CVE-2024-35853: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

The rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in the region and in each chunk iterating over all the filters.

If the migration fails, the code tries to migrate the filters back to the old region. However, the rollback itself can also fail in which case another migration will be erroneously performed. Besides the fact that this ping pong is not a very good idea, it also creates a problem.

Each virtual chunk references two chunks: The currently used one ('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the first holds the chunk we want to migrate filters to and the second holds the chunk we are migrating filters from. The code currently assumes - but does not verify - that the backup chunk does not exist (NULL) if the currently used chunk does not reference the target region. This assumption breaks when we are trying to rollback a rollback, resulting in the backup chunk being overwritten and leaked [1].

Fix by not rolling back a failed rollback and add a warning to avoid future cases.

[1]
WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20
Modules linked in:
CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
RIP: 0010:parman_destroy+0x17/0x20
[...]
Call Trace:
<TASK>
mlxsw_sp_acl_atcam_region_fini+0x19/0x60
mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0
mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470
process_one_work+0x151/0x370
worker_thread+0x2cb/0x3e0
kthread+0xd0/0x100
ret_from_fork+0x34/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>
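The rollback-of-a-rollback path the commit message describes, as an added toy model in C (constructed for this page, not the mlxsw driver's code): one vchunk with its 'chunk' and 'chunk2' pointers, a forward migration whose filter copy fails, a rollback that also fails, and then either the buggy second forward migration or the fixed early return. The chunk/region structs, the 'fail' flag and the warn_count counter are assumptions of the model; warn_count stands in for the WARN_ON the fix adds.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed toy model of the rehash rollback the commit message describes;
 * not the mlxsw driver's code. One vchunk, two regions, no real filters. */
struct region { int id; };
struct chunk { struct region *region; };
struct vchunk { struct chunk *chunk, *chunk2; };
static int live_chunks;  /* chunks allocated and not yet freed */
static int warn_count;   /* times the fix's WARN_ON(vchunk->chunk2) would fire */
static struct chunk *chunk_create(struct region *r)
{
    struct chunk *c = malloc(sizeof(*c));
    c->region = r; live_chunks++;
    return c;
}

/* Move one vchunk to 'region'; 'fail' simulates the filter copy failing. */
static int vchunk_migrate_one(struct vchunk *v, struct region *region,
                              bool this_is_rollback, bool fail)
{
    if (v->chunk->region != region) {
        if (v->chunk2) warn_count++;   /* backup present: about to be lost */
        v->chunk2 = v->chunk;          /* assumed NULL before; overwritten */
        v->chunk = chunk_create(region);
    } else if (!v->chunk2) return 0;   /* already where it should be */
    if (fail) {
        if (!this_is_rollback) {       /* let the rollback see the old chunk */
            struct chunk *t = v->chunk;
            v->chunk = v->chunk2; v->chunk2 = t;
        }
        return -1;
    }
    free(v->chunk2); live_chunks--; v->chunk2 = NULL;   /* done: drop backup */
    return 0;
}

/* Forward migration fails, then its rollback fails. Returns how many
 * allocated chunks the vchunk no longer references, i.e. the leak. */
static int rehash_leaks(bool fixed)
{
    struct region reg[2] = { {0}, {1} };   /* reg[0] = source, reg[1] = target */
    int cur = 1;                           /* vregion->region; reg[cur ^ 1] is region2 */
    live_chunks = warn_count = 0;
    struct vchunk v = { chunk_create(&reg[0]), NULL };
    if (vchunk_migrate_one(&v, &reg[cur], false, true)) {
        cur ^= 1;                                /* roll back to the source */
        if (vchunk_migrate_one(&v, &reg[cur], true, true) && !fixed) {
            cur ^= 1;            /* bug: roll back the failed rollback */
            vchunk_migrate_one(&v, &reg[cur], true, true);
        }
    }
    return live_chunks - (v.chunk != NULL) - (v.chunk2 != NULL);
}
```

With the bug the third migration finds chunk2 still holding the target-region chunk, overwrites it and leaks it (one chunk lost, one warning); with the fix the failed rollback is simply left for a later retry and nothing is lost.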
AI Analysis
Technical Summary
CVE-2024-35853 is a vulnerability identified in the Linux kernel, specifically within the mlxsw driver component responsible for managing Spectrum switch ACL (Access Control List) TCAM (Ternary Content-Addressable Memory) regions. The issue arises during the rehashing process, which is a delayed work task that migrates filters (rules) from one region to another to maintain ACL functionality. The vulnerability is caused by improper handling of rollback operations when a migration fails. The code attempts to revert filters back to the original region if migration fails, but if this rollback itself fails, the code erroneously attempts another migration, creating a 'ping pong' effect. This leads to a memory leak because the virtual chunk structure references two chunks: the currently used chunk and a backup chunk. The code assumes the backup chunk is NULL if the current chunk does not reference the target region, but this assumption breaks during a rollback of a rollback, causing the backup chunk to be overwritten and leaked. This flaw can cause resource exhaustion and potential instability in the kernel module managing ACLs. The vulnerability has been fixed by preventing rollback of a failed rollback and adding warnings to avoid future similar cases. The issue was observed on Linux kernel version 6.9.0-rc2 with Mellanox Technologies hardware, but it may affect other versions using the mlxsw driver. The CVSS score is 6.4 (medium severity), reflecting network attack vector, high attack complexity, low privileges required, no user interaction, and impacts on confidentiality, integrity, and availability (primarily availability). No known exploits are reported in the wild yet.
Potential Impact
For European organizations, this vulnerability could impact any infrastructure relying on Linux systems with Mellanox Spectrum switches or similar hardware using the mlxsw driver for ACL management. The memory leak and instability caused by this vulnerability could lead to degraded network performance, denial of service, or system crashes affecting critical network functions. This is particularly relevant for data centers, cloud providers, telecom operators, and enterprises with high network traffic and complex ACL configurations. The disruption could affect availability of network services and potentially lead to increased operational costs due to troubleshooting and downtime. Although the vulnerability does not directly allow privilege escalation or remote code execution, the denial of service impact on network infrastructure could have cascading effects on business continuity and service delivery in sectors such as finance, healthcare, and government services across Europe.
Mitigation Recommendations
Organizations should promptly apply the Linux kernel patches that address this vulnerability once available from their Linux distribution vendors. Specifically, updating to a kernel version that includes the fix preventing rollback of a failed rollback in the mlxsw driver is critical. Network administrators should audit their use of Spectrum ACL TCAM features and monitor kernel logs for related warnings or errors indicating potential exploitation or instability; the signature reproduced in the description is a WARNING raised in lib/parman.c (parman_destroy) from the mlxsw_sp_acl_tcam_vregion_rehash_work workqueue, which indicates a leaked chunk was torn down. Implementing kernel live patching where supported can reduce downtime during patch deployment. Additionally, organizations should consider isolating critical network functions on hardware or virtual machines not affected by this vulnerability until patches are applied. Regularly reviewing and testing ACL configurations to minimize complex rehash operations can reduce exposure. Finally, maintaining robust monitoring and alerting on network device health and performance will help detect early signs of issues related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.106Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe367a
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:41:23 PM
Last updated: 8/14/2025, 2:14:47 AM