CVE-2024-46828: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.
AI Analysis
Technical Summary
CVE-2024-46828 is a vulnerability identified in the Linux kernel's sch_cake (Controlled Delay Active Queue Management) queuing discipline, specifically in its bulk flow accounting logic related to host fairness mode. The sch_cake module manages network traffic shaping and fairness by tracking active bulk flows per host and using this count as a weight in round-robin scheduling of flows. The vulnerability arises from improper handling of the decrement operation on the count of active bulk flows when host fairness mode is disabled. When a hash collision occurs in the flow hash table, the state of the hash bucket is updated to the new packet's flow, and the bulk flow counters for the involved hosts are decremented before being incremented again if host fairness is enabled. However, the decrement operation was unconditional, even when host fairness was disabled, leading to a spurious decrement that can cause the counter to wrap around to its maximum unsigned 16-bit value (U16_MAX). This wrap-around can lead to an array out-of-bounds access when the queuing discipline is later reconfigured to enable host fairness mode, as the corrupted counter value is used as an array index. Exploiting this requires a sequence of conditions: first, configuring sch_cake with host fairness disabled, then triggering a hash collision to cause the counter wrap-around, and finally re-enabling host fairness to trigger the out-of-bounds access. This vulnerability was discovered and triggered by syzbot, an automated kernel fuzzer, highlighting its complexity. The patch fixes the issue by making the decrement conditional, mirroring the existing condition on increment, thus preventing the spurious decrement and subsequent wrap-around. The bug predates the upstreaming of sch_cake but was introduced in a commit that touched this code. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the sch_cake queuing discipline configured, especially in environments where network traffic shaping and fairness are critical, such as ISPs, data centers, and cloud providers. The out-of-bounds array access could potentially lead to kernel memory corruption, causing system instability, crashes (denial of service), or potentially enabling privilege escalation or arbitrary code execution if exploited skillfully. This could disrupt critical network services, degrade performance, or compromise system integrity. Given that sch_cake is often used in routers, gateways, and network appliances, the impact could extend to network infrastructure devices, affecting availability and confidentiality of network traffic. European organizations with complex network environments or those relying on Linux-based network devices should be particularly vigilant. Although no active exploits are known, the complexity of the exploit path suggests a lower likelihood of widespread immediate attacks, but targeted attacks against high-value infrastructure cannot be ruled out.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-46828 as soon as they become available from trusted sources or Linux distributions. 2. Audit and review network device configurations to identify if sch_cake is used and whether host fairness mode is enabled or disabled. 3. Temporarily disable or avoid reconfiguring host fairness mode on sch_cake until patches are applied to prevent triggering the vulnerability. 4. Monitor kernel logs and system behavior for unusual crashes or instability that could indicate exploitation attempts. 5. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and use of seccomp filters to reduce the attack surface. 6. For critical network infrastructure, consider network segmentation and limiting administrative access to reduce the risk of exploitation. 7. Engage in proactive fuzz testing and vulnerability scanning of network devices running Linux kernels to detect similar issues early. 8. Coordinate with Linux distribution vendors and network appliance manufacturers for timely updates and advisories.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-46828: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.
AI-Powered Analysis
Technical Analysis
CVE-2024-46828 is a vulnerability identified in the Linux kernel's sch_cake (Controlled Delay Active Queue Management) queuing discipline, specifically in its bulk flow accounting logic related to host fairness mode. The sch_cake module manages network traffic shaping and fairness by tracking active bulk flows per host and using this count as a weight in round-robin scheduling of flows. The vulnerability arises from improper handling of the decrement operation on the count of active bulk flows when host fairness mode is disabled. When a hash collision occurs in the flow hash table, the state of the hash bucket is updated to the new packet's flow, and the bulk flow counters for the involved hosts are decremented before being incremented again if host fairness is enabled. However, the decrement operation was unconditional, even when host fairness was disabled, leading to a spurious decrement that can cause the counter to wrap around to its maximum unsigned 16-bit value (U16_MAX). This wrap-around can lead to an array out-of-bounds access when the queuing discipline is later reconfigured to enable host fairness mode, as the corrupted counter value is used as an array index. Exploiting this requires a sequence of conditions: first, configuring sch_cake with host fairness disabled, then triggering a hash collision to cause the counter wrap-around, and finally re-enabling host fairness to trigger the out-of-bounds access. This vulnerability was discovered and triggered by syzbot, an automated kernel fuzzer, highlighting its complexity. The patch fixes the issue by making the decrement conditional, mirroring the existing condition on increment, thus preventing the spurious decrement and subsequent wrap-around. The bug predates the upstreaming of sch_cake but was introduced in a commit that touched this code. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the sch_cake queuing discipline configured, especially in environments where network traffic shaping and fairness are critical, such as ISPs, data centers, and cloud providers. The out-of-bounds array access could potentially lead to kernel memory corruption, causing system instability, crashes (denial of service), or potentially enabling privilege escalation or arbitrary code execution if exploited skillfully. This could disrupt critical network services, degrade performance, or compromise system integrity. Given that sch_cake is often used in routers, gateways, and network appliances, the impact could extend to network infrastructure devices, affecting availability and confidentiality of network traffic. European organizations with complex network environments or those relying on Linux-based network devices should be particularly vigilant. Although no active exploits are known, the complexity of the exploit path suggests a lower likelihood of widespread immediate attacks, but targeted attacks against high-value infrastructure cannot be ruled out.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-46828 as soon as they become available from trusted sources or Linux distributions. 2. Audit and review network device configurations to identify if sch_cake is used and whether host fairness mode is enabled or disabled. 3. Temporarily disable or avoid reconfiguring host fairness mode on sch_cake until patches are applied to prevent triggering the vulnerability. 4. Monitor kernel logs and system behavior for unusual crashes or instability that could indicate exploitation attempts. 5. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and use of seccomp filters to reduce the attack surface. 6. For critical network infrastructure, consider network segmentation and limiting administrative access to reduce the risk of exploitation. 7. Engage in proactive fuzz testing and vulnerability scanning of network devices running Linux kernels to detect similar issues early. 8. Coordinate with Linux distribution vendors and network appliance manufacturers for timely updates and advisories.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-09-11T15:12:18.286Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9825c4522896dcbe026e
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 6:26:36 PM
Last updated: 7/27/2025, 2:17:39 AM
Views: 10
Related Threats
CVE-2025-8533: CWE-863 Incorrect Authorization in Flexibits Fantastical
MediumCVE-2025-35970: Use of weak credentials in SEIKO EPSON Multiple EPSON product
HighCVE-2025-29866: CWE-73: External Control of File Name or Path in TAGFREE X-Free Uploader
HighCVE-2025-32094: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Akamai AkamaiGhost
MediumCVE-2025-8583: Inappropriate implementation in Google Chrome
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.