CVE-2024-45063 Overview
CVE-2024-45063 is a kernel use-after-free vulnerability [CWE-416] in the FreeBSD CAM Target Layer (CTL) subsystem. The ctl_write_buffer function incorrectly sets a flag, causing memory to be freed while still referenced after a command finishes processing. Attackers can exploit this flaw through two distinct paths. Malicious software in a guest VM exposing virtio_scsi can achieve code execution in the host bhyve userspace process, which typically runs as root within a Capsicum sandbox. A malicious Internet Small Computer Systems Interface (iSCSI) initiator can also achieve remote code execution on the iSCSI target host.
Critical Impact
Guest-to-host escape via virtio_scsi and remote code execution on iSCSI targets, both leading to high-privilege compromise of the host system.
Affected Products
- FreeBSD 13.3 and patch levels p1 through p5
- FreeBSD 14.0 (including betas, release candidates, and p1 through p9)
- FreeBSD 14.1 and patch levels p1 through p3
Discovery Timeline
- 2024-09-05 - CVE-2024-45063 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-45063
Vulnerability Analysis
The defect resides in the FreeBSD CAM Target Layer, the kernel subsystem that implements SCSI target functionality used by both bhyve virtual machines and the ctld iSCSI target daemon. The ctl_write_buffer function incorrectly manages a state flag tied to command completion. When a SCSI command finishes processing, the kernel releases buffer memory that remains reachable through dangling references, producing a classic use-after-free condition.
An attacker who controls SCSI command issuance can shape allocator state to place attacker-controlled data into the freed region. Subsequent dereferences of the stale pointer permit corruption of kernel or host process memory and ultimately code execution.
Root Cause
The root cause is incorrect flag handling inside ctl_write_buffer that desynchronizes the lifetime of a command buffer from the references the CTL state machine retains. The buffer is freed while consumers still operate on it, satisfying the conditions for [CWE-416] Use After Free.
Attack Vector
Two realistic exploitation paths exist. First, malicious code inside a guest VM connected to a virtio_scsi device issues crafted SCSI commands to trigger the free, then races to reclaim the slab and achieve code execution in the host bhyve process. Because bhyve runs inside a Capsicum sandbox, post-exploitation is limited to capabilities granted to that process, but bhyve typically runs as root. Second, a remote iSCSI initiator that can connect to a vulnerable ctld target sends crafted SCSI WRITE BUFFER commands to trigger the same condition against the target host kernel or daemon. See the FreeBSD Security Advisory SA-24:11 for technical details.
Detection Methods for CVE-2024-45063
Indicators of Compromise
- Unexpected crashes or panics in the FreeBSD kernel referencing the CTL subsystem or ctl_write_buffer.
- Anomalous bhyve process termination, restart loops, or core dumps on hosts running guest VMs with virtio_scsi.
- Unauthenticated or unusual iSCSI initiator sessions issuing repeated WRITE BUFFER SCSI commands to ctld.
Detection Strategies
- Monitor kernel logs (/var/log/messages, dmesg) for CTL-related warnings, page faults, or use-after-free signatures.
- Inspect bhyve process telemetry for abnormal child behavior, memory growth, or unexpected syscall patterns inside the Capsicum sandbox.
- Audit iSCSI target logs for initiators issuing high volumes of SCSI WRITE BUFFER opcodes or malformed CDBs.
Monitoring Recommendations
- Centralize FreeBSD kernel and ctld logs and alert on repeated CTL errors or panic strings.
- Track bhyve process integrity on hypervisor hosts and correlate restarts with guest VM activity.
- Apply network controls to restrict iSCSI target exposure to trusted initiator IP ranges only.
How to Mitigate CVE-2024-45063
Immediate Actions Required
- Apply the patches from FreeBSD Security Advisory SA-24:11 to all affected 13.3, 14.0, and 14.1 systems.
- Identify all hosts running bhyve with virtio_scsi exposed to untrusted guests and prioritize them for patching.
- Inventory iSCSI targets reachable from untrusted networks and patch them before any other remediation.
- Restart bhyve virtual machines and the ctld daemon after applying the kernel update.
Patch Information
FreeBSD has released kernel patches in advisory SA-24:11.ctl. Upgrade to a patched release or apply the binary patch using freebsd-update fetch && freebsd-update install followed by a reboot. NetApp products that embed FreeBSD components are tracked in the NetApp Security Advisory NTAP-20240920-0010.
Workarounds
- Avoid exposing virtio_scsi to untrusted guest VMs; switch to alternative storage backends where feasible.
- Restrict iSCSI target reachability with firewall rules and require CHAP authentication on ctld.
- Disable the ctld service on hosts that do not require iSCSI target functionality.
# Apply FreeBSD binary update for SA-24:11
freebsd-update fetch
freebsd-update install
shutdown -r now
# Verify ctld is disabled where not required
service ctld onestatus
sysrc ctld_enable="NO"
service ctld stop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

