CVE-2024-35852: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

The rehash delayed work is rescheduled with a delay if the number of credits at end of the work is not negative as supposedly it means that the migration ended. Otherwise, it is rescheduled immediately.

After "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash" the above is no longer accurate as a non-negative number of credits is no longer indicative of the migration being done. It can also happen if the work encountered an error in which case the migration will resume the next time the work is scheduled.

The significance of the above is that it is possible for the work to be pending and associated with hints that were allocated when the migration started. This leads to the hints being leaked [1] when the work is canceled while pending as part of ACL region dismantle.

Fix by freeing the hints if hints are associated with a work that was canceled while pending.

Blame the original commit since the reliance on not having a pending work associated with hints is fragile.

[1]
unreferenced object 0xffff88810e7c3000 (size 256):
  comm "kworker/0:16", pid 176, jiffies 4295460353
  hex dump (first 32 bytes):
    00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80  .0......a.......
    00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00  ..a.@...........
  backtrace (crc 2544ddb9):
    [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0
    [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390
    [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400
    [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160
    [<00000000e81fd734>] process_one_work+0x59c/0xf20
    [<00000000ceee9e81>] worker_thread+0x799/0x12c0
    [<00000000bda6fe39>] kthread+0x246/0x300
    [<0000000070056d23>] ret_from_fork+0x34/0x70
    [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30
AI Analysis
Technical Summary
CVE-2024-35852 is a vulnerability identified in the Linux kernel's mlxsw (Mellanox switch) driver, specifically within the spectrum_acl_tcam module that manages Access Control List (ACL) TCAM (Ternary Content Addressable Memory) rehash operations. The vulnerability arises from a memory leak caused by improper handling of delayed rehash work cancellation. The kernel schedules rehash work to migrate ACL regions, relying on a credit counter to determine if the migration has completed. However, after a prior fix addressing a use-after-free issue, the logic determining migration completion based on non-negative credits became unreliable. This can lead to a scenario where rehash work remains pending with associated 'hints' data structures allocated at the start of migration. If this work is canceled while still pending, the hints are not freed, resulting in a memory leak. The leak is evidenced by unreferenced kernel objects detected during runtime, as shown in the provided kernel backtrace. Although this vulnerability does not directly lead to code execution or privilege escalation, it can degrade system stability and reliability by exhausting kernel memory resources over time, especially in environments with frequent ACL rehash operations. The issue affects Linux kernel versions containing the specified commit hash and is resolved by ensuring that hints are freed when pending work is canceled. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
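The leak described in the commit message and in the summary above can be reproduced in a small user-space model. This is an added example, not the mlxsw driver source or the upstream patch: every name in it (struct region, hints_get, rehash_work, cancel_work, leaked_after_dismantle) is hypothetical, and cancel_work only imitates the "was the work pending?" return value of the kernel's cancel_delayed_work_sync().

```c
/* User-space model of the rehash-work lifecycle; hypothetical names only. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

static int live_hints;                 /* hint allocations not yet freed */
/* hints: allocated when a migration starts; work_pending: work is queued */
struct region { void *hints; bool work_pending; };

static void *hints_get(void) { live_hints++; return malloc(256); }
static void hints_put(void *h) { live_hints--; free(h); }

/* One work run; on error the hints stay attached and the work is requeued. */
static void rehash_work(struct region *r, bool error)
{
    if (!r->hints)
        r->hints = hints_get();
    if (!error) { hints_put(r->hints); r->hints = NULL; }  /* migration done */
    r->work_pending = true;            /* rescheduled in both cases */
}

/* Models cancel_delayed_work_sync(): returns true if the work was pending. */
static bool cancel_work(struct region *r)
{
    bool was_pending = r->work_pending;
    r->work_pending = false;
    return was_pending;
}

/* Region dismantle after an errored run; returns hint allocations left over. */
static int leaked_after_dismantle(bool fixed)
{
    struct region r = { NULL, false };
    live_hints = 0;
    rehash_work(&r, true);             /* error: migration left unfinished */
    if (cancel_work(&r) && r.hints && fixed) {  /* fix: free on cancel */
        hints_put(r.hints);
        r.hints = NULL;
    }
    int leaked = live_hints;
    free(r.hints);                     /* keep the demo process itself clean */
    return leaked;
}

int main(void)
{
    printf("hints leaked before fix: %d, after fix: %d\n",
           leaked_after_dismantle(false), leaked_after_dismantle(true));
    return 0;
}
```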
Potential Impact
For European organizations, the impact of CVE-2024-35852 primarily concerns network infrastructure stability and reliability. Organizations relying on Linux-based systems with Mellanox networking hardware or similar configurations that utilize the mlxsw driver for ACL management could experience gradual memory exhaustion due to the leak, potentially leading to degraded network performance or kernel crashes. This is particularly relevant for data centers, cloud providers, telecommunications companies, and enterprises with high network traffic and complex ACL policies. While the vulnerability does not directly compromise confidentiality or integrity, the availability of critical network services could be affected, causing operational disruptions. In sectors such as finance, healthcare, and critical infrastructure within Europe, even transient network outages can have significant regulatory and business consequences. The absence of known active exploitation reduces immediate risk, but the vulnerability warrants timely patching to prevent potential future abuse or inadvertent system failures.
Mitigation Recommendations
To mitigate CVE-2024-35852, European organizations should:
1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available, ensuring the mlxsw driver includes the fix for proper freeing of hints during canceled rehash work.
2) Monitor kernel logs and system metrics for signs of memory leaks or unusual resource consumption related to ACL rehash operations, enabling early detection of potential exploitation or system degradation.
3) Implement strict change management and testing procedures for kernel updates in production environments to minimize downtime.
4) For environments where immediate patching is not feasible, consider temporarily reducing the frequency of ACL rehash operations or adjusting ACL configurations to limit triggering the vulnerable code path.
5) Engage with hardware vendors and Linux distribution maintainers to confirm the presence of the fix in vendor-supplied kernel versions and coordinate timely updates.
6) Maintain comprehensive backups and recovery plans to address potential system instability caused by kernel memory leaks.
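For the monitoring step, one concrete signal is a kmemleak record whose backtrace carries the symbols from the trace quoted in the description. The scanner below is an added example, not part of the advisory; it assumes a kernel built with CONFIG_DEBUG_KMEMLEAK and a saved copy of /sys/kernel/debug/kmemleak passed as the first argument, and its embedded sample report is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: record 1 abbreviates the trace quoted in the advisory,
 * record 2 is an invented, unrelated leak. */
static const char SAMPLE_REPORT[] =
    "unreferenced object 0xffff88810e7c3000 (size 256):\n"
    "  backtrace (crc 2544ddb9):\n"
    "    [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n"
    "    [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n"
    "unreferenced object 0xffff000000000000 (size 64):\n"
    "  backtrace (crc 0):\n"
    "    [<0000000000000000>] example_driver_probe+0x10/0x20\n";

/* Symbols taken from the backtrace in the advisory. */
static const char *const HINT_SYMS[] = {
    "objagg_hints_get", "mlxsw_sp_acl_tcam_vregion_rehash_work" };

/* Count kmemleak records whose text contains every symbol in syms[]. */
static int count_matching_leaks(const char *report, const char *const *syms, int nsyms)
{
    static const char hdr[] = "unreferenced object";
    int hits = 0;
    for (const char *rec = strstr(report, hdr), *next; rec; rec = next) {
        next = strstr(rec + sizeof(hdr) - 1, hdr);   /* start of next record */
        size_t len = next ? (size_t)(next - rec) : strlen(rec);
        int all = 1;
        for (int i = 0; i < nsyms && all; i++) {
            const char *p = strstr(rec, syms[i]);
            all = p && (size_t)(p - rec) < len;      /* must be in this record */
        }
        hits += all;
    }
    return hits;
}

int main(int argc, char **argv)
{
    static char buf[1 << 20];
    const char *report = SAMPLE_REPORT;
    if (argc > 1) {                    /* optional: saved kmemleak report */
        FILE *f = fopen(argv[1], "r");
        if (!f) { perror(argv[1]); return 2; }
        buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
        fclose(f);
        report = buf;
    }
    printf("%d matching leak record(s)\n", count_matching_leaks(report, HINT_SYMS, 2));
    return 0;
}
```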
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.106Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3676
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:40:59 PM
Last updated: 7/31/2025, 7:42:04 PM