
CVE-2024-39502: Vulnerability in the Linux kernel (vendor: Linux)

Severity: High
Published: Fri Jul 12 2024 (07/12/2024, 12:20:35 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ionic: fix use after netif_napi_del()

When queues are started, netif_napi_add() and napi_enable() are called. If there are 4 queues and only 3 queues are used for the current configuration, only 3 queues' napi should be registered and enabled. ionic_qcq_enable() checks whether the .poll pointer is not NULL in order to enable only the in-use queues' napi. Unused queues' napi will not be registered by netif_napi_add(), so their .poll pointer is NULL. But it couldn't distinguish whether the napi was unregistered or not, because netif_napi_del() doesn't reset the .poll pointer to NULL. So ionic_qcq_enable() calls napi_enable() for the queue which was unregistered by netif_napi_del().

Reproducer:
  ethtool -L <interface name> rx 1 tx 1 combined 0
  ethtool -L <interface name> rx 0 tx 0 combined 1
  ethtool -L <interface name> rx 0 tx 0 combined 4

Splat looks like:
  kernel BUG at net/core/dev.c:6666!
  Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16
  Workqueue: events ionic_lif_deferred_work [ionic]
  RIP: 0010:napi_enable+0x3b/0x40
  Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f
  RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029
  RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28
  RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001
  R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
  R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20
  FS:  0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? die+0x33/0x90
   ? do_trap+0xd9/0x100
   ? napi_enable+0x3b/0x40
   ? do_error_trap+0x83/0xb0
   ? napi_enable+0x3b/0x40
   ? napi_enable+0x3b/0x40
   ? exc_invalid_op+0x4e/0x70
   ? napi_enable+0x3b/0x40
   ? asm_exc_invalid_op+0x16/0x20
   ? napi_enable+0x3b/0x40
   ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
   ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
   ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
   ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
   process_one_work+0x145/0x360
   worker_thread+0x2bb/0x3d0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0xcc/0x100
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x2d/0x50
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30

AI-Powered Analysis

Last updated: 06/29/2025, 12:55:23 UTC

Technical Analysis

CVE-2024-39502 is a use-after-free vulnerability in the Linux kernel's network driver subsystem, specifically in the 'ionic' network driver: a napi structure is used after netif_napi_del() has unregistered it. The flaw arises from improper handling of napi (New API) structures during network queue management. When network queues are started, netif_napi_add() and napi_enable() are called to register and enable napi polling for the active queues; if some queues are unused, only the active queues' napi should be registered and enabled. ionic_qcq_enable() relies on the .poll pointer being NULL to decide that a queue's napi is not registered, but netif_napi_del(), which unregisters a queue's napi, does not reset the .poll pointer to NULL. A queue that was registered and later unregistered therefore still carries a non-NULL .poll pointer, so ionic_qcq_enable() mistakenly calls napi_enable() on a napi structure that has already been unregistered. This triggers a kernel BUG with an invalid opcode exception, as shown in the kernel oops log in the description. The issue can be reproduced by changing the number of RX, TX, and combined queues on an interface with ethtool, which requires administrative access to the host. The splat was captured on kernel 6.10.0-rc2+, and the flaw is specific to the ionic driver, which is used for certain network interface cards (NICs). No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The root cause is a logic error in queue management and napi lifecycle handling within the driver code; the consequence is system instability or denial of service through a kernel panic.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected ionic network driver, which is commonly used in data center environments and enterprise-grade NICs. The impact includes potential denial of service (DoS) through kernel crashes, which can disrupt critical network services and server availability. This is particularly concerning for organizations relying on high-availability Linux servers for cloud infrastructure, telecommunications, and financial services. While the vulnerability does not appear to allow privilege escalation or remote code execution directly, the resulting system instability could be exploited by attackers to cause outages or degrade service quality. Given the widespread use of Linux in European IT infrastructure, especially in cloud providers and large enterprises, the vulnerability could affect network reliability and operational continuity. Additionally, the complexity of the bug and the need for specific hardware (ionic NICs) somewhat limits the scope but does not eliminate risk for targeted attacks or accidental crashes in affected environments.

Mitigation Recommendations

Organizations should promptly update their Linux kernels to versions where this vulnerability is patched. Since the issue is in the ionic driver, verifying whether the deployed systems use this driver is critical: 'ethtool -i <interface>' reports the bound driver in its 'driver:' field, and 'lsmod' shows whether the ionic module is loaded. If ionic NICs are not in use, the risk is minimal. For systems using ionic NICs, kernel upgrades to versions including the fix should be prioritized. In environments where immediate patching is not feasible, temporarily disabling or avoiding configuration changes to network queues via ethtool can reduce the risk of triggering the bug. Monitoring kernel logs for oops or BUG messages that reference napi_enable or ionic functions can help detect attempts to exploit the flaw as well as accidental triggers. Network segmentation and limiting administrative access to systems with ionic NICs can reduce the attack surface. Finally, coordinating with hardware vendors for updated drivers and firmware may provide additional stability improvements.
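The driver check and the log monitoring recommended above, together with the splat signature quoted in the description, combined into one triage script. This is an added example and not part of the CVE record or the kernel tree: it reads each interface's driver binding from sysfs (the same value that 'ethtool -i' prints as 'driver:') and counts kernel log lines that match the oops signature (the net/core/dev.c BUG line and napi_enable or ionic_* frames). The function names ionic_interfaces and count_splat_lines are mine, and the SAMPLE_LOG lines are constructed for demonstration. A match is an indicator that the bug was triggered, whether deliberately or by an accidental queue reconfiguration, not proof of exploitation.

```shell
#!/bin/sh
# Added triage helpers for CVE-2024-39502 (example code, not from the advisory
# or the kernel). All sample data in this file is constructed.

# Print the names of interfaces bound to the ionic driver. Reads the
# device/driver symlink under /sys/class/net, which is what
# `ethtool -i <iface>` reports as "driver:". The optional first argument
# points the function at a different sysfs root (used for testing).
ionic_interfaces() {
    sysfs_net="${1:-/sys/class/net}"
    for dev in "$sysfs_net"/*; do
        # Virtual interfaces (lo, bridges) have no device/driver link.
        [ -e "$dev/device/driver" ] || continue
        drv=$(basename "$(readlink -f "$dev/device/driver")")
        [ "$drv" = "ionic" ] && basename "$dev"
    done
    return 0
}

# Count kernel log lines (read from stdin) matching the splat signature from
# the advisory. The BUG line is matched without its line number because
# net/core/dev.c line numbers differ between kernel versions; the frame
# patterns cover the RIP line and the ionic call chain shown in the oops.
count_splat_lines() {
    grep -E -c \
        'kernel BUG at net/core/dev\.c|napi_enable\+0x|ionic_(qcq_enable|start_queues|lif_deferred_work)\+0x' \
        || true   # grep exits 1 when nothing matches; the count (0) is still printed
}

# Constructed kernel log excerpt: one link event, a splat like the one in the
# advisory, and an unrelated trailing line. Four lines match the signature.
SAMPLE_LOG='[  120.001] ionic 0000:17:00.0 eth2: Link up - 100 Gbps
[  121.553] kernel BUG at net/core/dev.c:6666!
[  121.553] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[  121.554] RIP: 0010:napi_enable+0x3b/0x40
[  121.555]  ionic_qcq_enable+0xb7/0x180 [ionic]
[  121.555]  ionic_start_queues+0xc4/0x290 [ionic]
[  121.556]  process_one_work+0x145/0x360
[  125.000] eth2: NIC Link is Down'

# Usage on a live host:
#   ionic_interfaces                 # lists ionic-bound interfaces, if any
#   dmesg | count_splat_lines        # lines matching the splat signature
#   printf '%s\n' "$SAMPLE_LOG" | count_splat_lines   # prints 4 on the sample
```

Run ionic_interfaces first: if it prints nothing, the host does not carry the affected driver and the log check is only a secondary indicator. On affected hosts, a non-zero count from the live kernel log, together with a recent ethtool -L change in shell history or audit logs, is the sequence described in the advisory.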


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-06-25T14:23:23.752Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2d9c

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 12:55:23 PM

Last updated: 7/28/2025, 2:01:50 PM

Views: 11
