
CVE-2024-35854: Vulnerability in the Linux kernel

Severity: High
Published: Fri May 17 2024 (05/17/2024, 14:47:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash

The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated-from region is destroyed at the end of the work if the number of credits is non-negative, as the assumption is that this is indicative of migration being complete. This assumption is incorrect, as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1].

Fix by not destroying the region if migration failed.

[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858

CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xc6/0x120
 print_report+0xce/0x670
 kasan_report+0xd7/0x110
 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70
 mlxsw_sp_acl_atcam_entry_del+0x81/0x210
 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 174:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 __kmalloc+0x19c/0x360
 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30

Freed by task 7:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 poison_slab_object+0x102/0x170
 __kasan_slab_free+0x14/0x30
 kfree+0xc1/0x290
 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30

AI-Powered Analysis

Last updated: 07/03/2025, 01:39:36 UTC

Technical Analysis

CVE-2024-35854 is a high-severity use-after-free vulnerability in the Linux kernel's mlxsw (Mellanox switch) driver, specifically within the spectrum_acl_tcam component responsible for managing Access Control List (ACL) filters in TCAM (Ternary Content-Addressable Memory). The vulnerability arises during the rehashing process, which migrates ACL filters from one TCAM region to another based on available credits. The flawed logic assumes that a non-negative credit count indicates successful migration, leading to the destruction of the source region. However, this assumption is incorrect because a non-negative credit count can also result from a failed migration. Consequently, the source region may be destroyed while still being referenced by filters, causing a use-after-free condition. This can lead to kernel memory corruption, crashes, or potentially arbitrary code execution within kernel space. The issue was detected through Kernel Address Sanitizer (KASAN) reports, showing slab-use-after-free errors during region entry removal. The vulnerability affects Linux kernel versions including the 6.9.0-rc2 release candidate and likely other versions using the affected mlxsw driver. Exploitation requires local privileges (PR:L) but no user interaction (UI:N) and can be performed remotely over the network (AV:N) due to the nature of the mlxsw driver handling network traffic. The CVSS v3.1 score is 8.8, indicating high severity with impacts on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The fix involves correcting the logic to avoid destroying TCAM regions if migration fails, preventing use-after-free conditions.
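The cleanup decision at the heart of this bug, and the fix the advisory describes, as an added model in C. This is not the kernel's mlxsw code: the structs, the per-entry credit accounting, the injected failure point and all function names are assumptions chosen only to reproduce the logic described above, and "destroy" is modelled as a flag rather than a real kfree() so the outcome can be inspected.

```c
/*
 * Added model of the rehash cleanup decision in CVE-2024-35854 (not the
 * kernel's mlxsw code; names, credit accounting and failure injection are
 * assumptions). A region owns filter entries; the rehash work migrates them
 * to a new region, spending one credit per entry, and stops early either
 * because credits went negative (work resumes later) or a step failed.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILTERS 8

struct region {
    bool destroyed;          /* stands in for kfree(); kept inspectable instead of freed */
    int nfilters;
};

struct filter {
    struct region *region;   /* region whose hardware entry this filter references */
};

struct rehash_ctx {
    struct region *src;      /* migrated-from region */
    struct region *dst;      /* migrated-to region */
    struct filter filters[MAX_FILTERS];
    int nfilters;
    int credits;
    bool migrate_failed;     /* the condition the fix checks before destroying src */
};

struct rehash_result {
    int dangling;            /* filters still referencing a destroyed region */
    bool src_destroyed;
};

/* Move one filter; index fail_at fails, modelling a hardware/driver error. */
static int migrate_one(struct rehash_ctx *ctx, int idx, int fail_at)
{
    if (idx == fail_at)
        return -1;
    ctx->filters[idx].region = ctx->dst;
    ctx->src->nfilters--;
    ctx->dst->nfilters++;
    return 0;
}

/*
 * Migrate until credits go negative (incomplete, resumed later) or a step
 * fails. A non-negative count at the end normally means every entry was
 * visited; after a failure it is ALSO non-negative, which is the trap.
 */
static void migrate_all(struct rehash_ctx *ctx, int fail_at)
{
    for (int i = 0; i < ctx->nfilters; i++) {
        if (ctx->credits < 0)
            return;                      /* out of credits: leave the rest for later */
        if (ctx->filters[i].region != ctx->src)
            continue;                    /* already migrated */
        if (migrate_one(ctx, i, fail_at) != 0) {
            ctx->migrate_failed = true;  /* credits are still non-negative here */
            return;
        }
        ctx->credits--;
    }
}

/* Buggy cleanup as described: non-negative credits taken as "migration complete". */
static void rehash_finish_buggy(struct rehash_ctx *ctx)
{
    if (ctx->credits >= 0)
        ctx->src->destroyed = true;
}

/* Fixed cleanup: a failed migration leaves filters in src, so src must stay alive. */
static void rehash_finish_fixed(struct rehash_ctx *ctx)
{
    if (ctx->credits >= 0 && !ctx->migrate_failed)
        ctx->src->destroyed = true;
}

/*
 * One rehash pass over nfilters entries with the given credit budget and
 * failure point (-1 for none). Each filter left pointing at a destroyed
 * region is a use-after-free on its next removal, which is what KASAN caught.
 */
struct rehash_result run_rehash(bool fixed, int nfilters, int credits, int fail_at)
{
    struct region src = {0}, dst = {0};
    struct rehash_ctx ctx;
    struct rehash_result res = {0};

    if (nfilters > MAX_FILTERS)
        nfilters = MAX_FILTERS;
    memset(&ctx, 0, sizeof(ctx));
    ctx.src = &src;
    ctx.dst = &dst;
    ctx.nfilters = nfilters;
    ctx.credits = credits;
    for (int i = 0; i < nfilters; i++)
        ctx.filters[i].region = &src;
    src.nfilters = nfilters;

    migrate_all(&ctx, fail_at);
    if (fixed)
        rehash_finish_fixed(&ctx);
    else
        rehash_finish_buggy(&ctx);

    for (int i = 0; i < nfilters; i++)
        if (ctx.filters[i].region->destroyed)
            res.dangling++;
    res.src_destroyed = src.destroyed;
    return res;
}

int main(void)
{
    struct rehash_result r;

    r = run_rehash(false, 4, 10, 2);
    printf("buggy, failure at entry 2: src destroyed=%d dangling=%d\n", r.src_destroyed, r.dangling);
    r = run_rehash(true, 4, 10, 2);
    printf("fixed, failure at entry 2: src destroyed=%d dangling=%d\n", r.src_destroyed, r.dangling);
    r = run_rehash(true, 4, 10, -1);
    printf("fixed, no failure:         src destroyed=%d dangling=%d\n", r.src_destroyed, r.dangling);
    r = run_rehash(true, 4, 2, -1);
    printf("fixed, credits exhausted:  src destroyed=%d dangling=%d\n", r.src_destroyed, r.dangling);
    return 0;
}
```

The four runs in main cover the cases that matter: with the buggy cleanup, a failure at the third entry leaves two filters referencing a destroyed region; the fixed cleanup keeps the region alive in that case, still destroys it on a clean run, and leaves it alone when credits run out before the work is finished.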

Potential Impact

For European organizations, this vulnerability poses significant risks, especially for enterprises and data centers relying on Linux-based network infrastructure utilizing Mellanox hardware or compatible switches. The mlxsw driver is commonly used in high-performance networking environments, including cloud providers, telecom operators, and large-scale data centers prevalent across Europe. Successful exploitation could allow attackers with local access or network-level access to cause kernel crashes, leading to denial of service, or potentially escalate privileges to execute arbitrary code in kernel space, compromising system confidentiality and integrity. This could disrupt critical services, impact data privacy, and undermine trust in network security. Given the widespread use of Linux in European IT environments and the strategic importance of telecommunications and cloud infrastructure, the vulnerability could have cascading effects on service availability and data protection compliance under regulations like GDPR.

Mitigation Recommendations

European organizations should prioritize applying the official Linux kernel patches that address CVE-2024-35854 as soon as they become available. Until patches are deployed, organizations should:

1) Restrict access to systems running vulnerable Linux kernels with mlxsw drivers to trusted personnel only, minimizing local privilege escalation risks.
2) Monitor kernel logs and system behavior for signs of use-after-free errors or crashes related to mlxsw components.
3) Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues proactively.
4) For network devices using Mellanox hardware, coordinate with vendors for firmware and driver updates.
5) Implement network segmentation to limit exposure of vulnerable systems to untrusted networks.
6) Conduct thorough vulnerability scanning and asset inventory to identify affected systems accurately.
7) Develop incident response plans specific to kernel-level compromises to ensure rapid containment and recovery.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.106Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe367e

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 7/3/2025, 1:39:36 AM

Last updated: 7/27/2025, 1:48:18 AM
