CVE-2024-46858 Overview
CVE-2024-46858 is a use-after-free (UAF) vulnerability in the Linux kernel's Multipath TCP (MPTCP) path manager subsystem. The vulnerability exists in the mptcp_pm_del_add_timer function, where a race condition between two concurrent execution paths can lead to accessing memory that has already been freed. This occurs when one CPU frees an entry structure while another CPU is still attempting to access it during timer deletion synchronization.
Critical Impact
Local attackers with low privileges can potentially achieve code execution, information disclosure, or system crashes by exploiting this race condition in the MPTCP path manager, compromising system confidentiality, integrity, and availability.
Affected Products
- Linux Kernel versions 5.10.x before 5.10.227
- Linux Kernel versions 5.15.x before 5.15.168
- Linux Kernel versions 6.1.x before 6.1.111
- Linux Kernel 6.11 release candidates (rc1 through rc7)
Discovery Timeline
- September 27, 2024 - CVE-2024-46858 published to NVD
- December 24, 2025 - Last updated in NVD database
Technical Details for CVE-2024-46858
Vulnerability Analysis
The vulnerability is classified as CWE-416 (Use After Free), which occurs when a program continues to use memory after it has been freed. In this case, the MPTCP path manager's mptcp_pm_del_add_timer function can be accessed through two separate execution paths simultaneously, creating a dangerous race condition.
The first path originates from network receive operations (net_rx_action → napi_poll → tcp_v4_rcv → mptcp_incoming_options → mptcp_pm_del_add_timer), while the second path comes from netlink message processing (netlink_sendmsg → genl_rcv_msg → mptcp_pm_nl_flush_addrs_doit → remove_anno_list_by_saddr → mptcp_pm_del_add_timer).
The core issue is that remove_anno_list_by_saddr, running on CPU2, releases the entry via kfree(entry) after leaving the critical section protected by pm.lock. CPU1, however, may still be executing mptcp_pm_del_add_timer and accessing members of that already-freed entry structure.
Root Cause
The root cause is improper synchronization in accessing shared data structures within the MPTCP path manager. The pm.lock spinlock provides protection within a critical section, but the code was accessing the entry's add_timer member after releasing the lock, creating a window where another thread could free the entry. This represents a classic time-of-check time-of-use (TOCTOU) pattern combined with inadequate reference management for the timer object.
Attack Vector
This vulnerability requires local access to the system with low privileges. An attacker would need the ability to trigger network activity and netlink message processing simultaneously to exploit the race condition. While the attack complexity is high due to the timing requirements of the race condition, successful exploitation could lead to:
- Arbitrary code execution by manipulating the freed memory contents
- Information disclosure by reading data from reallocated memory
- Denial of service through kernel crashes caused by accessing invalid memory
The attack surface is the MPTCP subsystem, which is typically enabled on systems configured for multipath TCP networking. The vulnerability does not require user interaction and operates entirely within kernel space.
Detection Methods for CVE-2024-46858
Indicators of Compromise
- Unexpected kernel panics or oops messages referencing mptcp_pm_del_add_timer or __timer_delete_sync functions
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free conditions in MPTCP-related code paths
- Unusual MPTCP connection behavior or unexpected netlink activity patterns
Detection Strategies
- Enable kernel memory debugging features such as KASAN to detect use-after-free conditions at runtime
- Monitor kernel logs for stack traces involving MPTCP path manager functions, particularly mptcp_pm_del_add_timer
- Deploy SentinelOne Singularity Platform to monitor for anomalous kernel behavior and memory access patterns
Monitoring Recommendations
- Implement continuous kernel log monitoring for MPTCP-related error messages and warnings
- Use eBPF-based tracing to monitor MPTCP subsystem function calls and detect anomalous patterns
- Enable audit logging for netlink socket operations to track potential exploitation attempts
How to Mitigate CVE-2024-46858
Immediate Actions Required
- Update to patched kernel versions immediately: 5.10.227+, 5.15.168+, 6.1.111+, or 6.6.52+
- If immediate patching is not possible, consider disabling MPTCP functionality until updates can be applied
- Review systems for any signs of exploitation before and after applying patches
Patch Information
The vulnerability has been addressed in multiple stable kernel branches. The fix involves keeping a reference to add_timer inside the lock and calling sk_stop_timer_sync() with this reference instead of accessing entry->add_timer directly. Additionally, list_del(&entry->list) has been moved inside the pm lock to prevent direct access to any members of the entry outside the lock.
Patches are available through the following kernel commits:
Debian users should refer to the Debian LTS announcements for distribution-specific updates.
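The locking shape described under Root Cause and Patch Information, as an added userspace model (not kernel code): a vulnerable del_add_timer that drops pm.lock while the entry is still linked and then dereferences entry->add_timer, beside a hardened one that takes the timer reference and unlinks under the lock. The list, lock and timer types are simplified stand-ins, and flush_path_state is a test harness of my own, not a kernel function.

```c
/* Added userspace model of the locking shape behind CVE-2024-46858; it is not
 * kernel code, and the list, lock and timer are simplified stand-ins. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
struct timer_list { bool pending; };
struct add_entry { struct add_entry *next; int addr; struct timer_list add_timer; };
struct pm { pthread_mutex_t lock; struct add_entry *anno_list; };

static struct add_entry *lookup_anno(struct pm *pm, int addr) {
	for (struct add_entry *e = pm->anno_list; e; e = e->next)
		if (e->addr == addr) return e;
	return NULL;
}
static void list_del(struct pm *pm, struct add_entry *entry) {
	for (struct add_entry **pp = &pm->anno_list; *pp; pp = &(*pp)->next)
		if (*pp == entry) { *pp = entry->next; return; }
}
/* Vulnerable shape: the lock is dropped while the entry is still linked, then
 * entry->add_timer is dereferenced. A second CPU that looks the entry up and
 * frees it inside that window produces the use-after-free. */
static struct add_entry *del_add_timer_vuln(struct pm *pm, int addr) {
	pthread_mutex_lock(&pm->lock);
	struct add_entry *entry = lookup_anno(pm, addr);
	pthread_mutex_unlock(&pm->lock);
	if (entry) entry->add_timer.pending = false; /* stands in for sk_stop_timer_sync() */
	return entry;                                /* caller unlinks and frees it, unlocked */
}
/* Fixed shape as the advisory describes it: take the timer reference and, on the
 * flush path, unlink the entry under pm.lock; only the saved pointer is used after. */
static struct add_entry *del_add_timer_fixed(struct pm *pm, int addr, bool unlink) {
	struct timer_list *add_timer = NULL;
	pthread_mutex_lock(&pm->lock);
	struct add_entry *entry = lookup_anno(pm, addr);
	if (entry) {
		add_timer = &entry->add_timer;
		if (unlink) list_del(pm, entry);
	}
	pthread_mutex_unlock(&pm->lock);
	if (add_timer) add_timer->pending = false;
	return entry;
}
/* Test harness: runs the flush path once on a one-entry list. Bit 0: timer was
 * stopped; bit 1: the entry is still reachable afterwards, i.e. the race window. */
static int flush_path_state(bool fixed) {
	struct pm pm = { PTHREAD_MUTEX_INITIALIZER, NULL };
	struct add_entry e = { NULL, 1, { true } };
	pm.anno_list = &e;
	if (fixed) del_add_timer_fixed(&pm, 1, true); else del_add_timer_vuln(&pm, 1);
	return !e.add_timer.pending | ((lookup_anno(&pm, 1) != NULL) << 1);
}
```

The vulnerable path returns with the entry still visible to a concurrent lookup (state 3), while the fixed path leaves only the stopped timer behind (state 1).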
Workarounds
- Disable MPTCP if not required by setting the sysctl net.mptcp.enabled=0
- Use kernel module loading restrictions to prevent MPTCP modules from loading if the feature is not needed
- Implement network segmentation to limit local access to systems running vulnerable kernel versions
# Disable MPTCP temporarily via sysctl
sysctl -w net.mptcp.enabled=0
# Make the change persistent across reboots
echo "net.mptcp.enabled=0" >> /etc/sysctl.d/99-disable-mptcp.conf
sysctl --system
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.