CVE-2024-46800

HIGH

Linux Kernel Use-After-Free in netem_dequeue (3.3-6.10.9)

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF

References (10)

Core 10
Core References

Scores

CVSS v3 7.8
EPSS 0.0027
EPSS Percentile 18.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-416
Status published
Products (27)
linux/Kernel 3.3.0 - 4.19.322linux
linux/Kernel 4.20.0 - 5.4.284linux
linux/Kernel 5.11.0 - 5.15.167linux
linux/Kernel 5.16.0 - 6.1.110linux
linux/Kernel 5.5.0 - 5.10.226linux
linux/Kernel 6.2.0 - 6.6.51linux
linux/Kernel 6.7.0 - 6.10.10linux
Linux/Linux < 3.3
Linux/Linux 3.3
Linux/Linux 4.19.322 - 4.19.*
... and 17 more
Published Sep 18, 2024
Tracked Since Feb 18, 2026