CVE-2024-50063 Overview
CVE-2024-50063 is a Linux kernel vulnerability in the Berkeley Packet Filter (BPF) subsystem. The flaw allows tail calls between BPF programs attached to different kernel hooks, bypassing verifier assumptions about context access and return value validation. An attacker with the ability to load BPF programs can exploit this inconsistency to access kernel context fields or return values outside the verifier's expected boundaries. The issue affects the BPF Linux Security Module (LSM) and tracing program types where attached functions have different prototypes or return value rules.
Critical Impact
Local attackers with BPF load privileges can bypass kernel BPF verifier checks, potentially leading to privilege escalation, information disclosure, or LSM policy bypass.
Affected Products
- Linux Kernel (mainline, prior to fix commits)
- Linux Kernel stable branches receiving backports 28ead3eaabc1, 5d5e3b4cbe8e, 88c2a10e6c17, d9a807fb7cbf
- Debian LTS distributions per Debian Security Announcement
Discovery Timeline
- 2024-10-21 - CVE-2024-50063 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-50063
Vulnerability Analysis
The Linux kernel BPF subsystem permits programs to be attached to kernel functions and LSM hooks. The verifier validates each program against its attach target, assuming the BPF context layout and permissible return values match the target function's prototype. Tail calls allow one BPF program to invoke another without returning, reusing the caller's context.
The vulnerability stems from the verifier failing to restrict tail calls between programs attached to different hooks. When a program attached to one hook tail calls a program attached to a different hook, the callee receives the caller's context. The verifier validated the callee under different assumptions, so context fields the callee was allowed to access may not exist in the caller's context.
Return value validation is similarly compromised. If a BPF LSM program attached to file_alloc_security tail calls another program attached to bpf_lsm_audit_rule_known, the callee can return a positive value such as 1. The verifier permits this return value for bpf_lsm_audit_rule_known but rejects it for file_alloc_security. The tail call lets the disallowed value propagate as the result of file_alloc_security, bypassing LSM policy decisions.
Root Cause
The BPF verifier performs per-program validation of context access and return values based on the attach target. Tail call dispatch occurs at runtime through BPF_MAP_TYPE_PROG_ARRAY lookups, which were not constrained to programs attached to compatible hooks. The verifier assumption that runtime context matches static analysis breaks when callee and caller have different attach types.
Attack Vector
Exploitation requires local privileges sufficient to load BPF programs, typically CAP_BPF or CAP_SYS_ADMIN. An attacker crafts two BPF programs attached to different kernel hooks and inserts the callee into a program array map used as the tail call target. Invoking the caller triggers a tail call to the callee under mismatched context or return value constraints, enabling out-of-bounds context reads or return value injection into security-sensitive hooks.
The vulnerability has no public proof-of-concept and is not listed in the CISA Known Exploited Vulnerabilities catalog. The patch adds verifier restrictions preventing tail calls between programs attached to incompatible hooks. Refer to the upstream commits for the technical implementation of the fix.
Detection Methods for CVE-2024-50063
Indicators of Compromise
- Unexpected BPF program loads from non-administrative users or unusual processes invoking bpf() syscall with BPF_PROG_LOAD
- Creation of BPF_MAP_TYPE_PROG_ARRAY maps containing programs with mixed attach types
- Anomalous LSM policy decisions where hooks return values outside their documented range
Detection Strategies
- Audit bpf() syscall usage via auditd rules targeting BPF_PROG_LOAD and BPF_MAP_UPDATE_ELEM operations
- Monitor /sys/fs/bpf/ and pinned BPF objects for unexpected program types coexisting in program array maps
- Correlate kernel verifier rejections in dmesg after patch deployment, which indicates attempted cross-hook tail calls
Monitoring Recommendations
- Enable kernel auditing for BPF subsystem operations and ship logs to a centralized analytics platform
- Track processes holding CAP_BPF or CAP_SYS_ADMIN and alert on unexpected privilege use
- Inventory loaded BPF programs using bpftool prog list and baseline against approved workloads
How to Mitigate CVE-2024-50063
Immediate Actions Required
- Apply the kernel patches referenced in the upstream commits 28ead3eaabc1, 5d5e3b4cbe8e, 88c2a10e6c17, and d9a807fb7cbf from git.kernel.org
- Update Debian LTS systems per the Debian LTS Security Announcement
- Restrict CAP_BPF and CAP_SYS_ADMIN to trusted system accounts only
Patch Information
The fix adds verifier logic preventing tail calls between BPF programs attached to incompatible kernel hooks. Apply the patched kernel from your Linux distribution vendor. Reference upstream commits at kernel.org commit 28ead3eaabc1 and commit 5d5e3b4cbe8e.
Workarounds
- Set kernel.unprivileged_bpf_disabled=1 via sysctl to block unprivileged BPF program loading on systems where it is enabled
- Remove CAP_BPF from non-essential service accounts and containers
- Use Linux capability bounding sets and seccomp filters to deny the bpf() syscall in workloads that do not require it
# Disable unprivileged BPF and verify
sudo sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled=1' | sudo tee -a /etc/sysctl.d/90-bpf-hardening.conf
sudo sysctl -p /etc/sysctl.d/90-bpf-hardening.conf
# Inventory loaded BPF programs
sudo bpftool prog list
sudo bpftool map list
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
