CVE-2024-49861 Overview
A vulnerability has been identified in the Linux kernel's BPF (Berkeley Packet Filter) subsystem that allows BPF programs to write to read-only maps through specific helper functions. Despite user- and BPF-side frozen BPF maps (such as .rodata), it was possible to write into these read-only maps from a BPF program through helpers using ARG_PTR_TO_{LONG,INT} as arguments. This bypasses the intended memory protection mechanisms and could lead to integrity violations and system instability.
Critical Impact
Local attackers with the ability to load BPF programs can bypass read-only memory protections to modify frozen BPF maps, potentially leading to unauthorized data modification and system denial of service.
Affected Products
- Linux Kernel (multiple versions)
- Debian Linux (LTS releases)
- Systems running BPF-enabled Linux kernels
Discovery Timeline
- 2024-10-21 - CVE-2024-49861 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-49861
Vulnerability Analysis
This vulnerability exists in the BPF verifier's argument type checking mechanism. When BPF helper functions are called with arguments typed as ARG_PTR_TO_LONG or ARG_PTR_TO_INT, the verifier fails to properly enforce read-only access restrictions on frozen BPF maps.
The flaw occurs in the check_func_arg() function where the meta->raw_mode is never set for these argument types. Subsequently, when check_helper_mem_access() processes a PTR_TO_MAP_VALUE register base type, it incorrectly assumes BPF_READ access mode for the call to check_map_access_type(). Since the BPF map is marked read-only, this check succeeds, but the actual operation may write to the memory location.
The helpers that accept these argument types can write results directly into the memory via *<ptr> = val operations, which violates the read-only constraint of frozen maps like .rodata sections.
Root Cause
The root cause is an improper annotation of BPF helper function arguments. Helpers that write results to memory were using ARG_PTR_TO_{LONG,INT} without the MEM_UNINIT flag, which would indicate that the memory is being written to rather than read from. The ARG_PTR_TO_{LONG,INT} types are special cases of ARG_PTR_TO_FIXED_SIZE_MEM with additional alignment requirements, but lacked proper write access verification.
The verifier's assumption that these pointer arguments are for reading rather than writing creates a security gap where write operations can bypass map protection flags.
Attack Vector
Exploitation requires local access and the ability to load BPF programs (typically requiring CAP_BPF or CAP_SYS_ADMIN capabilities). An attacker can craft a BPF program that:
- Obtains a pointer to a frozen (read-only) BPF map value
- Passes this pointer to a BPF helper function that uses ARG_PTR_TO_LONG or ARG_PTR_TO_INT arguments
- The helper writes to the supposedly read-only memory location, bypassing the frozen map protection
The attack requires the attacker to have privileges to load BPF programs, making this a local privilege abuse scenario rather than a remote attack.
Detection Methods for CVE-2024-49861
Indicators of Compromise
- Unexpected modifications to .rodata or other frozen BPF map sections
- BPF program behavior inconsistent with expected read-only data constraints
- Kernel log messages related to BPF verifier bypasses or memory access violations
- Anomalous BPF helper function usage patterns in system monitoring
Detection Strategies
- Monitor BPF program loading events using bpf_prog_load tracepoints for suspicious patterns
- Implement audit logging for BPF-related system calls, particularly those involving map operations
- Use kernel integrity monitoring tools to detect unauthorized modifications to kernel data structures
- Deploy endpoint detection solutions that can identify BPF-based exploitation techniques
Monitoring Recommendations
- Enable BPF-related kernel audit events to track program loading and map operations
- Implement runtime integrity checking for critical BPF maps in security-sensitive deployments
- Monitor for privilege escalation attempts that may leverage this vulnerability as part of an attack chain
- Review system logs for unexpected BPF verifier warnings or errors
How to Mitigate CVE-2024-49861
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the BPF verifier fix
- Restrict BPF program loading capabilities to only trusted users and processes
- Review and audit existing BPF programs for potential exploitation of this vulnerability
- Consider disabling unprivileged BPF if not required for operations
Patch Information
The Linux kernel maintainers have released patches that address this vulnerability by properly annotating helper arguments with MEM_UNINIT | MEM_ALIGNED flags and refactoring ARG_PTR_TO_{LONG,INT} to use fixed size memory types with proper access verification.
Patches are available through the following kernel commits:
Debian users should refer to the Debian LTS Security Announcement for distribution-specific updates.
Workarounds
- Disable unprivileged BPF program loading by setting kernel.unprivileged_bpf_disabled=1 via sysctl
- Restrict CAP_BPF and CAP_SYS_ADMIN capabilities to only essential services and users
- Implement mandatory access control policies (SELinux/AppArmor) to limit BPF usage
- Monitor and audit BPF-related activities until patches can be applied
# Disable unprivileged BPF program loading
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
# Make the setting persistent across reboots
echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf
sysctl -p
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
