CVE-2024-44933: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()
A recent commit has modified the code in __bnxt_reserve_rings() to set the default RSS indirection table to default only when the number of RX rings is changing. While this works for newer firmware that requires RX ring reservations, it causes the regression on older firmware not requiring RX ring reservations (BNXT_NEW_RM() returns false).
With older firmware, RX ring reservations are not required and so hw_resc->resv_rx_rings is not always set to the proper value. The comparison:
    if (old_rx_rings != bp->hw_resc.resv_rx_rings)
in __bnxt_reserve_rings() may be false even when the RX rings are changing. This will cause __bnxt_reserve_rings() to skip setting the default RSS indirection table to default to match the current number of RX rings. This may later cause bnxt_fill_hw_rss_tbl() to use an out-of-range index.
We already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this scenario. We just need to move it up in bnxt_need_reserve_rings() to be called unconditionally when using older firmware. Without the fix, if the TX rings are changing, we'll skip the bnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also skip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained in the last paragraph. Without setting the default RSS indirection table to default, it causes the regression:
    BUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40
    Read of size 2 at addr ffff8881c5809618 by task ethtool/31525
    Call Trace:
    __bnxt_hwrm_vnic_set_rss+0xb79/0xe40
    bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460
    __bnxt_setup_vnic_p5+0x12e/0x270
    __bnxt_open_nic+0x2262/0x2f30
    bnxt_open_nic+0x5d/0xf0
    ethnl_set_channels+0x5d4/0xb30
    ethnl_default_set_doit+0x2f1/0x620
AI Analysis
Technical Summary
CVE-2024-44933 is a vulnerability in the Linux kernel's Broadcom NetXtreme (bnxt) network driver, specifically related to the handling of Receive Side Scaling (RSS) indirection tables in the bnxt_fill_hw_rss_tbl() function. The root cause stems from a regression introduced by a recent code change in the __bnxt_reserve_rings() function. This change modified the logic to update the default RSS indirection table only when the number of RX rings changes.
However, this logic fails on older firmware versions that do not require RX ring reservations (where BNXT_NEW_RM() returns false). In such cases, the reserved RX rings value (hw_resc->resv_rx_rings) may not be set correctly, causing the conditional check (old_rx_rings != bp->hw_resc.resv_rx_rings) to incorrectly evaluate to false even when RX rings have changed. Consequently, the default RSS indirection table is not updated to match the current RX ring count. This leads to bnxt_fill_hw_rss_tbl() using an out-of-range index, resulting in a memory out-of-bounds read.
The vulnerability manifests as a kernel slab-out-of-bounds error detected by KASAN (Kernel Address Sanitizer), which can cause system instability or crashes when network interface configurations are changed (e.g., via ethtool). The fix involves ensuring that bnxt_check_rss_tbl_no_rmgr() is called unconditionally for older firmware to properly validate and set the RSS table, preventing the out-of-bounds access.
This vulnerability affects specific Linux kernel versions identified by the affected commit hashes and is relevant for systems using Broadcom NetXtreme network cards with older firmware that do not require RX ring reservations. No known exploits are currently reported in the wild.
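The stale-table condition described above, as an added user-space C model (not code from the kernel driver or from this page). The struct, the function names, the 16-slot table and the 8-to-4 ring scenario are constructed for illustration, and leaving resv_rx_rings untouched on older firmware is a simplification of "not always set to the proper value". It counts the table slots that point past the last valid RX ring, with the check skipped and with it run first.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TBL_SLOTS 16 /* constructed size for this model */

/* Simplified user-space model; names are assumptions, not driver code. */
struct nic {
    bool new_rm;               /* models BNXT_NEW_RM() */
    uint16_t rx_nr_rings;      /* RX rings currently configured */
    uint16_t resv_rx_rings;    /* models hw_resc->resv_rx_rings */
    uint16_t indir[TBL_SLOTS]; /* RSS slot -> RX ring index */
};

static void set_default_indir(struct nic *n) {
    for (int i = 0; i < TBL_SLOTS; i++)
        n->indir[i] = (uint16_t)(i % n->rx_nr_rings);
}

/* fixed=false: the older-firmware check is skipped when TX rings change. */
static void change_rings(struct nic *n, uint16_t rx, bool tx_changing, bool fixed) {
    uint16_t old_rx = n->resv_rx_rings;
    n->rx_nr_rings = rx;
    if (!n->new_rm && (fixed || !tx_changing) && n->resv_rx_rings != rx) {
        n->resv_rx_rings = rx;      /* role of bnxt_check_rss_tbl_no_rmgr() */
        set_default_indir(n);
    }
    if (n->new_rm)
        n->resv_rx_rings = rx;      /* newer firmware: reservation sets it */
    if (old_rx != n->resv_rx_rings) /* comparison quoted in the description */
        set_default_indir(n);
}

/* 8 RX rings shrunk to 4 on older firmware while TX rings also change.
 * Returns how many table slots point past the last valid ring. */
static int stale_slots_after_shrink(bool fixed) {
    struct nic n = { .new_rm = false, .rx_nr_rings = 8, .resv_rx_rings = 8 };
    int bad = 0;
    set_default_indir(&n);
    change_rings(&n, 4, true, fixed);
    for (int i = 0; i < TBL_SLOTS; i++)
        bad += n.indir[i] >= n.rx_nr_rings;
    return bad;
}

int main(void) {
    printf("unfixed: %d stale slots, fixed: %d\n",
           stale_slots_after_shrink(false), stale_slots_after_shrink(true));
}
```

A non-zero count in the unfixed ordering corresponds to the out-of-range index that the table fill would later use; the model only counts those slots and never dereferences them.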
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running Linux kernels with affected bnxt drivers and older Broadcom firmware. The impact includes potential kernel crashes or denial of service due to out-of-bounds memory access when network interface parameters are changed or during normal operation involving RSS configuration. This can disrupt critical network services, affecting availability and potentially leading to downtime in data centers, cloud environments, and enterprise networks. Confidentiality and integrity impacts are less direct but could arise if attackers leverage the instability to cause broader system compromise or escalate privileges via kernel memory corruption. Given the widespread use of Linux in European enterprise and cloud infrastructures, especially in telecommunications, financial services, and government sectors, the vulnerability could affect critical operations if exploited or triggered inadvertently. The lack of known exploits reduces immediate risk, but the presence of a kernel memory corruption bug warrants prompt attention to avoid potential exploitation or operational disruptions.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address CVE-2024-44933 as soon as they become available from their Linux distribution vendors. In the interim, system administrators should audit their environments to identify systems using Broadcom NetXtreme network cards with older firmware versions that do not require RX ring reservations. Where feasible, firmware should be updated to versions compatible with the fixed driver logic. Network administrators should avoid changing RSS or RX ring configurations on affected systems until patched. Monitoring kernel logs for KASAN slab-out-of-bounds errors related to bnxt can help detect attempts to trigger the vulnerability. Additionally, organizations should implement strict change management and limit administrative access to network configuration tools like ethtool to reduce the risk of accidental or malicious triggering. Employing kernel live patching solutions where supported can help deploy fixes without downtime. Finally, maintaining up-to-date backups and robust incident response plans will mitigate operational impacts if exploitation or crashes occur.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T05:34:56.664Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe0c87
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 10:41:58 PM
Last updated: 8/14/2025, 1:47:04 PM