CVE-2024-26669: Vulnerability in the Linux kernel (net/sched flower chain template offload)
Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: flower: Fix chain template offload

When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter.

However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2].

Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one.

As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains.

[1]
unreferenced object 0xffff888107e28800 (size 2048):
  comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s)
  hex dump (first 32 bytes):
    b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff  ..|......[......
    01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff  ................
  backtrace:
    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320
    [<ffffffff81ab374e>] __kmalloc+0x4e/0x90
    [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0
    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180
    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280
    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340
    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0
    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170
    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0
    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440
    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820
    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0
    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80
    [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0
    [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0
    [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0
unreferenced object 0xffff88816d2c0400 (size 1024):
  comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s)
  hex dump (first 32 bytes):
    40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00  @.......W.8.....
    10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff  ..,m......,m....
  backtrace:
    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320
    [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90
    [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0
    [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460
    [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0
    [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0
    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180
    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280
    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340
    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0
    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170
    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0
    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440
    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820
    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0
    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80

[2]
# tc qdisc add dev swp1 clsact
# tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32
# tc qdisc del dev ---truncated---
AI Analysis
Technical Summary
CVE-2024-26669 is a kernel memory leak in the Linux traffic control subsystem (net/sched), in the hardware-offload path of the 'flower' classifier. flower is the only classifier that supports chain templates, and a driver that offloads flower rules may allocate driver-private objects when a template is created (in the kernel report, an mlxsw ACL ruleset and its rhashtable, allocated from mlxsw_sp_flower_tmplt_create() via fl_tmplt_create()). When a qdisc is deleted, the kernel first unbinds the driver's flow offload callback from the filter block ('FLOW_BLOCK_UNBIND') and replays the removal of every filter to that driver by iterating over the block's chains and calling each classifier's 'reoffload' operation, which emits one 'FLOW_CLS_DESTROY' per filter. No equivalent replay existed for chain templates. Because the chains, and with them their templates, are flushed only after the unbind, the template destroy path runs when the driver's callback is no longer attached to the block, so the driver never receives 'FLOW_CLS_TMPLT_DESTROY' and whatever it allocated for the template is never freed. The ordering was introduced by a commit that moved tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(); it cannot simply be reversed because the block must be freed only after all chains have been flushed. The fix adds a 'tmplt_reoffload' classifier operation that the block bind/unbind replay invokes, and implements it in flower to emit 'FLOW_CLS_TMPLT_CREATE' when a callback is bound and 'FLOW_CLS_TMPLT_DESTROY' when it is unbound. Triggering the leak requires the ability to configure tc on the device (CAP_NET_ADMIN, typically root), an offload-capable driver bound to the block, and deleting the qdisc while a chain template is still present; each such deletion leaks the driver-side objects of every template the block held.
The vulnerability does not lead to code execution or privilege escalation. Its effect is a cumulative leak of kernel slab memory that is not reclaimed until reboot, which degrades stability over time and can end in a denial of service (DoS) on long-running systems. There are no known exploits in the wild at this time.
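The sequence described above is easier to see in a small model than in the kernel source. The following is an added illustration written for this page, not kernel code: Driver, Block and Chain are invented stand-ins for the driver's flow-block callback, struct tcf_block and struct tcf_chain, and the command strings mirror the kernel's flow_cls_command names. Running the reproducer from the commit message through the model with and without the 'tmplt_reoffload' replay shows which driver objects survive the qdisc deletion.

```python
"""Toy model of the tc filter-block teardown in CVE-2024-26669.

Added illustration for this page, not kernel code. Driver/Block/Chain are
invented stand-ins for the driver's flow-block callback, struct tcf_block and
struct tcf_chain; the command strings are the kernel's flow_cls_command names.
"""
from __future__ import annotations

from dataclasses import dataclass, field

FLOW_CLS_REPLACE = "FLOW_CLS_REPLACE"            # offload a filter
FLOW_CLS_DESTROY = "FLOW_CLS_DESTROY"            # remove an offloaded filter
FLOW_CLS_TMPLT_CREATE = "FLOW_CLS_TMPLT_CREATE"  # offload a chain template
FLOW_CLS_TMPLT_DESTROY = "FLOW_CLS_TMPLT_DESTROY"


class Driver:
    """Stand-in for an offload driver such as mlxsw: it allocates a private
    object (an ACL ruleset in the kernel report) per filter and per template."""

    def __init__(self) -> None:
        self.objects: dict[tuple[str, int], str] = {}
        self.log: list[str] = []

    def cb(self, command: str, kind: str, ident: int) -> None:
        self.log.append(f"{command} {kind}={ident}")
        if command in (FLOW_CLS_REPLACE, FLOW_CLS_TMPLT_CREATE):
            self.objects[(kind, ident)] = f"ruleset-{kind}-{ident}"
        else:
            self.objects.pop((kind, ident), None)

    def leaked(self) -> list[tuple[str, int]]:
        """Objects still held after the block is gone."""
        return sorted(self.objects)


@dataclass
class Chain:
    index: int
    filters: list[int] = field(default_factory=list)
    has_template: bool = False


class Block:
    """Filter block: its chains plus the currently bound driver callbacks."""

    def __init__(self) -> None:
        self.chains: list[Chain] = []
        self.cbs: list = []

    def setup_cb_call(self, command: str, kind: str, ident: int) -> None:
        # tc_setup_cb_call(): deliver only to callbacks that are bound right now.
        for cb in self.cbs:
            cb(command, kind, ident)

    def add_chain_template(self, index: int) -> Chain:
        chain = Chain(index, has_template=True)
        self.chains.append(chain)
        self.setup_cb_call(FLOW_CLS_TMPLT_CREATE, "tmplt", index)  # fl_tmplt_create()
        return chain

    def add_filter(self, chain: Chain, handle: int) -> None:
        chain.filters.append(handle)
        self.setup_cb_call(FLOW_CLS_REPLACE, "filter", handle)

    def offload_unbind(self, cb, replay_templates: bool) -> None:
        """tcf_block_offload_unbind(): drop the callback, then replay removals."""
        self.cbs.remove(cb)
        for chain in self.chains:
            for handle in chain.filters:                  # classifier ->reoffload()
                cb(FLOW_CLS_DESTROY, "filter", handle)
            if replay_templates and chain.has_template:   # the fix: ->tmplt_reoffload()
                cb(FLOW_CLS_TMPLT_DESTROY, "tmplt", chain.index)

    def flush_all_chains(self) -> None:
        """tcf_block_flush_all_chains(): fl_tmplt_destroy() does emit
        FLOW_CLS_TMPLT_DESTROY here, but no callback is bound any more."""
        for chain in self.chains:
            for handle in chain.filters:
                self.setup_cb_call(FLOW_CLS_DESTROY, "filter", handle)
            if chain.has_template:
                self.setup_cb_call(FLOW_CLS_TMPLT_DESTROY, "tmplt", chain.index)
        self.chains.clear()

    def put(self, cb, fixed: bool) -> None:
        # __tcf_block_put(): unbind first, flush after. The order cannot be
        # swapped because the block must outlive the chain flush.
        self.offload_unbind(cb, replay_templates=fixed)
        self.flush_all_chains()


def qdisc_lifecycle(fixed: bool) -> list[tuple[str, int]]:
    """Reproducer [2] from the commit message: qdisc add, chain template add,
    qdisc del. Returns the driver objects left behind."""
    drv = Driver()
    block = Block()
    block.cbs.append(drv.cb)              # FLOW_BLOCK_BIND: 'tc qdisc add dev swp1 clsact'
    chain = block.add_chain_template(1)   # 'tc chain add ... chain 1 flower dst_ip 0.0.0.0/32'
    block.add_filter(chain, 0x1)          # an offloaded filter; handled correctly either way
    block.put(drv.cb, fixed=fixed)        # 'tc qdisc del dev ...' (truncated in the report)
    return drv.leaked()


if __name__ == "__main__":
    print("unfixed:", qdisc_lifecycle(fixed=False))   # [('tmplt', 1)]
    print("fixed:  ", qdisc_lifecycle(fixed=True))    # []
```

The filter is destroyed in both runs because the existing 'reoffload' replay handles it; only the template object survives in the unfixed run, which is exactly the mlxsw ruleset that kmemleak reports in [1].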
Potential Impact
For European organizations, this vulnerability is an availability issue rather than a confidentiality or integrity one. Linux is widely deployed across servers, network appliances and embedded devices in Europe, including telecommunications and critical infrastructure, but the leak only manifests where a driver that offloads flower chain templates is bound to the filter block; in the kernel report that driver is mlxsw (Mellanox Spectrum switches), and a software-only tc configuration has no driver-side object to leak. The amount leaked does not depend on traffic volume: each deletion of a qdisc that still holds chain templates leaks the driver's per-template objects (3 KiB of slab memory across the two objects in the report), so the impact is concentrated in environments where orchestration or automation repeatedly creates and tears down clsact or ingress qdiscs with chain templates on offload-capable hardware. Leaked kernel memory is not reclaimed until reboot, so the effect is cumulative and can eventually exhaust memory on long-running switches or hosts, disrupting the services that depend on them. The absence of known exploits reduces immediate risk, but unpatched systems remain exposed to deliberate or accidental resource depletion by anyone who can reconfigure tc on such devices.
Mitigation Recommendations
1. Apply the Linux kernel fix that introduces the 'tmplt_reoffload' operation and replays chain template removal during block unbind, via your distribution's kernel updates or the stable series you track.
2. Audit tc configuration changes on offload-capable devices: frequent creation and deletion of clsact or ingress qdiscs that carry chain templates is the pattern that drives the leak, and it is usually produced by automation rather than by hand.
3. Restrict CAP_NET_ADMIN over the affected devices to trusted personnel and tooling, since that capability is what is needed to add chain templates and delete qdiscs.
4. Track kernel memory on affected systems: growth of Slab and SUnreclaim in /proc/meminfo, or of the kmalloc caches matching the leaked object sizes in slabtop (2048 and 1024 bytes in the report), that correlates with qdisc reconfiguration indicates the leak. On a lab system built with CONFIG_DEBUG_KMEMLEAK, run the reproducer from the commit message, trigger a scan with `echo scan > /sys/kernel/debug/kmemleak` and read the report back; unreferenced objects whose backtrace passes through fl_tmplt_create() and the driver's template-create callback mean the kernel is unpatched.
5. Until patched, delete chain templates explicitly (for example `tc chain del dev <dev> ingress chain <n>`) before deleting the qdisc: while the offload callback is still bound, the template destroy goes through the normal path and the driver receives 'FLOW_CLS_TMPLT_DESTROY'. Alternatively, avoid chain templates on blocks that are offloaded to hardware.
6. Keep incident response plans and reboot or failover procedures ready, since recovering the leaked memory requires a reboot of the affected node.
7. Engage Linux distribution vendors and network hardware providers (in particular vendors shipping mlxsw-based switches) for updates and guidance specific to their products.
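Item 4 above relies on reading the kmemleak report by eye. The following added example, written for this page and not a tool from the kernel tree, parses the text format of /sys/kernel/debug/kmemleak (the same format quoted in the commit message) and flags the entries whose backtrace goes through the chain template offload path. The sample input is constructed: it contains the two entries from the commit message with their backtraces abbreviated, plus one unrelated entry (comm "sshd", symbol some_unrelated_alloc, both invented) to show it being filtered out.

```python
"""Parse a kmemleak report and flag leaks from tc chain template offload.

Added example for this page, not a kernel tool. Reads the text format of
/sys/kernel/debug/kmemleak. SAMPLE is constructed from the commit message's
two entries (backtraces abbreviated) plus one invented unrelated entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
META_RE = re.compile(r'^\s*comm "([^"]*)", pid (\d+), jiffies (\d+)')
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\] ([A-Za-z_0-9.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Symbols that identify the template offload path in the commit's backtraces.
TMPLT_MARKERS = ("fl_tmplt_create", "mlxsw_sp_flower_tmplt_create")

SAMPLE = """\
unreferenced object 0xffff888107e28800 (size 2048):
  comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s)
  hex dump (first 32 bytes):
    b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff  ..|......[......
  backtrace:
    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320
    [<ffffffff81ab374e>] __kmalloc+0x4e/0x90
    [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0
    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180
    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280
    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340
    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0
    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170
unreferenced object 0xffff88816d2c0400 (size 1024):
  comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s)
  hex dump (first 32 bytes):
    40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00  @.......W.8.....
  backtrace:
    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320
    [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90
    [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0
    [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460
    [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0
    [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0
    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180
unreferenced object 0xffff888100aa0000 (size 512):
  comm "sshd", pid 42, jiffies 4294900000 (age 10.000s)
  backtrace:
    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320
    [<ffffffff81ab374e>] __kmalloc+0x4e/0x90
    [<ffffffff83700000>] some_unrelated_alloc+0x10/0x40
"""


@dataclass
class Leak:
    addr: str
    size: int
    comm: str = ""
    pid: int = 0
    frames: list[str] = field(default_factory=list)


def parse_kmemleak(text: str) -> list[Leak]:
    """Split a kmemleak report into entries; hex dump lines are ignored."""
    leaks: list[Leak] = []
    cur: Leak | None = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Leak(addr=m.group(1), size=int(m.group(2)))
            leaks.append(cur)
            continue
        if cur is None:
            continue
        m = META_RE.match(line)
        if m:
            cur.comm, cur.pid = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            cur.frames.append(m.group(1))
    return leaks


def tmplt_offload_leaks(leaks: list[Leak], markers=TMPLT_MARKERS) -> list[Leak]:
    """Entries whose backtrace passes through the chain template offload path."""
    return [l for l in leaks if any(f in markers for f in l.frames)]


def bytes_per_comm(leaks: list[Leak]) -> dict[str, int]:
    out: dict[str, int] = {}
    for l in leaks:
        out[l.comm] = out.get(l.comm, 0) + l.size
    return out


def report(text: str) -> dict:
    leaks = parse_kmemleak(text)
    flagged = tmplt_offload_leaks(leaks)
    return {
        "entries": len(leaks),
        "tmplt_offload_entries": len(flagged),
        "tmplt_offload_bytes": sum(l.size for l in flagged),
        "bytes_per_comm": bytes_per_comm(leaks),
    }


if __name__ == "__main__":
    import sys
    # Pass a path to check a live box, e.g. /sys/kernel/debug/kmemleak after
    # 'echo scan > /sys/kernel/debug/kmemleak'; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(report(text))
```

On the sample the two "tc" entries are flagged and sum to 3072 bytes, which is the cost of one leaked template in the report; multiply by the number of qdisc deletions your automation performs to estimate the burn rate on an unpatched system. Add your own driver's template-create symbol to TMPLT_MARKERS if it is not mlxsw.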
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.150Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe431e
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:55:51 PM
Last updated: 7/26/2025, 1:32:47 AM