed concurrently.
Attack Vector
Exploitation requires local access with low privileges. An attacker must trigger MPTCP endpoint operations while concurrently removing endpoints to win the race between the selection functions and the endpoint deletion path. Successful exploitation can corrupt kernel memory, leading to denial of service or potential privilege escalation through controlled freed-object reuse.
The upstream fix copies the required endpoint information while still inside the RCU-protected section, eliminating the post-unlock dereference. The address ID is also copied to support later modification for the ID0 case. See the kernel commit references such as Linux kernel commit f2c865e9e3ca for the patch details.
Detection Methods for CVE-2024-44974
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing select_local_address or select_signal_address in dmesg output
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in the net/mptcp/pm_netlink.c code path
- Abnormal MPTCP subflow creation patterns followed by kernel instability
- Unexplained system crashes on hosts with MPTCP enabled and active endpoint reconfiguration
Detection Strategies
- Audit installed kernel versions against fixed versions listed in the Linux stable tree commit references
- Enable KASAN on test systems to identify the use-after-free condition during fuzzing or regression testing
- Monitor /proc/version and package manager logs to confirm patched kernel deployment across the fleet
- Review MPTCP usage via ip mptcp endpoint show to identify hosts where the feature is active
Monitoring Recommendations
- Collect and centralize kernel ring buffer messages (dmesg) for analysis of crashes referencing MPTCP symbols
- Track endpoint manipulation events through netlink auditing where supported
- Alert on unexpected reboots or kernel panics on systems running MPTCP workloads
How to Mitigate CVE-2024-44974
Immediate Actions Required
- Apply the patched kernel from your Linux distribution vendor as soon as available
- For Debian 11 systems, update to the kernel version specified in the Debian LTS Announcement
- Inventory all systems running affected kernel versions, prioritizing those with MPTCP enabled
- Restrict local user access on systems that cannot be patched immediately
Patch Information
The vulnerability is fixed in the Linux stable tree across multiple branches. Refer to the upstream commits: 0201d65d9806, 2b4f46f95036, 48e50dcbcbaa, 9a9afbbc3fbf, ddee5b4b6a1c, and f2c865e9e3ca. The fix copies endpoint information inside the RCU-protected section rather than returning a reference.
Workarounds
- Disable MPTCP if it is not required for production workloads by setting net.mptcp.enabled=0 via sysctl
- Limit local user accounts and enforce strict privilege boundaries to reduce the attack surface
- Remove or restrict MPTCP endpoint configuration capabilities for unprivileged users
# Disable MPTCP system-wide if not required
sudo sysctl -w net.mptcp.enabled=0
echo "net.mptcp.enabled=0" | sudo tee -a /etc/sysctl.conf
# Verify current kernel version against patched releases
uname -r
# Debian: apply security updates
sudo apt update && sudo apt upgrade linux-image-$(uname -r | sed 's/.*-//')
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
