CVE-2024-35960: Vulnerability in the Linux kernel (net/mlx5 flow steering)
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Properly link new fs rules into the tree. Previously, add_rule_fg would only add newly created rules from the handle into the tree when they had a refcount of 1. On the other hand, create_flow_handle tries hard to find and reference already existing identical rules instead of creating new ones. These two behaviors can result in a situation where create_flow_handle 1) creates a new rule and references it, then 2) in a subsequent step during the same handle creation references it again, resulting in a rule with a refcount of 2 that is not linked into the tree, will have a NULL parent and root and will result in a crash when the flow group is deleted because del_sw_hw_rule, invoked on rule deletion, assumes node->parent is != NULL. This happened in the wild, due to another bug related to incorrect handling of duplicate pkt_reformat ids, which led to the code in create_flow_handle incorrectly referencing a just-added rule in the same flow handle, resulting in the problem described above. Full details are at [1]. This patch changes add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes it more consistent with how rules are added to an FTE in create_flow_handle.
AI Analysis
Technical Summary
CVE-2024-35960 is a flaw in the flow-steering (fs) core of the Linux kernel's mlx5 driver (drivers/net/ethernet/mellanox/mlx5/core), the driver that programs hardware flow rules on Mellanox (now NVIDIA) ConnectX adapters. The driver keeps its software view of flow tables, flow groups, flow table entries (FTEs) and rules as a tree of reference-counted nodes; a rule must be linked under its FTE so that its node has a parent and a root. Two routines disagreed on who performs that linking. create_flow_handle builds one handle from a list of destinations and, to avoid duplicates, first searches the FTE for an identical rule: if it finds one it only takes a reference, otherwise it allocates a new rule with a refcount of 1 and no parent and puts it on the FTE's children list. add_rule_fg then linked a rule into the tree only if its refcount was exactly 1. When the same destination appears twice in one handle, the second iteration of create_flow_handle finds the rule the first iteration just allocated and raises its refcount to 2, so add_rule_fg skips it: the rule is referenced but never linked, and its parent and root pointers stay NULL. When the flow group is later deleted, del_sw_hw_rule runs for that rule and dereferences node->parent, producing a kernel NULL pointer dereference and a crash, i.e. a denial of service. The duplicate destination that triggered this in the wild came from a separate bug in the handling of duplicate pkt_reformat ids, that is, from the driver's own rule-building input, not from packets on the wire. The fix changes add_rule_fg to link any rule that has no parent yet, regardless of its refcount, which is consistent with how create_flow_handle already adds new rules to an FTE. The record carries a CVSS v3.1 score of 9.1 (Critical); note that the technical description supports an availability impact (a kernel oops) only and describes neither an integrity primitive nor a remote, unauthenticated trigger. The vulnerable code is present in every kernel that carries the mlx5 flow-steering core without this fix; the fix is in mainline and in the stable series it was backported to, so check your distribution's advisory for the exact fixed package version.
No exploit is publicly known. Contrary to the attack vector implied by the score, the only known trigger is an internal driver bug (the duplicate pkt_reformat ids) reached during normal rule insertion. Creating and deleting mlx5 flow-steering rules requires kernel-level control of the device, for example through tc flower or switchdev hardware offload, which needs CAP_NET_ADMIN over the relevant netdev. The realistic exposure is therefore an unplanned host crash on affected NICs and, on multi-tenant hosts where lower-privileged tenants can drive offloaded rule insertion and deletion, a local denial of service.
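The disagreement between create_flow_handle and add_rule_fg is easier to see in a small model than in prose. The C program below is an added illustration written for this page, not code from the kernel or from the mlx5 driver: struct fs_node, fs_fte, mlx5_flow_handle, tree_add_node, find_flow_rule, create_flow_handle, add_rule_fg and del_sw_hw_rule are simplified stand-ins that keep only the fields the bug touches (parent pointer, refcount, children list), and run_scenario, the destination ids, and the "would oops" check used in place of a real dereference are this example's own constructions. It feeds one handle with the same destination twice, as the duplicate pkt_reformat bug did, and applies either the pre-patch condition (refcount == 1) or the patched one (parent == NULL).

```c
/*
 * Toy model of the mlx5 flow-steering bug fixed by CVE-2024-35960.
 * Not kernel code: the structures and helpers below are simplified
 * stand-ins for fs_core.c and keep only what the bug depends on.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RULES 8

struct fs_node {
    struct fs_node *parent;   /* set only by tree_add_node(); NULL = not linked */
    int refcount;
};

struct mlx5_flow_rule {
    struct fs_node node;
    int dest_id;              /* stand-in for the destination (e.g. a pkt_reformat id) */
};

struct fs_fte {
    struct fs_node node;
    struct mlx5_flow_rule *children[MAX_RULES]; /* mirrors fte->node.children */
    int nchildren;
};

struct mlx5_flow_handle {
    struct mlx5_flow_rule *rule[MAX_RULES];
    int num_rules;
};

/* tree_add_node(): link a node under its parent and take a reference on it. */
static void tree_add_node(struct fs_node *node, struct fs_node *parent)
{
    node->parent = parent;
    parent->refcount++;
}

/* find_flow_rule(): look for an identical rule already hanging off the FTE. */
static struct mlx5_flow_rule *find_flow_rule(struct fs_fte *fte, int dest_id)
{
    for (int i = 0; i < fte->nchildren; i++)
        if (fte->children[i]->dest_id == dest_id)
            return fte->children[i];
    return NULL;
}

/*
 * create_flow_handle(): for every destination, reuse an identical rule
 * (taking a reference) or allocate a fresh one with refcount 1 and no parent.
 * As in the driver, a fresh rule goes onto the FTE's children list at once,
 * so a later destination in the SAME handle can find and re-reference it.
 */
static void create_flow_handle(struct fs_fte *fte, const int *dests, int ndests,
                               struct mlx5_flow_handle *h)
{
    h->num_rules = 0;
    for (int i = 0; i < ndests; i++) {
        struct mlx5_flow_rule *rule = find_flow_rule(fte, dests[i]);
        if (rule) {
            rule->node.refcount++;          /* refcount_inc(&rule->node.refcount) */
        } else {
            if (fte->nchildren >= MAX_RULES || h->num_rules >= MAX_RULES)
                abort();
            rule = calloc(1, sizeof(*rule));
            if (!rule)
                abort();
            rule->dest_id = dests[i];
            rule->node.refcount = 1;        /* tree_init_node(): parent stays NULL */
            fte->children[fte->nchildren++] = rule;
        }
        h->rule[h->num_rules++] = rule;
    }
}

/* add_rule_fg(): the loop that decides which rules get linked into the tree. */
static void add_rule_fg(struct fs_fte *fte, struct mlx5_flow_handle *h, bool fixed)
{
    for (int i = 0; i < h->num_rules; i++) {
        struct fs_node *n = &h->rule[i]->node;
        bool link = fixed ? (n->parent == NULL)   /* patched condition */
                          : (n->refcount == 1);   /* pre-patch condition */
        if (link)
            tree_add_node(n, &fte->node);
    }
}

/*
 * del_sw_hw_rule() dereferences rule->node.parent (container_of() to the FTE).
 * Instead of letting the model segfault, report whether the kernel would oops.
 */
static bool del_sw_hw_rule_would_oops(const struct mlx5_flow_rule *rule)
{
    return rule->node.parent == NULL;
}

/* Tear down the FTE as flow-group deletion would; count rules that would oops. */
static int teardown_fte(struct fs_fte *fte)
{
    int oops = 0;
    for (int i = 0; i < fte->nchildren; i++) {
        oops += del_sw_hw_rule_would_oops(fte->children[i]);
        free(fte->children[i]);
    }
    fte->nchildren = 0;
    return oops;
}

/*
 * Build one handle from the given destination list (constructed input),
 * run add_rule_fg in pre-patch or patched mode, and return how many rules
 * would crash the kernel when the flow group is deleted.
 */
int run_scenario(const int *dests, int ndests, bool fixed)
{
    struct fs_fte fte = { .node = { .parent = NULL, .refcount = 1 } };
    struct mlx5_flow_handle h;

    create_flow_handle(&fte, dests, ndests, &h);
    add_rule_fg(&fte, &h, fixed);
    return teardown_fte(&fte);
}

int main(void)
{
    const int dup[] = { 42, 42 };   /* same destination twice, as in the wild */
    printf("pre-patch: %d rule(s) would oops on flow-group delete\n",
           run_scenario(dup, 2, false));
    printf("patched:   %d rule(s) would oops on flow-group delete\n",
           run_scenario(dup, 2, true));
    return 0;
}
```

Compile with cc -std=c99 -Wall and run. The pre-patch run reports one rule with a NULL parent at teardown; the patched run reports none, and also shows why the parent check, not a refcount check, is the right test: the second reference to the same rule is skipped because the rule already has a parent, so nothing is linked twice.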
Potential Impact
For European organizations running Linux on Mellanox/NVIDIA ConnectX hardware (mlx5), which is common in data centers, cloud platforms, telecom networks and HPC clusters, the exposure is an unplanned kernel crash of the host and with it every service, VM or container it carries; on an SR-IOV or OVS-offload host that is a multi-tenant outage rather than a single service failure. The description supports loss of availability only: a NULL pointer dereference in teardown code is not a memory-corruption or privilege-escalation primitive, so the "integrity" component of the score is not borne out by the technical details. The crash requires flow-steering rules to be created with a duplicate destination and then deleted, which so far has only happened through the driver's own pkt_reformat bug; the network, no-privileges characterization in the CVSS vector is likewise not supported by the description, and a remote unauthenticated attacker cannot be assumed to reach this code path. The issue should still be treated as a stability and resilience risk: operators that churn offloaded rules frequently (OVS hardware offload, tc flower) on unpatched hosts are the most likely to hit it, and the failure mode is a full host reboot rather than a degraded service.
Mitigation Recommendations
Apply the kernel update from your distribution that contains the fix for CVE-2024-35960 (the upstream commit titled "net/mlx5: Properly link new fs rules into the tree"). Because the bug is in the in-tree driver, the fix ships with the kernel package; hosts that run NVIDIA's out-of-tree MLNX_OFED driver instead get it from that package and should be checked against NVIDIA's advisory separately. Establish exposure first: a host is affected only if it loads mlx5_core, so lsmod | grep mlx5_core and ethtool -i <iface> (look for driver: mlx5_core) identify affected interfaces, and uname -r compared with the distribution advisory tells you whether the running kernel already carries the fix. Where patching must wait, the options are limited: unloading mlx5_core removes the network device and is only viable on hosts with another NIC, and firewalling does nothing here because the trigger is local rule management, not inbound traffic. Reduce rule churn instead by avoiding reconfiguration of offloaded flow rules (tc flower, OVS hardware offload) on unpatched hosts, and do not let untrusted tenants drive rule insertion on them. For detection, watch kernel logs for an oops whose call trace contains del_sw_hw_rule or other mlx5 fs_core symbols ("BUG: kernel NULL pointer dereference" followed by an mlx5 trace), and configure kdump and a serial or IPMI console so that a crash on a headless host is captured rather than merely observed as an unexplained reboot. Keep this class of failure in the incident-response playbook as a kernel-level availability event, and track distribution and NVIDIA advisories for the backported fix.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.137Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe22a9
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 7/3/2025, 12:27:07 AM
Last updated: 8/14/2025, 7:56:44 AM