CVE-2024-50036

HIGH EPSS 14.9%
Published Oct 21, 2024 · Modified Jun 17, 2026
7.0 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

net: do not delay dst_entries_add() in dst_release()

dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy()

Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy()

dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already.

Decrementing the number of dsts must happen sooner.

Notes:

1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this.

2) There is also discussion about removing this count of dst, which might happen in future kernels.

CVSS Details

Base Score
7.0
Exploitability
1.0
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
14.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 8

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥3.10.50 – <3.11
linux    linux_kernel   *         ≥3.12.26 – <3.13
linux    linux_kernel   *         ≥3.14.14 – <3.15
linux    linux_kernel   *         ≥3.15.7 – <3.16
linux    linux_kernel   *         ≥3.16 – <6.6.57
linux    linux_kernel   *         ≥6.7 – <6.11.4
linux    linux_kernel   6.12      any
linux    linux_kernel   6.12      any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a
  • git.kernel.org https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f
  • git.kernel.org https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96
  • git.kernel.org https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd
    Patch