CVE-2024-56658 Overview
CVE-2024-56658 is a Use-After-Free vulnerability in the Linux kernel's network namespace (netns) dismantle process. The flaw occurs in the dst_destroy function when handling XFRM (IPsec) destination operations during network namespace cleanup. Specifically, the xfrm6_net_init() and xfrm4_net_init() functions copy template structures into the net structure, but the net structure may be freed before all destination callbacks complete, leading to a slab-use-after-free condition.
Critical Impact
Local attackers with low privileges can exploit this vulnerability to corrupt kernel memory, with a high potential impact on the confidentiality, integrity, and availability of the system.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 6.13-rc1
- Linux Kernel 6.13-rc2
Discovery Timeline
- December 27, 2024 - CVE-2024-56658 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-56658
Vulnerability Analysis
This Use-After-Free vulnerability resides in the Linux kernel's network namespace destruction path. At network namespace initialization, the kernel copies the XFRM destination operations templates (xfrm4_dst_ops_template and xfrm6_dst_ops_template) into the per-namespace structure, at net->xfrm.xfrm4_dst_ops and net->xfrm.xfrm6_dst_ops. The vulnerability manifests when the struct net is freed before all pending destination callbacks have completed execution.
When dst_destroy() is subsequently invoked during RCU callback processing, it attempts to access dst->ops->destroy, which points to memory within the already-freed network structure. This results in a slab-use-after-free condition that was detected by KASAN (Kernel Address Sanitizer) during kernel testing.
The issue is related to a previously addressed problem in commit ac888d58869b ("net: do not delay dst_entries_add() in dst_release()"), indicating a pattern of timing-related memory safety issues in the destination cache management code.
Root Cause
The root cause is a race condition between network namespace destruction and RCU-deferred destination cache cleanup. The struct net structure is freed prematurely without ensuring that all destination operations referencing the per-namespace xfrm[46]_dst_ops structures have completed. The XFRM subsystem's initialization functions copy operation templates to per-namespace storage, creating dangling pointers when the namespace is destroyed while destinations still reference these operations.
Attack Vector
The vulnerability requires local access to the system with low privileges. An attacker would need to:
- Create and manipulate network namespaces
- Trigger XFRM/IPsec destination operations within those namespaces
- Race the namespace destruction against pending RCU callbacks
- Exploit the use-after-free condition to corrupt kernel memory
The vulnerability is exploited through local attack vectors involving network namespace manipulation. The attack does not require user interaction but does require authenticated local access to a system where network namespace operations are permitted.
Detection Methods for CVE-2024-56658
Indicators of Compromise
- KASAN reports showing "slab-use-after-free in dst_destroy" in kernel logs
- Kernel panic or crash events originating from net/core/dst.c with RCU batch processing in the call stack
- Anomalous behavior in IPsec/XFRM subsystem operations during namespace cleanup
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in development and testing environments to detect memory corruption
- Monitor kernel logs for use-after-free warnings in networking subsystem components
- Implement syscall auditing for unshare() and clone() calls with CLONE_NEWNET flag
- Deploy eBPF-based monitoring for network namespace lifecycle events
Monitoring Recommendations
- Configure centralized logging for kernel messages containing "dst_destroy" and "use-after-free" patterns
- Monitor for unusual spikes in network namespace creation and destruction operations
- Enable kernel crash dump collection to capture forensic data if exploitation occurs
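The KASAN indicator named in the lists above can be pulled out of collected kernel logs mechanically. The script below is an added example, not part of this advisory: it parses dmesg / journalctl -k output into one line per KASAN report and flags a slab-use-after-free in dst_destroy whose call stack runs through the RCU callback path. The sample log it ships with is constructed (addresses, offsets and the unrelated_fn name are made up).

```shell
#!/bin/sh
# Added example, not part of the advisory: extract KASAN reports from a kernel log
# and flag the CVE-2024-56658 indicator (slab-use-after-free in dst_destroy
# reached from RCU batch processing).

# Print one line per KASAN report: "<bug-type> <faulting-function> <rcu-path:yes|no>".
# A report starts at its "BUG: KASAN:" header and runs until the next header.
kasan_reports() {
    awk '
        /BUG: KASAN: / {
            if (fn != "") print type, fn, (rcu ? "yes" : "no")   # flush previous report
            # header looks like "BUG: KASAN: slab-use-after-free in dst_destroy+0x2a8/0x2b0"
            match($0, /KASAN: [a-z-]+ in [A-Za-z0-9_]+/)
            split(substr($0, RSTART + 7, RLENGTH - 7), p, " in ")
            type = p[1]; fn = p[2]; rcu = 0
            next
        }
        /dst_destroy_rcu|rcu_do_batch/ { rcu = 1 }    # stack shows the RCU callback path
        END { if (fn != "") print type, fn, (rcu ? "yes" : "no") }
    ' "$1"
}

# Exit 0 if the log holds a dst_destroy use-after-free hit from the RCU path.
has_dst_destroy_uaf() {
    kasan_reports "$1" | grep -q '^slab-use-after-free dst_destroy yes$'
}

# Write a constructed sample log (addresses, offsets and unrelated_fn are made up)
# and print its path: one unrelated report first, then the pattern this advisory describes.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[   12.000001] BUG: KASAN: slab-use-after-free in unrelated_fn+0x10/0x20
[   12.000002] Call Trace:
[   12.000003]  unrelated_fn+0x10/0x20
[   12.000004]  do_syscall_64+0x50/0x110
[  123.456790] BUG: KASAN: slab-use-after-free in dst_destroy+0x2a8/0x2b0
[  123.456791] Read of size 8 at addr ffff888012345678 by task kworker/u8:1/42
[  123.456792] Call Trace:
[  123.456793]  dst_destroy+0x2a8/0x2b0
[  123.456794]  dst_destroy_rcu+0x1e/0x30
[  123.456795]  rcu_do_batch+0x1f0/0x5c0
EOF
    echo "$f"
}

# Usage: ./kasan_scan.sh [logfile]; with no argument the constructed sample is scanned.
log=${1:-$(write_sample_log)}
kasan_reports "$log"
has_dst_destroy_uaf "$log" && echo "ALERT: CVE-2024-56658 indicator present in $log"
```

Feed it `journalctl -k --no-pager` output or a saved dmesg file; the per-report lines can be shipped to the central log pipeline as-is.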
- Implement SentinelOne Singularity agent for real-time kernel-level threat detection
How to Mitigate CVE-2024-56658
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for CVE-2024-56658
- Restrict network namespace creation privileges to trusted users and processes using user namespace restrictions
- Consider temporarily disabling unprivileged user namespaces via sysctl kernel.unprivileged_userns_clone=0 if not required
- Apply security-focused kernel hardening configurations
Patch Information
The fix defers the final struct net free operation until after an additional cleanup_net() round and existing rcu_barrier() calls have completed, ensuring all destination callbacks finish before the network structure is released. Patches are available through the kernel.org git repository:
- Kernel Git Commit 0f6ede9fbc74
- Kernel Git Commit 3267b254dc0a
- Kernel Git Commit 6610c7f8a8d4
- Kernel Git Commit b7a79e51297f
Additionally, Debian has released security announcements for affected distributions. See the Debian LTS Security Announcements for distribution-specific guidance.
Workarounds
- Restrict access to network namespace operations by limiting CAP_SYS_ADMIN and CAP_NET_ADMIN capabilities
- Disable unprivileged user namespace creation if operationally feasible
- Implement mandatory access control (SELinux/AppArmor) policies restricting namespace operations
- Monitor and limit processes that can create new network namespaces
# Disable unprivileged user namespaces (if not required). This sysctl exists only on
# kernels carrying the Debian/Ubuntu patch, so check for it before writing.
[ -f /proc/sys/kernel/unprivileged_userns_clone ] && echo 0 > /proc/sys/kernel/unprivileged_userns_clone
# Or persistently via sysctl (applied at boot by systemd-sysctl)
echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.d/99-security.conf
sysctl -p /etc/sysctl.d/99-security.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

