
CVE-2024-35892: Vulnerability in Linux

High
Published: Sun May 19 2024 (05/19/2024, 08:34:47 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()

qdisc_tree_reduce_backlog() is called with the qdisc lock held, not RTNL.

We must use qdisc_lookup_rcu() instead of qdisc_lookup()

syzbot reported:

WARNING: suspicious RCU usage
6.1.74-syzkaller #0 Not tainted
-----------------------------
net/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
3 locks held by udevd/1142:
 #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]
 #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
 #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282
 #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
 #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297
 #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]
 #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
 #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792

stack backtrace:
CPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 <TASK>
 [<ffffffff85b85f14>] __dump_stack lib/dump_stack.c:88 [inline]
 [<ffffffff85b85f14>] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106
 [<ffffffff85b86007>] dump_stack+0x15/0x1e lib/dump_stack.c:113
 [<ffffffff81802299>] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592
 [<ffffffff84f0054c>] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305
 [<ffffffff84f037c3>] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811
 [<ffffffff84f5b78c>] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51
 [<ffffffff84fbcf63>] qdisc_enqueue include/net/sch_generic.h:833 [inline]
 [<ffffffff84fbcf63>] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723
 [<ffffffff84eecab9>] dequeue_skb net/sched/sch_generic.c:292 [inline]
 [<ffffffff84eecab9>] qdisc_restart net/sched/sch_generic.c:397 [inline]
 [<ffffffff84eecab9>] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415
 [<ffffffff84d7aa96>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125
 [<ffffffff84d85d29>] net_tx_action+0x7c9/0x970 net/core/dev.c:5313
 [<ffffffff85e002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616
 [<ffffffff81568bca>] invoke_softirq kernel/softirq.c:447 [inline]
 [<ffffffff81568bca>] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700
 [<ffffffff81568ae9>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712
 [<ffffffff85b89f52>] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107
 [<ffffffff85c00ccb>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656

AI-Powered Analysis

Last updated: 06/28/2025, 03:25:55 UTC

Technical Analysis

CVE-2024-35892 is a vulnerability identified in the Linux kernel's network scheduling subsystem, specifically within the function qdisc_tree_reduce_backlog() located in net/sched/sch_api.c. The issue arises from improper locking and reference handling: qdisc_tree_reduce_backlog() is called while holding the qdisc lock rather than the RTNL (routing netlink) lock, and the function uses qdisc_lookup() instead of the safer qdisc_lookup_rcu(). This leads to suspicious and potentially unsafe usage of Read-Copy-Update (RCU) primitives, as detected by syzbot, a kernel fuzzing tool. The vulnerability manifests as a lock dependency (lockdep) splat, indicating a potential deadlock or race condition due to incorrect synchronization. The kernel stack trace shows multiple RCU read locks held simultaneously with spinlocks on the qdisc structure, which could cause kernel instability or crashes. The vulnerability is rooted in concurrency control flaws within the packet scheduler's queue discipline (qdisc) management, which is critical for network traffic shaping and queuing. Although no known exploits are currently reported in the wild, the flaw could be leveraged to cause denial of service (DoS) by triggering kernel panics or deadlocks, impacting system availability. The affected Linux kernel versions include several commits identified by their hashes, indicating that this is a recent regression or bug introduced in recent kernel development cycles. The fix involves replacing qdisc_lookup() with qdisc_lookup_rcu() to ensure proper RCU-safe dereferencing and correcting the locking strategy to avoid holding the wrong locks during qdisc operations.

Potential Impact

For European organizations, the impact of CVE-2024-35892 primarily concerns systems running vulnerable Linux kernel versions, especially those deployed in network infrastructure, cloud environments, and edge devices. Since Linux is widely used in servers, network appliances, and embedded systems across Europe, exploitation could lead to denial of service conditions, causing network disruptions or service outages. This is particularly critical for sectors reliant on high availability and real-time network performance, such as telecommunications, finance, healthcare, and critical infrastructure. The vulnerability could be exploited locally or potentially remotely if an attacker can induce specific network traffic patterns or conditions that trigger the flawed qdisc handling. While no remote code execution or privilege escalation is indicated, the ability to cause kernel crashes or deadlocks can disrupt services and require system reboots, impacting operational continuity. Additionally, organizations using Linux-based cloud platforms or container orchestration systems may face cascading effects if underlying hosts become unstable. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target kernel vulnerabilities once patches are released.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2024-35892. Since the vulnerability involves kernel-level locking and RCU usage, patching is the most effective mitigation. System administrators should:

1) Identify all Linux systems running affected kernel versions by checking kernel hashes or version numbers against vendor advisories.
2) Apply vendor-provided kernel updates or backported patches promptly, especially on network-facing and critical infrastructure systems.
3) For environments where immediate patching is challenging, consider isolating vulnerable systems from untrusted networks or restricting network traffic patterns that could trigger the vulnerability.
4) Monitor system logs for kernel warnings related to RCU or lockdep splats, which may indicate attempts to exploit or trigger the flaw.
5) Engage with Linux distribution security teams for guidance on backporting fixes if using long-term support kernels.
6) Implement robust incident response plans to quickly recover from potential kernel crashes or service disruptions.
7) Review and harden network traffic shaping configurations to minimize exposure to malformed or malicious traffic that could exploit the qdisc subsystem.
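For the log monitoring in recommendation 4, the following Python sketch is an added example, not code from this page or from the kernel project: it groups kernel log lines into "suspicious RCU usage" reports and flags the ones whose call chain is the qdisc_lookup() from qdisc_tree_reduce_backlog() path shown in the description. The first sample report is excerpted from that trace, the second is constructed with placeholder names, and matching on the call chain rather than the source line number is an assumption made here so the check does not depend on one kernel build.

```python
import re

SPLAT_START = re.compile(r"WARNING: suspicious RCU usage")
SITE = re.compile(r"(\S+\.c):\d+ suspicious (\w+)\(\) usage!")
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_splats(lines):
    """Group kernel log lines into lockdep RCU reports (file, check, call chain)."""
    splats, cur, in_trace = [], None, False
    for line in lines:
        if SPLAT_START.search(line):
            cur, in_trace = {"file": None, "check": None, "frames": []}, False
            splats.append(cur)
        elif cur is None:
            continue
        elif cur["file"] is None and (m := SITE.search(line)):
            cur["file"], cur["check"] = m.group(1), m.group(2)
        elif "Call Trace:" in line:
            in_trace = True  # symbols before this are "locks held" entries, not frames
        elif in_trace and (m := FRAME.search(line)):
            cur["frames"].append(m.group(1))  # [inline] frames carry no offset and are skipped
    return splats

def matches_cve_2024_35892(splat):
    """qdisc_lookup() flagged by lockdep while called from qdisc_tree_reduce_backlog()."""
    f = splat["frames"]
    return (splat["file"] == "net/sched/sch_api.c"
            and splat["check"] == "rcu_dereference_protected"
            and ("qdisc_lookup", "qdisc_tree_reduce_backlog") in zip(f, f[1:]))

# First report: lines excerpted from the trace in this page's description.
# Second report: constructed, with placeholder names, to show a non-match.
SAMPLE_LOG = """\
WARNING: suspicious RCU usage
net/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!
3 locks held by udevd/1142:
 #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297
Call Trace:
 [<ffffffff81802299>] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592
 [<ffffffff84f0054c>] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305
 [<ffffffff84f037c3>] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811
WARNING: suspicious RCU usage
drivers/example/demo.c:42 suspicious rcu_dereference_check() usage!
Call Trace:
 demo_lookup+0x10/0x40 drivers/example/demo.c:42
"""

if __name__ == "__main__":
    for s in parse_splats(SAMPLE_LOG.splitlines()):
        print(s["file"], s["check"], "MATCH" if matches_cve_2024_35892(s) else "other")
```

This report is only emitted by kernels built with lockdep RCU checking (CONFIG_PROVE_RCU), so its absence from the logs of a kernel without that option says nothing about whether the fix is present.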


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.113Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddc97

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 3:25:55 AM

Last updated: 8/5/2025, 6:37:31 PM
