
CVE-2024-46857: Vulnerability in Linux Linux

Medium
Tags: Vulnerability, CVE-2024-46857, cve, cve-2024-46857
Published: Fri Sep 27 2024 (09/27/2024, 12:42:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix bridge mode operations when there are no VFs

Currently, trying to set the bridge mode attribute when numvfs=0 leads to a crash:

    bridge link set dev eth2 hwmode vepa

    [ 168.967392] BUG: kernel NULL pointer dereference, address: 0000000000000030
    [...]
    [ 168.969989] RIP: 0010:mlx5_add_flow_rules+0x1f/0x300 [mlx5_core]
    [...]
    [ 168.976037] Call Trace:
    [ 168.976188] <TASK>
    [ 168.978620] _mlx5_eswitch_set_vepa_locked+0x113/0x230 [mlx5_core]
    [ 168.979074] mlx5_eswitch_set_vepa+0x7f/0xa0 [mlx5_core]
    [ 168.979471] rtnl_bridge_setlink+0xe9/0x1f0
    [ 168.979714] rtnetlink_rcv_msg+0x159/0x400
    [ 168.980451] netlink_rcv_skb+0x54/0x100
    [ 168.980675] netlink_unicast+0x241/0x360
    [ 168.980918] netlink_sendmsg+0x1f6/0x430
    [ 168.981162] ____sys_sendmsg+0x3bb/0x3f0
    [ 168.982155] ___sys_sendmsg+0x88/0xd0
    [ 168.985036] __sys_sendmsg+0x59/0xa0
    [ 168.985477] do_syscall_64+0x79/0x150
    [ 168.987273] entry_SYSCALL_64_after_hwframe+0x76/0x7e
    [ 168.987773] RIP: 0033:0x7f8f7950f917

(esw->fdb_table.legacy.vepa_fdb is null)

The bridge mode is only relevant when there are multiple functions per port. Therefore, prevent setting and getting this setting when there are no VFs.

Note that after this change, there are no settings to change on the PF interface using `bridge link` when there are no VFs, so the interface no longer appears in the `bridge link` output.

AI-Powered Analysis

Last updated: 06/28/2025, 18:55:05 UTC

Technical Analysis

CVE-2024-46857 is a NULL pointer dereference in the Linux kernel's Mellanox mlx5_core driver, which manages certain network interface cards (NICs) that support advanced features such as SR-IOV (Single Root I/O Virtualization). The flaw occurs when setting the bridge mode attribute (specifically VEPA mode) on a physical function (PF) interface that has zero virtual functions (VFs) configured. Under these conditions, the kernel dereferences a NULL pointer within the mlx5_add_flow_rules function and crashes. The crash is triggered by the command `bridge link set dev eth2 hwmode vepa` when no VFs are present, and results in a denial of service (DoS) condition due to system instability or crash.

The root cause is that the bridge mode setting is only meaningful when multiple functions per port exist (i.e., when VFs are configured), but the code did not prevent setting or getting this attribute when no VFs are present. The fix prevents setting or retrieving the bridge mode attribute on PF interfaces without VFs; as a result, such interfaces no longer appear in the `bridge link` output.

This vulnerability is relevant for Linux kernel versions containing the affected mlx5_core driver code prior to the patch. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet. However, the vulnerability can cause kernel crashes and service disruption on affected systems when triggered.

Potential Impact

For European organizations, the impact of CVE-2024-46857 primarily involves potential denial of service conditions on Linux servers or network appliances using Mellanox mlx5-based NICs with the vulnerable driver. Organizations relying on Linux-based infrastructure for critical networking, cloud services, or data center operations could experience unexpected kernel panics and system reboots if an attacker, or an administrator through misconfiguration, attempts to set bridge mode attributes improperly. This could disrupt network connectivity, degrade service availability, and impact business continuity.

While exploitation requires local access or administrative privileges to execute the specific `bridge link` command, accidental misconfiguration or malicious insider actions could trigger the crash. The vulnerability does not appear to allow privilege escalation or remote code execution directly but poses a risk to system stability and availability. Given the widespread use of Linux in European enterprise, cloud, and telecom environments, especially in data centers and virtualized network functions, the vulnerability could affect critical infrastructure components. However, the impact is limited to systems using the mlx5 driver with zero VFs configured and attempting to set bridge mode, which narrows the scope somewhat.

Mitigation Recommendations

To mitigate CVE-2024-46857, European organizations should:

1) Apply the latest Linux kernel patches that include the fix preventing bridge mode settings on PF interfaces without VFs. This is the definitive remediation.
2) Audit and restrict administrative access to network configuration commands such as `bridge link` to trusted personnel only, minimizing risk of accidental or malicious triggering.
3) Review network interface configurations on systems using Mellanox mlx5 NICs to ensure that bridge mode settings are only applied when VFs are configured.
4) Implement monitoring and alerting for kernel crashes or unexpected reboots on affected systems to detect potential exploitation or misconfiguration quickly.
5) For environments where patching is delayed, consider temporary operational controls such as disabling the use of bridge mode settings on PF interfaces without VFs or isolating vulnerable hosts from critical network segments.
6) Coordinate with hardware vendors and Linux distribution maintainers to ensure timely updates and guidance.

These steps go beyond generic advice by focusing on configuration validation, access control, and operational monitoring specific to this vulnerability.
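An added example (not part of the original advisory or of the kernel patch) supporting recommendations 3 and 4: a shell helper that lists mlx5_core PFs reporting zero VFs in sysfs and counts kernel-log oopses matching the trace in the description. The function names and the sample log are constructed for this example; the `driver` symlink and `sriov_numvfs` file are standard sysfs entries.

```bash
#!/bin/sh
# Added example for CVE-2024-46857; function names are this example's own.

# Print interfaces bound to mlx5_core whose PF reports sriov_numvfs=0: the
# state in which setting hwmode vepa crashes an unpatched kernel.
# $1 = sysfs root (defaults to /sys; overridable for testing).
mlx5_pfs_without_vfs() {
    sysroot="${1:-/sys}"
    for dev in "$sysroot"/class/net/*; do
        [ -e "$dev/device/driver" ] || continue
        drv=$(basename "$(readlink "$dev/device/driver")")
        [ "$drv" = "mlx5_core" ] || continue
        # Only SR-IOV capable PFs expose sriov_numvfs.
        [ -r "$dev/device/sriov_numvfs" ] || continue
        if [ "$(cat "$dev/device/sriov_numvfs")" = "0" ]; then
            basename "$dev"
        fi
    done
}

# Count oopses on stdin matching the signature in the description: NULL
# dereference, RIP in mlx5_add_flow_rules, caller _mlx5_eswitch_set_vepa_locked.
count_vepa_oops() {
    awk '
        /BUG: kernel NULL pointer dereference/ { armed = 1; rip = 0; next }
        armed && /RIP: 0010:mlx5_add_flow_rules[+]/ { rip = 1; next }
        armed && rip && /_mlx5_eswitch_set_vepa_locked[+]/ { hits++; armed = 0 }
        END { print hits + 0 }
    '
}

# Constructed sample: lines taken from the trace in the description.
sample_log() {
    cat <<'EOF'
[ 168.967392] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 168.969989] RIP: 0010:mlx5_add_flow_rules+0x1f/0x300 [mlx5_core]
[ 168.976037] Call Trace:
[ 168.978620] _mlx5_eswitch_set_vepa_locked+0x113/0x230 [mlx5_core]
[ 168.979074] mlx5_eswitch_set_vepa+0x7f/0xa0 [mlx5_core]
[ 168.979471] rtnl_bridge_setlink+0xe9/0x1f0
EOF
}

mlx5_pfs_without_vfs /sys          # audit the local host
sample_log | count_vepa_oops       # on a host: dmesg | count_vepa_oops
```

Any interface the audit prints is a PF on which `bridge link set ... hwmode vepa` should not be issued until the patched kernel is running.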


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-11T15:12:18.291Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbe0364

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 6:55:05 PM

Last updated: 8/8/2025, 7:37:10 AM
