CVE-2024-49953: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice

The km.state is not checked in driver's delayed work. When xfrm_state_check_expire() is called, the state can be reset to XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This happens when xfrm state is deleted, but not freed yet. As __xfrm_state_delete() is called again in xfrm timer, the following crash occurs.

To fix this issue, skip xfrm_state_check_expire() if km.state is not XFRM_STATE_VALID.

Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]
RIP: 0010:__xfrm_state_delete+0x3d/0x1b0
Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48
RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246
RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036
RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980
RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246
R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400
FS:  0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 ? die_addr+0x33/0x90
 ? exc_general_protection+0x1a2/0x390
 ? asm_exc_general_protection+0x22/0x30
 ? __xfrm_state_delete+0x3d/0x1b0
 ? __xfrm_state_delete+0x2f/0x1b0
 xfrm_timer_handler+0x174/0x350
 ? __xfrm_state_delete+0x1b0/0x1b0
 __hrtimer_run_queues+0x121/0x270
 hrtimer_run_softirq+0x88/0xd0
 handle_softirqs+0xcc/0x270
 do_softirq+0x3c/0x50
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x47/0x50
 mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]
 process_one_work+0x137/0x2d0
 worker_thread+0x28d/0x3a0
 ? rescuer_thread+0x480/0x480
 kthread+0xb8/0xe0
 ? kthread_park+0x80/0x80
 ret_from_fork+0x2d/0x50
 ? kthread_park+0x80/0x80
 ret_from_fork_asm+0x11/0x20
 </TASK>
AI Analysis
Technical Summary
CVE-2024-49953 is a vulnerability in the Linux kernel's mlx5e network driver, specifically related to the handling of IPsec (Internet Protocol Security) states within the kernel's transform (xfrm) framework. The issue arises because the driver's delayed work does not properly check the state of the xfrm_state object before attempting to delete it. In particular, the function __xfrm_state_delete() can be called twice on the same state object due to a race condition between the xfrm timer and the driver's delayed work queue. When xfrm_state_check_expire() is invoked, it may reset the state to XFRM_STATE_EXPIRED even if the state is already XFRM_STATE_DEAD but not yet freed. This leads to a second call to __xfrm_state_delete(), which causes a kernel crash due to a general protection fault triggered by accessing invalid memory (non-canonical address). The crash manifests as an oops in the kernel logs, indicating a serious fault that can cause denial of service (DoS) by crashing the affected system or network interface. The root cause is a missing validation check on the km.state variable before proceeding with state expiration checks. The fix involves skipping the expiration check if the state is not valid (i.e., not XFRM_STATE_VALID), preventing the double deletion and subsequent crash. This vulnerability affects Linux kernel versions around 6.11.0-rc2+ and impacts systems using the mlx5e driver, which is commonly associated with Mellanox (now NVIDIA) network cards that support advanced networking features including IPsec offload. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
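The interleaving described above, as an added toy model written for this page (not kernel or mlx5 driver code): a deleted-but-not-freed state is resurrected to XFRM_STATE_EXPIRED by the driver's delayed work, so the xfrm timer unlinks an already-poisoned list node, which is what the 0xdead000000000108 address in the oops points at. The list, the `hard_limit_hit` flag and the function names are assumptions that mirror the commit message; `replay(true)` applies the patch's km.state guard.

```c
#include <stdbool.h>

/* km.state values, same order as include/uapi/linux/xfrm.h. */
enum { XFRM_STATE_VOID, XFRM_STATE_ACQ, XFRM_STATE_VALID, XFRM_STATE_ERROR,
       XFRM_STATE_EXPIRED, XFRM_STATE_DEAD };
struct node { struct node *next, *prev; };
/* x86-64 list poison values. In the oops RDX == LIST_POISON1 and the faulting
 * store goes to 0x8(%rdx) == 0xdead000000000108: an already-unlinked node. */
#define LIST_POISON1 ((struct node *)0xdead000000000100ULL)
#define LIST_POISON2 ((struct node *)0xdead000000000122ULL)
/* Toy stand-in for struct xfrm_state: list linkage plus km.state (assumed model). */
struct xfrm_state { struct node list; int km_state; bool hard_limit_hit; };
static struct node head = { &head, &head };
static bool faulted;   /* set where the real kernel would take the GPF */

static void list_add(struct node *n) {
    n->next = head.next; n->prev = &head; head.next->prev = n; head.next = n;
}
static void list_del(struct node *n) {
    if (n->next == LIST_POISON1 || n->prev == LIST_POISON2) { faulted = true; return; }
    n->next->prev = n->prev; n->prev->next = n->next;
    n->next = LIST_POISON1; n->prev = LIST_POISON2;   /* poison, as the kernel does */
}
/* Like __xfrm_state_delete(): unlink only when km.state is not DEAD yet. */
static void xfrm_state_delete(struct xfrm_state *x) {
    if (x->km_state == XFRM_STATE_DEAD) return;
    x->km_state = XFRM_STATE_DEAD;
    list_del(&x->list);
}
/* Models xfrm_state_check_expire(): a hit limit marks the state EXPIRED without
 * looking at km.state, so a DEAD-but-not-freed state is resurrected. */
static void xfrm_state_check_expire(struct xfrm_state *x) {
    if (x->hard_limit_hit) x->km_state = XFRM_STATE_EXPIRED;
}
/* Driver delayed work; fixed=true applies the guard from the patch. */
static void ipsec_handle_sw_limits(struct xfrm_state *x, bool fixed) {
    if (fixed && x->km_state != XFRM_STATE_VALID) return;
    xfrm_state_check_expire(x);
}
/* Replays the interleaving from the advisory; returns true if the model faulted. */
bool replay(bool fixed) {
    struct xfrm_state x = { .km_state = XFRM_STATE_VALID, .hard_limit_hit = true };
    faulted = false; head.next = head.prev = &head;
    list_add(&x.list);
    xfrm_state_delete(&x);              /* state deleted, but not freed yet */
    ipsec_handle_sw_limits(&x, fixed);  /* delayed work runs after the delete */
    xfrm_state_delete(&x);              /* xfrm timer deletes it again */
    return faulted;
}
```

Without the guard the second delete dereferences the poisoned node; with it the work item sees km.state == XFRM_STATE_DEAD and leaves the state alone, so the timer's delete is a no-op.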
Potential Impact
For European organizations, the impact of CVE-2024-49953 can be significant, particularly for enterprises and data centers relying on Linux servers with Mellanox network adapters for high-performance networking and IPsec-based secure communications. A successful exploitation leads to a kernel crash causing a denial of service, which can disrupt critical network services, VPN tunnels, and secure communications infrastructure. This can affect availability of services, potentially leading to operational downtime, loss of productivity, and impact on business continuity. Organizations using Linux-based firewalls, routers, or VPN gateways with vulnerable drivers are at risk of network outages. Although this vulnerability does not appear to allow privilege escalation or remote code execution directly, the induced kernel panic can be leveraged in targeted denial-of-service attacks, especially in environments with automated recovery or failover mechanisms that might be overwhelmed. Given the widespread use of Linux in European governmental, financial, and industrial sectors, the disruption of secure network channels could have cascading effects on sensitive data transmission and compliance with data protection regulations such as GDPR.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize updating their Linux kernels to versions where the patch for CVE-2024-49953 has been applied. Since the vulnerability is in the mlx5e driver, organizations should identify systems using Mellanox/NVIDIA network cards and verify kernel versions. If immediate kernel upgrades are not feasible, consider temporarily disabling IPsec offload features on affected network interfaces to avoid triggering the vulnerable code path. Network administrators should monitor kernel logs for signs of crashes related to __xfrm_state_delete and implement alerting for such events. Additionally, deploying kernel live patching solutions can reduce downtime by applying fixes without full reboots. Organizations should also review their incident response plans to handle potential denial-of-service incidents caused by this vulnerability. Finally, vendors and cloud providers should be engaged to confirm patch availability and deployment timelines for managed services.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.047Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdfb2e
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 3:27:37 PM
Last updated: 8/1/2025, 6:16:04 PM