A newly discovered vulnerability, CVE-2024-53141, in the Linux kernel’s IP sets framework has exposed a critical security flaw that allows local attackers to escalate privileges and potentially gain root access. 

The vulnerability, assigned a CVSS score of 7.8, uncovered by researchers st424204 and d4em0n, specifically affects the bitmap:ip set type within the netfilter subsystem. 

Linux Kernel IP Sets Vulnerability – CVE-2024-53141

The flaw stems from improper handling of IPSET_ATTR_CIDR parameters when TB[IPSET_ATTR_IP_TO] is not present.

“When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing,” explains the Ubuntu security advisory.

Exploitation Path 

The security implications are severe. The exploit chain documented in the researchers’ repository demonstrates how attackers can leverage this flaw to achieve:

• Out-of-bounds write access to the kernel heap, enabling address leakage.
• Arbitrary value writing outside allocated memory bounds.
• Conversion of out-of-bounds conditions into use-after-free vulnerabilities.
• Kernel Address Space Layout Randomization (KASLR) bypass.
• Redirection of kernel execution flow to attacker-controlled code.

The exploit code specifically targets the bitmap_ip implementation in net/netfilter/ipset/ip_set_bitmap_ip.c, where the vulnerability occurs in function calls like ip_to_id, which can be manipulated to return values far outside allocated memory ranges:

The PoC exploit leverages several advanced primitives:

• Heap Address Leak: By exploiting the comment extension in ip_set_init_comment, attackers can leak kernel heap addresses from adjacent memory chunks.
• Arbitrary OOB Write: Utilizing the counter extension in ip_set_init_counter, attackers can write controlled values outside allocated bounds.
• Use-After-Free: By manipulating msg_msgseg structures, OOB writes are converted into UAFs, enabling further exploitation.
• KASLR Bypass: The exploit uses heap spraying and object reallocation to leak kernel text addresses and defeat Kernel Address Space Layout Randomization.
• RIP Control and ROP Chain Execution: Through precise heap manipulation, the attacker gains control of the instruction pointer (RIP), redirecting execution to a crafted ROP chain that overwrites the core_pattern kernel variable, ultimately spawning a root shell.

Affected Versions and Remediation

The vulnerability affects kernel versions from 2.6.39 through versions prior to 4.19.325, 6.6.64, 6.11.11, and 6.12.2. The exploit code in the repository specifically targets Linux kernel 6.6.62.

Security experts recommend immediate patching as the most effective mitigation. The fix, which adds proper range checks to the bitmap_ip_uadt function, has been incorporated into Linux kernels 4.19.325, 6.6.64, 6.11.11, 6.12.2, and later.

“This vulnerability provides threat actors with a powerful exploit chain that can ultimately lead to privilege escalation, KASLR bypass, and full kernel-level code execution,” reads the security advisory.

System administrators are advised to update affected systems immediately, as the public availability of exploit code significantly increases the likelihood of attacks targeting unpatched systems.

Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy