CVE-2024-26625 - Stale Pointer Use in Linux Kernel LLC Socket Release (Fixed)

A recently disclosed and fixed vulnerability, CVE-2024-26625, exposed the Linux kernel to a subtle but dangerous memory safety bug involving LLC sockets. This long read explains the roots of the vulnerability, its practical security impact, code-level details, and exploitability, in straightforward language for readers interested in Linux kernel security.

What Happened: The LLC Socket Release Bug

The kernel can run into serious trouble if internal pointers linger after they should be detached or reset. This is exactly what was found in the Linux kernel’s *Logical Link Control* (LLC) socket implementation. Specifically, the kernel failed to orphan (disconnect and clean up) resources properly when an LLC socket was released—leading to pointers referencing freed memory. This race could allow a so-called *use-after-free* bug, where the system operates on memory that has been given back to the system and may now contain unintended data or be recycled for other purposes.

Syzbot’s Report

This bug was reported by syzbot, an automated kernel testing tool. It caught a “slab-use-after-free” in the kernel log, an unmistakable sign of memory being touched after it’s already been freed. Here’s a chunk from the report:

BUG: KASAN: slab-use-after-free in sock_wfree+x9a8/x9d net/core/sock.c:2468
Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27
...
sock_def_write_space_wfree net/core/sock.c:3384 [inline]
...
Allocated by task 5167: ... sock_alloc_inode+x25/x1c net/socket.c:308
Freed by task : ... poison_slab_object mm/kasan/common.c:241

Translation? The kernel's socket handling code touched memory that was already handed back to the allocator—a textbook use-after-free vulnerability.

This comes down to missing cleanup during the socket release path

- sock_orphan() is a function responsible for cutting ties between a socket and its "wait queue" and internal resources.
- When an LLC socket is closed (released), it did not call sock_orphan(), but proceeded to free resources.
- This left internal pointers—like sk_wq (wait queue pointer) inside the socket—in an invalid state. Other parts of the kernel could later use these pointers, resulting in undefined behaviour, memory safety bugs, or crashes.

The issue had been noted before by kernel developer Eric Biggers, who indicated that not all protocols called sock_orphan() properly. This bug forced the issue, resulting in both targeted and wider audits of socket protocols.

A patch was submitted (and merged) to fix this for LLC

--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ void llc_release(struct socket *sock)
-   /* Existing code did not call sock_orphan() */
+   sock_orphan(sock->sk);
    ...
    /* Continue with freeing, only after orphaned */

The crux: Always call sock_orphan() before releasing or dereferencing the socket.

The Lesson

This is a classic example of a “resource lifetime” bug—a very common, yet very subtle category of memory corruption bugs in large C codebases like the kernel.

Exploitability

Is this bug exploitable? In principle, use-after-free bugs can be levers for serious exploits, especially local privilege escalation, information disclosure, or even remote code execution in networked contexts, depending on how controllable the conditions are.

With CVE-2024-26625

- Attack vector: A local user (or process) could repeatedly trigger socket creation/destruction and race resource cleanup.
- Impact: The risk is mostly privilege escalation, as executing code in freed memory could allow arbitrary code execution in the kernel context.
- Real-world ease: Because LLC sockets are not commonly used by regular user-space programs, practical exploitation is low, but not impossible, especially if combined with other bugs.

Here’s a simplified PoC that “tickles” the bug (*no exploit!* just crash trigger)

#include <stdio.h>
#include <sys/socket.h>
#include <linux/if_llc.h>
int main() {
    int sock = socket(AF_LLC, SOCK_STREAM, LLC_PROTO_ID_RM);
    if (sock < ) { perror("socket"); return 1; }
    close(sock); // triggers the faulty release path in buggy kernels
    return ;
}

Compile with

gcc -o llc_bug llc_bug.c
sudo ./llc_bug

On a vulnerable kernel, running this repeatedly might trigger KASAN or kernel panic.

References:

- Original discussion/patch:
net: llc: call sock_orphan() at release time (kernel.org)

Syzbot report thread:

lkml.org bug report
- Eric Biggers’ commit message

Mitigation and Conclusion

All users and distributors should update to a kernel with this patch applied.
If you maintain custom kernel code or unusual protocols, consider auditing all protocol release functions for consistent use of sock_orphan().

This bug is a reminder that even long-established kernel code can hide sharp edges. Thanks to tooling like syzbot and attentive kernel devs, such issues no longer lurk for long.


*Stay updated on kernel security: patch early, patch often!*


References
- Linux commit fixing the bug
- llc release bug syzbot thread
- CVE page (NVD entry)


*(You read it here first: an exclusive, simple-language security writeup!)*

Timeline

Published on: 03/06/2024 07:15:12 UTC
Last modified on: 01/07/2025 20:17:40 UTC