VYPR
High severity · 7.8 · NVD Advisory · Published Apr 17, 2024 · Updated May 12, 2026

CVE-2024-26883

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stackmap overflow check on 32-bit arches

The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code.

The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel bug in BPF stackmap bucket-size validation causes undefined behavior on 32-bit systems, potentially leading to memory corruption or system crash.

Vulnerability Overview

CVE-2024-26883 describes a security flaw in the Linux kernel's BPF stackmap implementation, specifically in the bucket-size computation for hash maps. The code uses roundup_pow_of_two() to calculate the number of hash buckets and attempts to catch overflow by checking whether the result is zero. However, on 32-bit architectures, the rounding operation itself can involve a 32-bit left-shift of an unsigned long value, which is undefined behavior (UB) in C. The overflow check is therefore unreliable: the result is not guaranteed to truncate to zero as the check assumes, potentially leading to an incorrect bucket count.

Attack Vector & Exploitation

An attacker who can load or trigger BPF programs (which typically requires local access and certain capabilities) could cause the kernel to compute a malformed bucket count. The overflow check is not guaranteed to catch the error on 32-bit platforms, allowing an attacker to trigger memory corruption or a denial-of-service condition. The bug was initially discovered via syzbot and also affects the DEVMAP_HASH type, which shares the same flawed overflow check copied from the hashtab code [1].

Impact

If successfully exploited, this vulnerability could lead to kernel memory corruption, system crash (denial of service), or other undefined behavior. The CVSS v3 score of 7.8 indicates high severity: the potential impact is serious, and triggering it requires local access and low complexity.

Mitigation

The fix, already merged into the Linux kernel stable branches, replaces the post-rounding zero check with a pre-rounding overflow check that avoids undefined behavior [2][3][4]. Users should apply kernel updates to patched versions. Systems running on 32-bit architectures are particularly vulnerable.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
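
The difference between the post-rounding zero check and the pre-rounding check described above, as an added C example (not the kernel's code). `uint32_t` models a 32-bit `unsigned long`, all function names are hypothetical, and the two shift helpers are assumptions that model an oversize shift giving zero and a shift count masked to five bits (as x86 shift instructions do), since C leaves the shift itself undefined.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* uint32_t stands in for a 32-bit unsigned long, so results match on any host. */
#define LONG_BITS 32u

/* 1-based index of the highest set bit; 0 when x == 0. */
static unsigned fls32(uint32_t x)
{
    unsigned r = 0;
    while (x) { r++; x >>= 1; }
    return r;
}

/* Two defined models of what hardware may do with an oversize shift count.
 * In C the shift itself is undefined, so neither outcome is guaranteed. */
static uint32_t shl_to_zero(unsigned c) { return c >= LONG_BITS ? 0 : UINT32_C(1) << c; }
static uint32_t shl_masked(unsigned c)  { return UINT32_C(1) << (c & (LONG_BITS - 1)); }

/* Flawed pattern: round up first, then treat a result of 0 as "overflowed".
 * Returns true when the request is accepted; *buckets gets the rounded value. */
bool accept_post_round(uint32_t max_entries, bool count_masked, uint32_t *buckets)
{
    unsigned shift = fls32(max_entries - 1);
    *buckets = count_masked ? shl_masked(shift) : shl_to_zero(shift);
    return *buckets != 0;
}

/* Corrected pattern: bound the input before rounding, so the shift count
 * never reaches LONG_BITS and no undefined shift is evaluated. */
bool accept_pre_round(uint32_t max_entries, uint32_t *buckets)
{
    if (max_entries == 0 || max_entries > (UINT32_C(1) << 31))
        return false;   /* the rounded value would not fit in 32 bits */
    *buckets = UINT32_C(1) << fls32(max_entries - 1);
    return true;
}

int main(void)
{
    uint32_t n = UINT32_C(0x80000001), b = 0;   /* constructed input just above 2^31 */
    bool ok = accept_post_round(n, false, &b);
    printf("post-round, shift gives 0 : accepted=%d buckets=%u\n", ok, (unsigned)b);
    ok = accept_post_round(n, true, &b);
    printf("post-round, count masked  : accepted=%d buckets=%u\n", ok, (unsigned)b);
    ok = accept_pre_round(n, &b);
    printf("pre-round check           : accepted=%d\n", ok);
}
```

Under the count-masked model the post-rounding check accepts the oversize request with a single bucket, which is the outcome a zero test cannot detect; the pre-rounding check rejects it under either model.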

Affected products

1
  • Linux/Linuxv5
    Range: 5.11
