
THREATINT
PUBLISHED

CVE-2024-50036

net: do not delay dst_entries_add() in dst_release()



Description

In the Linux kernel, the following vulnerability has been resolved:

net: do not delay dst_entries_add() in dst_release()

dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy()

Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy()

dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already.

Decrementing the number of dsts must happen sooner.

Notes:

1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this.

2) There is also discussion about removing this count of dst, which might happen in future kernels.
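The ordering problem described above, as an added userspace model (not kernel code and not part of the CVE record): it replays the one interleaving in which dst_entries_destroy() runs before the deferred dst_destroy() callbacks, and counts the counter updates that would land on freed per-cpu data. The struct layouts, the `deferred` array and the `simulate` helper are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code: names echo the advisory, bodies are simplified. */
struct dst_ops { long entries; bool counters_live; int late_touches; };
struct dst { struct dst_ops *ops; };

#define MAX_DST 8
static struct dst *deferred[MAX_DST];  /* stands in for the RCU callback queue */
static int n_deferred;

/* Models dst_entries_add(): a touch after teardown is recorded, not performed. */
static void entries_add(struct dst_ops *ops, long v) {
    if (!ops->counters_live) { ops->late_touches++; return; }
    ops->entries += v;
}

/* Models dst_release() dropping the last reference. */
static void release(struct dst *d, bool fixed) {
    if (fixed) entries_add(d->ops, -1);  /* fixed ordering: count now */
    deferred[n_deferred++] = d;          /* destroy runs after a grace period */
}

/* Models dst_destroy() running from the deferred callback. */
static void destroy(struct dst *d, bool fixed) {
    if (!fixed) entries_add(d->ops, -1); /* old ordering: count after the wait */
}

/* Returns how many counter updates landed after the counter was torn down. */
int simulate(bool fixed, int ndst, long *entries_at_teardown) {
    struct dst_ops ops = { 0, true, 0 };
    struct dst dsts[MAX_DST];
    ndst = ndst < 0 ? 0 : (ndst > MAX_DST ? MAX_DST : ndst);
    ops.entries = ndst;
    n_deferred = 0;
    for (int i = 0; i < ndst; i++) { dsts[i].ops = &ops; release(&dsts[i], fixed); }
    *entries_at_teardown = ops.entries;
    ops.counters_live = false;           /* models dst_entries_destroy() at netns exit */
    for (int i = 0; i < n_deferred; i++) destroy(deferred[i], fixed);
    return ops.late_touches;
}

int main(void) {
    long left;
    int late = simulate(false, 3, &left);
    printf("old ordering: %d late updates, %ld still counted at teardown\n", late, left);
    late = simulate(true, 3, &left);
    printf("fixed ordering: %d late updates, %ld still counted at teardown\n", late, left);
}
```

With the decrement left in the deferred callback, every released dst is still counted when the counter is torn down and each later update is a use-after-free candidate; with the decrement done at release time, the count is already zero and the callbacks never touch it.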

Reserved 2024-10-21 | Published 2024-10-21 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

f88649721268999bdff09777847080a52004f691 before 547087307bc19417b4f2bc85ba9664a3e8db5a6a
affected

f88649721268999bdff09777847080a52004f691 before e3915f028b1f1c37e87542e5aadd33728c259d96
affected

f88649721268999bdff09777847080a52004f691 before a60db84f772fc3a906c6c4072f9207579c41166f
affected

f88649721268999bdff09777847080a52004f691 before eae7435b48ffc8e9be0ff9cfeae40af479a609dd
affected

f88649721268999bdff09777847080a52004f691 before 3c7c918ec0aa3555372c5a57f18780b7a96c5cfc
affected

f88649721268999bdff09777847080a52004f691 before ac888d58869bb99753e7652be19a151df9ecb35d
affected

86e48c03d774e01ccd71ecba4fc4b5c2bc0b5b41
affected

591b1e1bb40152e22cee757f493046a0ca946bf8
affected

df90819dafcd6b97fc665f63a15752a570e227a2
affected

9a4fe697023dbe6c25caa1f8b2153af869a29bd2
affected

Default status
affected

3.16
affected

Any version before 3.16
unaffected

5.10.230
unaffected

5.15.172
unaffected

6.1.117
unaffected

6.6.57
unaffected

6.11.4
unaffected

6.12
unaffected

References

git.kernel.org/...c/547087307bc19417b4f2bc85ba9664a3e8db5a6a

git.kernel.org/...c/e3915f028b1f1c37e87542e5aadd33728c259d96

git.kernel.org/...c/a60db84f772fc3a906c6c4072f9207579c41166f

git.kernel.org/...c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd

git.kernel.org/...c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc

git.kernel.org/...c/ac888d58869bb99753e7652be19a151df9ecb35d

cve.org (CVE-2024-50036)

nvd.nist.gov (CVE-2024-50036)
