CVE-2024-43880: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_erp: Fix object nesting warning

ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM (A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can contain more ACLs (i.e., tc filters), but the number of masks in each region (i.e., tc chain) is limited.

In order to mitigate the effects of the above limitation, the device allows filters to share a single mask if their masks only differ in up to 8 consecutive bits. For example, dst_ip/25 can be represented using dst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the number of masks being used (and therefore does not support mask aggregation), but can contain a limited number of filters.

The driver uses the "objagg" library to perform the mask aggregation by passing it objects that consist of the filter's mask and whether the filter is to be inserted into the A-TCAM or the C-TCAM since filters in different TCAMs cannot share a mask.

The set of created objects is dependent on the insertion order of the filters and is not necessarily optimal. Therefore, the driver will periodically ask the library to compute a more optimal set ("hints") by looking at all the existing objects.

When the library asks the driver whether two objects can be aggregated the driver only compares the provided masks and ignores the A-TCAM / C-TCAM indication. This is the right thing to do since the goal is to move as many filters as possible to the A-TCAM. The driver also forbids two identical masks from being aggregated since this can only happen if one was intentionally put in the C-TCAM to avoid a conflict in the A-TCAM.

The above can result in the following set of hints:

    H1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta
    H3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta

After getting the hints from the library the driver will start migrating filters from one region to another while consulting the computed hints and instructing the device to perform a lookup in both regions during the transition.

Assuming a filter with mask X is being migrated into the A-TCAM in the new region, the hints lookup will return H1. Since H2 is the parent of H1, the library will try to find the object associated with it and create it if necessary in which case another hints lookup (recursive) will be performed. This hints lookup for {mask Y, A-TCAM} will either return H2 or H3 since the driver passes the library an object comparison function that ignores the A-TCAM / C-TCAM indication. This can eventually lead to nested objects which are not supported by the library [1].

Fix by removing the object comparison function from both the driver and the library as the driver was the only user. That way the lookup will only return exact matches.

I do not have a reliable reproducer that can reproduce the issue in a timely manner, but before the fix the issue would reproduce in several minutes and with the fix it does not reproduce in over an hour.

Note that the current usefulness of the hints is limited because they include the C-TCAM indication and represent aggregation that cannot actually happen. This will be addressed in net-next.

[1]
WARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0
Modules linked in:
CPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42
Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0
[...]
Call Trace:
 <TASK>
 __objagg_obj_get+0x2bb/0x580
 objagg_obj_get+0xe/0x80
 mlxsw_sp_acl_erp_mask_get+0xb5/0xf0
 mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0
 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0
 mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270
 mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510
 process_one_work+0x151/0x370
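To make the failure mode described above concrete, here is a small constructed model, added here and not code from the mlxsw driver or the objagg library, of the hint lookup during migration: the same hint set H1..H4, one lookup with the pre-fix mask-only comparison and one with the exact match the fix enforces. The types, names and the ordering of the hint table are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the hint lookup described above; the names are
 * illustrative and are not mlxsw or objagg code. */
enum tcam { ATCAM, CTCAM };
struct obj { const char *mask; enum tcam tcam; };   /* mask + destination TCAM */
struct hint { struct obj obj; int parent; };        /* parent: hint index, -1 if root */

typedef bool (*hint_cmp_fn)(const struct obj *a, const struct obj *b);

/* Pre-fix driver comparison: only the mask is compared, the TCAM is ignored. */
static bool hint_cmp_mask_only(const struct obj *a, const struct obj *b)
{
	return strcmp(a->mask, b->mask) == 0;
}

/* Post-fix behaviour: the library accepts exact matches only (mask and TCAM). */
static bool hint_cmp_exact(const struct obj *a, const struct obj *b)
{
	return hint_cmp_mask_only(a, b) && a->tcam == b->tcam;
}

/* The hint set from the commit message. objagg keeps hints in a hash table, so
 * which of two mask-equal hints is found first is not under the driver's
 * control; H3 is listed before H2 here to show the unlucky order. */
static const struct hint hints[] = {
	{ { "X", ATCAM },  2 },	/* [0] H1: {mask X, A-TCAM} -> H2 */
	{ { "Y", CTCAM },  3 },	/* [1] H3: {mask Y, C-TCAM} -> H4 */
	{ { "Y", ATCAM }, -1 },	/* [2] H2: {mask Y, A-TCAM}, root */
	{ { "Z", ATCAM }, -1 },	/* [3] H4: {mask Z, A-TCAM}, root */
};
#define NHINTS (sizeof(hints) / sizeof(hints[0]))

static int hint_lookup(const struct obj *key, hint_cmp_fn cmp)
{
	for (size_t i = 0; i < NHINTS; i++)
		if (cmp(&hints[i].obj, key))
			return (int)i;
	return -1;
}

/* Mirror of the recursive object creation: resolve KEY's hint and, if it names
 * a parent, obtain that parent the same way. Returns the parent levels above
 * KEY; objagg requires a parent to be a root, so 2 is the nesting that trips
 * the WARNING in objagg_obj_parent_assign. */
static int obj_get_nesting(const struct obj *key, hint_cmp_fn cmp)
{
	int h = hint_lookup(key, cmp);
	if (h < 0 || hints[h].parent < 0)
		return 0;
	return 1 + obj_get_nesting(&hints[hints[h].parent].obj, cmp);
}

/* Migrating a filter with mask X into the A-TCAM, before and after the fix. */
static const struct obj filter_x = { "X", ATCAM };
int nesting_before_fix(void) { return obj_get_nesting(&filter_x, hint_cmp_mask_only); }
int nesting_after_fix(void) { return obj_get_nesting(&filter_x, hint_cmp_exact); }
```

With the mask-only comparison the lookup for {mask Y, A-TCAM} lands on H3, so X gets parent Y and Y gets parent Z (two levels); with exact matching it lands on H2, a root, and the nesting stays at one level.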
AI Analysis
Technical Summary
CVE-2024-43880 is a vulnerability in the Linux kernel's mlxsw driver, which manages ACL (Access Control List) filters on Mellanox Spectrum-2 and newer ASICs. These ASICs store ACL filters in two kinds of TCAM (Ternary Content Addressable Memory) region: the algorithmic TCAM (A-TCAM) and the circuit TCAM (C-TCAM). The A-TCAM holds more filters but limits the number of masks per region, so it lets filters whose masks differ in up to 8 consecutive bits share a single mask (mask aggregation); the C-TCAM has no mask limit and therefore no aggregation, but holds fewer filters. The driver uses the kernel's "objagg" library to perform the aggregation, passing it objects made of a filter's mask and its destination TCAM, and periodically asks the library for a more optimal set of objects ("hints") that it then follows while migrating filters between regions. The defect is in the object comparison function the driver passed to objagg for hint lookups: it compared only the masks and ignored the A-TCAM / C-TCAM indication, so a lookup for {mask Y, A-TCAM} could return the hint for {mask Y, C-TCAM} instead. When the driver then created the parent object that hint pointed to, the recursive lookup produced nested objects (a parent that itself has a parent), which objagg does not support; the library reports this with a kernel WARNING in objagg_obj_parent_assign() and the system may become unstable. The fix removes the custom comparison function from both the driver and the objagg library (the driver was its only user), so hint lookups now return only exact matches and nested objects can no longer be created. No reliable reproducer exists, but before the fix the warning reproduced within minutes and after the fix it did not reproduce in over an hour. The vulnerability has no CVSS score and no known exploits are reported in the wild. It affects only kernel versions containing the flawed mlxsw driver code running on Mellanox Spectrum-2 or newer hardware.
This vulnerability is primarily a stability and reliability issue within the kernel's ACL filter management subsystem rather than a direct security breach vector such as privilege escalation or remote code execution. However, kernel instability can lead to denial of service conditions or unexpected behavior in network filtering, which could indirectly impact security postures.
Potential Impact
For European organizations, especially those operating data centers, cloud infrastructure, or network equipment utilizing Linux servers with Mellanox Spectrum-2 or newer ASICs, this vulnerability could lead to kernel instability or crashes. Such instability can cause temporary denial of service, impacting availability of critical network services or applications. Organizations relying on Linux-based network appliances or servers for firewalling, traffic filtering, or network segmentation might experience disruptions in their security controls, potentially exposing them to increased risk during the downtime. While the vulnerability does not directly enable unauthorized access or data compromise, the resulting instability could degrade the integrity and availability of network filtering mechanisms. This is particularly relevant for sectors with stringent uptime and security requirements such as finance, telecommunications, healthcare, and critical infrastructure within Europe. The lack of known exploits reduces immediate risk, but the potential for denial of service and operational impact remains significant for affected environments.
Mitigation Recommendations
European organizations using Linux kernels with Mellanox Spectrum-2 or newer ASICs should prioritize updating to the patched kernel versions that remove the flawed object comparison function from the mlxsw driver and the objagg library. Since the issue lies in kernel-level driver code, kernel upgrades or backported patches from trusted Linux distributors (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. Network administrators should audit their infrastructure to identify devices running affected kernel versions on Mellanox hardware. Monitoring kernel logs for the objagg warning (a WARNING at lib/objagg.c in objagg_obj_parent_assign, raised from the mlxsw_sp_acl_tcam_vregion_rehash_work workqueue) can help detect the condition when it occurs. Given the difficulty of reproducing the issue, organizations should also implement robust kernel crash and system monitoring to respond quickly to any instability. Where possible, kernel updates should be tested in staging environments before production deployment. Additionally, organizations should maintain strict configuration management and change control for network ACLs: the warning is raised during the periodic rehash that migrates filters between regions, so frequent or large-scale filter changes may increase the likelihood of triggering it. Collaborating with hardware vendors and Linux distribution maintainers for timely updates and advisories is also advised.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-17T09:11:59.287Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe0b7a
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 10:24:56 PM
Last updated: 8/9/2025, 6:44:03 PM