CVE-2024-50036

net: do not delay dst_entries_add() in dst_release()

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE

In the Linux kernel, the following vulnerability has been resolved:

net: do not delay dst_entries_add() in dst_release()

dst_entries_add() uses per-cpu data that might be freed at netns
dismantle from ip6_route_net_exit() calling dst_entries_destroy()

Before ip6_route_net_exit() can be called, we release all
the dsts associated with this netns, via calls to dst_release(),
which waits an rcu grace period before calling dst_destroy()

dst_entries_add() use in dst_destroy() is racy, because
dst_entries_destroy() could have been called already.

Decrementing the number of dsts must happen sooner.

Notes:

1) in CONFIG_XFRM case, dst_destroy() can call
dst_release_immediate(child), this might also cause UAF
if the child does not have DST_NOCOUNT set.
IPSEC maintainers might take a look and see how to address this.

2) There is also discussion about removing this count of dst,
which might happen in future kernels.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-10-21 CVE Reserved
2024-10-21 CVE Published
2024-10-21 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/f88649721268999bdff09777847080a52004f691	Vuln. Introduced
https://git.kernel.org/stable/c/86e48c03d774e01ccd71ecba4fc4b5c2bc0b5b41	Vuln. Introduced
https://git.kernel.org/stable/c/591b1e1bb40152e22cee757f493046a0ca946bf8	Vuln. Introduced
https://git.kernel.org/stable/c/df90819dafcd6b97fc665f63a15752a570e227a2	Vuln. Introduced
https://git.kernel.org/stable/c/9a4fe697023dbe6c25caa1f8b2153af869a29bd2	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd	2024-10-17
https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc	2024-10-17
https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d	2024-10-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.16 < 6.6.57 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 6.6.57"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.16 < 6.11.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 6.11.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.16 < 6.12-rc3 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 6.12-rc3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.10.50 Search vendor "Linux" for product "Linux Kernel" and version "3.10.50"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.12.26 Search vendor "Linux" for product "Linux Kernel" and version "3.12.26"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.14.14 Search vendor "Linux" for product "Linux Kernel" and version "3.14.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.15.7 Search vendor "Linux" for product "Linux Kernel" and version "3.15.7"		en		Affected