
CVE-2024-42142: Vulnerability in Linux Linux

Severity: Medium
Published: Tue Jul 30 2024 (07/30/2024, 07:46:35 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: E-switch, Create ingress ACL when needed

Currently, ingress acl is used for three features. It is created only when vport metadata match and prio tag are enabled. But active-backup lag mode also uses it. It is independent of vport metadata match and prio tag. And vport metadata match can be disabled using the following devlink command:

    # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \
      value false cmode runtime

If ingress acl is not created, will hit panic when creating drop rule for active-backup lag mode. If always create it, there will be about 5% performance degradation.

Fix it by creating ingress acl when needed. If esw_port_metadata is true, ingress acl exists, then create drop rule using existing ingress acl. If esw_port_metadata is false, create ingress acl and then create drop rule.

AI-Powered Analysis

Last updated: 06/29/2025, 05:40:47 UTC

Technical Analysis

CVE-2024-42142 is a vulnerability in the Linux kernel's Mellanox mlx5 Ethernet switch (E-switch) driver, in the handling of ingress Access Control Lists (ACLs) when the device runs in active-backup Link Aggregation Group (LAG) mode. The ingress ACL is the mechanism used to filter or drop packets entering a virtual port (vport) on the E-switch. Before the fix, the driver created the ingress ACL only when vport metadata matching and priority tagging were enabled, although active-backup LAG mode also needs it, independently of those two features. Because vport metadata matching can be disabled at runtime through the devlink parameter esw_port_metadata, a system in active-backup LAG mode could end up with no ingress ACL; when the LAG code then tried to create its drop rule, the kernel panicked, causing a denial of service. The fix creates the ingress ACL on demand: if esw_port_metadata is true, the ACL already exists and the drop rule is attached to it; if esw_port_metadata is false, the ACL is created first and the drop rule is then added. Creating the ACL unconditionally would have cost about 5% in performance, which the on-demand approach avoids. The affected kernel versions are identified by commit hashes in the CVE record, and the CVE was published on July 30, 2024. No exploits in the wild are known and no CVSS score has been assigned.
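The failure mode and the fix logic described above, reduced to a small model. This is an added example written for this page, not mlx5 driver code: the struct and function names (esw, vport, ingress_acl_create, lag_create_drop_rule_old/new) are assumptions, the single vport and the creation counter are constructed for illustration, and the old path returns -ENOENT at the point where the real driver dereferenced a missing table and panicked.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the E-switch state relevant to this bug (names assumed). */
struct ingress_acl {
    int drop_rules;                  /* drop rules installed in the table */
};

struct vport {
    struct ingress_acl *ingress_acl; /* NULL until the table is created */
    bool acl_created_for_lag;        /* true when the lag path created it on demand */
};

struct esw {
    bool port_metadata;              /* devlink param esw_port_metadata */
    bool prio_tag;                   /* prio tag feature */
    struct vport vport;              /* one vport is enough for the model */
};

static int acl_creates;              /* tables created: proxy for the ~5% cost */

static struct ingress_acl *ingress_acl_create(void)
{
    struct ingress_acl *acl = calloc(1, sizeof(*acl));
    if (acl)
        acl_creates++;
    return acl;
}

/* Vport enable: the table is created eagerly only for metadata match or
 * prio tag. This is the same before and after the fix. */
static int esw_vport_enable(struct esw *esw)
{
    if (esw->port_metadata || esw->prio_tag) {
        esw->vport.ingress_acl = ingress_acl_create();
        if (!esw->vport.ingress_acl)
            return -ENOMEM;
    }
    return 0;
}

/* Pre-fix lag path: assumes the table exists. -ENOENT stands in for the
 * NULL dereference that panicked the real driver. */
static int lag_create_drop_rule_old(struct esw *esw)
{
    struct ingress_acl *acl = esw->vport.ingress_acl;
    if (!acl)
        return -ENOENT;
    acl->drop_rules++;
    return 0;
}

/* Post-fix lag path: reuse the table if it exists, otherwise create it
 * now and remember that lag owns it. */
static int lag_create_drop_rule_new(struct esw *esw)
{
    struct vport *vport = &esw->vport;
    if (!vport->ingress_acl) {
        vport->ingress_acl = ingress_acl_create();
        if (!vport->ingress_acl)
            return -ENOMEM;
        vport->acl_created_for_lag = true;
    }
    vport->ingress_acl->drop_rules++;
    return 0;
}

/* Tear-down for the fixed path: free the table only if lag created it,
 * so a metadata-owned table is left intact. */
static void lag_destroy_drop_rule_new(struct esw *esw)
{
    struct vport *vport = &esw->vport;
    if (!vport->ingress_acl)
        return;
    vport->ingress_acl->drop_rules--;
    if (vport->acl_created_for_lag) {
        free(vport->ingress_acl);
        vport->ingress_acl = NULL;
        vport->acl_created_for_lag = false;
    }
}

/* Run one scenario from a clean state: enable the vport with the given
 * esw_port_metadata value, then install a lag drop rule via the old or
 * the fixed path. Returns 0 on success or a negative errno. */
int run_scenario(bool port_metadata, bool fixed)
{
    struct esw esw = { .port_metadata = port_metadata, .prio_tag = false };
    int err;

    acl_creates = 0;
    err = esw_vport_enable(&esw);
    if (err)
        return err;
    err = fixed ? lag_create_drop_rule_new(&esw) : lag_create_drop_rule_old(&esw);
    if (fixed && !err)
        lag_destroy_drop_rule_new(&esw);
    free(esw.vport.ingress_acl);     /* whatever the eager path left behind */
    return err;
}

int acl_create_count(void)
{
    return acl_creates;
}

int main(void)
{
    int err = run_scenario(false, false);
    printf("metadata=false, old path: %d (-ENOENT stands in for the panic)\n", err);
    err = run_scenario(false, true);
    printf("metadata=false, fixed path: %d, tables created: %d\n", err, acl_create_count());
    err = run_scenario(true, true);
    printf("metadata=true, fixed path: %d, tables created: %d\n", err, acl_create_count());
    return 0;
}
```

The two fixed-path runs each create exactly one table: with esw_port_metadata true it is the one the eager path already made, with it false it is the one the lag path creates on demand. That is the property the commit relies on to avoid the cost of always creating the table.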

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service through kernel panics on systems running an affected Linux kernel with Mellanox mlx5 E-switch drivers configured in active-backup LAG mode. Such configurations are common in data centers and enterprise environments that rely on high-availability network setups and advanced network interface card (NIC) features for load balancing and redundancy. A kernel panic can take down critical services, causing downtime and loss of productivity. The vulnerability does not directly enable remote code execution or privilege escalation, but the resulting service interruptions can affect business operations, especially in sectors with strict uptime requirements such as finance, telecommunications, and cloud service providers. The performance trade-off discussed in the fix (about 5% if the ingress ACL were always created) may matter in high-throughput environments and should be weighed when planning patch deployment. Since no exploits are currently known, the immediate risk is moderate, but organizations should patch proactively to prevent future exploitation and maintain network stability.

Mitigation Recommendations

European organizations should apply the patch or the updated Linux kernel version that includes the fix for CVE-2024-42142 as soon as it becomes available. In the interim, administrators can verify and adjust the esw_port_metadata parameter with the devlink command so that ingress ACLs are created where needed, preventing kernel panics. Specifically, running 'devlink dev param set pci/0000:08:00.0 name esw_port_metadata value true cmode runtime' (with the PCI address replaced by that of the affected device) keeps an ingress ACL present when active-backup LAG mode is in use. Network teams should audit their use of active-backup LAG mode with Mellanox mlx5 drivers and measure the performance impact of ingress ACL creation to balance stability against throughput. Monitoring kernel logs for panic events related to ingress ACLs provides early detection of the issue. Finally, organizations should add this vulnerability to their patch management and vulnerability scanning processes to ensure timely remediation and compliance with security policies.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-29T15:50:41.189Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1b7e

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 5:40:47 AM

Last updated: 8/16/2025, 1:14:38 PM
