CVE-2024-44974 Overview
CVE-2024-44974 is a Use-After-Free vulnerability discovered in the Linux kernel's Multipath TCP (MPTCP) path manager implementation. The vulnerability exists in the select_local_address() and select_signal_address() functions, which select an endpoint entry from a list within an RCU (Read-Copy-Update) protected section but return a reference to be read later. If the entry is dereferenced after the RCU unlock, reading the information could trigger a Use-After-Free condition.
Critical Impact
Local attackers with low privileges can exploit this vulnerability to potentially achieve code execution, data corruption, or cause system instability through memory corruption in the kernel's MPTCP subsystem.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 6.11-rc1 through 6.11-rc4
- Debian-based distributions using vulnerable kernel versions
Discovery Timeline
- September 4, 2024 - CVE-2024-44974 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-44974
Vulnerability Analysis
This Use-After-Free vulnerability occurs in the MPTCP (Multipath TCP) path manager component of the Linux kernel. The core issue lies in how the select_local_address() and select_signal_address() functions handle endpoint entries during the address selection process.
RCU (Read-Copy-Update) is a synchronization mechanism in the Linux kernel designed for read-mostly scenarios. When these functions select an endpoint entry from the list, they do so within an RCU-protected critical section. However, the functions return a reference to the selected entry, which may be accessed after the RCU read lock has been released. This creates a race condition where the referenced memory could be freed by another thread before it is accessed, resulting in a Use-After-Free condition.
The vulnerability affects systems using MPTCP, a protocol extension that enables the use of multiple paths for a single TCP connection. Exploitation could lead to information disclosure, privilege escalation, or denial of service depending on how the freed memory is reallocated and what data is written to it.
Root Cause
The root cause is improper memory management in the MPTCP path manager's endpoint selection logic. The RCU protection only guarantees safe access to the list during traversal within the critical section. Once the RCU read lock is released via rcu_read_unlock(), any pointer to list elements becomes unsafe because the memory could be reclaimed by the kernel.
The fix involves copying the required endpoint information while still inside the RCU-protected section, ensuring that no stale pointers are dereferenced after the lock is released. This approach is particularly suitable because the address ID may need modification to handle the ID0 case, making a copy the appropriate solution.
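To make the pattern concrete, here is a user-space model of the buggy and the fixed selection shapes (added illustration, not the kernel's code and not from this page): rcu_read_lock()/rcu_read_unlock() are no-op stand-ins, and struct pm_addr_entry, FLAG_SUBFLOW and the helper names are constructed simplifications of the kernel's mptcp_pm_addr_entry and endpoint list.

```c
#include <stdbool.h>
#include <stdlib.h>
#define FLAG_SUBFLOW 0x02                 /* constructed flag value for this model */
struct pm_addr_entry {                    /* simplified stand-in for mptcp_pm_addr_entry */
    struct pm_addr_entry *next;
    unsigned int id, flags, addr;         /* addr: IPv4 as a host-order integer */
};
static struct pm_addr_entry *endp_list;   /* head of the path manager's endpoint list */
static void rcu_read_lock(void) {} static void rcu_read_unlock(void) {} /* no-op stand-ins */
void add_endpoint(unsigned int id, unsigned int flags, unsigned int addr)
{
    struct pm_addr_entry *e = malloc(sizeof *e); if (!e) abort();
    e->id = id; e->flags = flags; e->addr = addr; e->next = endp_list; endp_list = e;
}
/* Unlink and free an entry (in the kernel the free follows an RCU grace period). */
void remove_endpoint(unsigned int id)
{
    for (struct pm_addr_entry **pp = &endp_list; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) { struct pm_addr_entry *e = *pp; *pp = e->next; free(e); return; }
}
/* Buggy shape: the pointer escapes the read side and is stale once remove_endpoint() runs. */
struct pm_addr_entry *select_local_address_buggy(unsigned int flag)
{
    struct pm_addr_entry *e, *ret = NULL;
    rcu_read_lock();
    for (e = endp_list; e; e = e->next)
        if (e->flags & flag) { ret = e; break; }
    rcu_read_unlock();
    return ret;
}
/* Fixed shape: copy into caller-owned storage while still protected; out->id may then be rewritten (ID0). */
bool select_local_address_fixed(unsigned int flag, struct pm_addr_entry *out)
{
    bool found = false;
    rcu_read_lock();
    for (struct pm_addr_entry *e = endp_list; e; e = e->next)
        if (e->flags & flag) { *out = *e; out->next = NULL; found = true; break; }
    rcu_read_unlock();
    return found;
}
/* Select, then race an endpoint removal, then read: the copy is still valid. */
unsigned int select_then_remove(void)
{
    struct pm_addr_entry out;
    add_endpoint(1, 0, 0x0a000001); add_endpoint(2, FLAG_SUBFLOW, 0x0a000002);
    if (!select_local_address_fixed(FLAG_SUBFLOW, &out)) return 0;
    remove_endpoint(out.id);              /* list entry freed; 'out' is unaffected */
    out.id = 0;                           /* ID0 rewrite touches only the copy */
    return out.addr;                      /* 0x0a000002 */
}
```

With the buggy shape the same sequence would dereference a freed list entry after remove_endpoint(); with the fixed shape the caller only ever touches its own copy.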
Attack Vector
The attack requires local access with low privileges. An attacker would need to trigger the MPTCP path manager's address selection functions and time their attack to cause the endpoint entry to be freed while a stale reference still exists. This could be accomplished by:
- Establishing an MPTCP connection to trigger endpoint selection
- Racing endpoint removal operations against the selection functions
- Manipulating the timing to cause a dereference of freed memory
- Potentially controlling the contents of the reallocated memory to achieve code execution
The vulnerability exploitation requires precise timing and understanding of kernel memory allocation patterns, but successful exploitation could result in kernel-level code execution.
Detection Methods for CVE-2024-44974
Indicators of Compromise
- Unexpected kernel crashes or panics with stack traces referencing mptcp_pm_nl_get_local_id, select_local_address, or select_signal_address functions
- KASAN (Kernel Address Sanitizer) reports indicating Use-After-Free in MPTCP-related code paths
- Unusual MPTCP connection behavior or connection failures accompanied by kernel log errors
- Memory corruption symptoms in systems actively using Multipath TCP
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test systems to detect Use-After-Free conditions in kernel memory operations
- Monitor kernel logs (dmesg, /var/log/kern.log) for MPTCP-related error messages or memory violation warnings
- Implement kernel tracing using ftrace or eBPF to monitor MPTCP path manager function calls
- Deploy endpoint detection solutions capable of identifying kernel-level memory corruption attempts
Monitoring Recommendations
- Configure syslog aggregation to centralize kernel error messages from all Linux servers
- Set up alerts for kernel oops or panic events, particularly those involving network subsystem components
- Monitor MPTCP connection statistics and watch for anomalies in multipath connection handling
- Use SentinelOne's Linux agent capabilities to detect suspicious kernel behavior and potential exploitation attempts
How to Mitigate CVE-2024-44974
Immediate Actions Required
- Apply the latest kernel security patches from your distribution vendor immediately
- If patching is not immediately possible, consider disabling MPTCP on affected systems using sysctl net.mptcp.enabled=0
- Review and prioritize patching for systems that actively use Multipath TCP functionality
- Monitor affected systems for signs of exploitation until patches can be applied
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix copies the required endpoint information while inside the RCU-protected section to prevent any Use-After-Free issues. Patches are available through the following commits:
Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Disable MPTCP on systems where it is not required by setting net.mptcp.enabled=0 via sysctl
- Implement network segmentation to limit local access to critical systems running vulnerable kernels
- Use mandatory access control systems (SELinux, AppArmor) to restrict which processes can interact with MPTCP sockets
- Monitor for unusual MPTCP activity while awaiting patch deployment
# Disable MPTCP as a temporary workaround
echo 0 | sudo tee /proc/sys/net/mptcp/enabled
# Make the change persistent across reboots
echo "net.mptcp.enabled = 0" | sudo tee -a /etc/sysctl.d/99-disable-mptcp.conf
sudo sysctl --system
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.