CVE-2024-50039: Vulnerability in Linux Linux (Linux kernel net/sched: NULL pointer dereference via TCA_STAB on a non-root qdisc)
In the Linux kernel, the following vulnerability has been resolved:

net/sched: accept TCA_STAB only for root qdisc

Most qdiscs maintain their backlog using qdisc_pkt_len(skb) on the assumption it is invariant between the enqueue() and dequeue() handlers.

Unfortunately syzbot can crash a host rather easily using a TBF + SFQ combination, with an STAB on SFQ [1]

We can't support TCA_STAB on arbitrary level, this would require maintaining per-qdisc storage.

[1]
[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 88.798611] #PF: supervisor read access in kernel mode
[ 88.799014] #PF: error_code(0x0000) - not-present page
[ 88.799506] PGD 0 P4D 0
[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
All code
========
   0:   0f b7 50 12             movzwl 0x12(%rax),%edx
   4:   48 8d 04 d5 00 00 00    lea    0x0(,%rdx,8),%rax
   b:   00
   c:   48 89 d6                mov    %rdx,%rsi
   f:   48 29 d0                sub    %rdx,%rax
  12:   48 8b 91 c0 01 00 00    mov    0x1c0(%rcx),%rdx
  19:   48 c1 e0 03             shl    $0x3,%rax
  1d:   48 01 c2                add    %rax,%rdx
  20:   66 83 7a 1a 00          cmpw   $0x0,0x1a(%rdx)
  25:   7e c0                   jle    0xffffffffffffffe7
  27:   48 8b 3a                mov    (%rdx),%rdi
  2a:*  4c 8b 07                mov    (%rdi),%r8        <-- trapping instruction
  2d:   4c 89 02                mov    %r8,(%rdx)
  30:   49 89 50 08             mov    %rdx,0x8(%r8)
  34:   48 c7 47 08 00 00 00    movq   $0x0,0x8(%rdi)
  3b:   00
  3c:   48                      rex.W
  3d:   c7                      .byte 0xc7
  3e:   07                      (bad)
        ...

Code starting with the faulting instruction
===========================================
   0:   4c 8b 07                mov    (%rdi),%r8
   3:   4c 89 02                mov    %r8,(%rdx)
   6:   49 89 50 08             mov    %rdx,0x8(%r8)
   a:   48 c7 47 08 00 00 00    movq   $0x0,0x8(%rdi)
  11:   00
  12:   48                      rex.W
  13:   c7                      .byte 0xc7
  14:   07                      (bad)
        ...
[ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206
[ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800
[ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000
[ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f
[ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140
[ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac
[ 88.806734] FS:  00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000
[ 88.807225] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0
[ 88.808165] Call Trace:
[ 88.808459]  <TASK>
[ 88.808710]  ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 88.809261]  ? page_fault_oops (arch/x86/mm/fault.c:715)
[ 88.809561]  ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[ 88.809806]  ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
[ 88.810074]  ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.810411]  sfq_reset (net/sched/sch_sfq.c:525) sch_sfq
[ 88.810671]  qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g ---truncated---
AI Analysis
Technical Summary
CVE-2024-50039 is a NULL pointer dereference in the Linux kernel's packet scheduler (net/sched), reached through the TCA_STAB netlink attribute on queueing disciplines (qdiscs). A qdisc schedules and shapes the packets leaving a network interface; TCA_STAB attaches a size table ("stab") that rewrites the per-packet length the scheduler accounts with, for example to model link-layer framing overhead. Most qdiscs track their backlog with qdisc_pkt_len(skb) on the assumption that the value does not change between enqueue() and dequeue(). A size table attached to a non-root qdisc breaks that assumption: the parent accounts the packet at one length, the child's size table rewrites it on the way in, and the parent sees a different length on the way out. syzbot demonstrated the consequence with a Token Bucket Filter (TBF) qdisc whose child is a Stochastic Fairness Queueing (SFQ) qdisc carrying a STAB: the resulting inconsistent queue state ends in a NULL pointer dereference in sfq_dequeue (reached via qdisc_reset -> sfq_reset in the trace above), which oopses the kernel and takes the host down. The fix ("net/sched: accept TCA_STAB only for root qdisc") rejects TCA_STAB on any qdisc other than the root, because supporting it at arbitrary depth would require per-qdisc storage that does not exist. No CVSS score has been assigned at the time of writing and there are no reports of exploitation in the wild. The impact is denial of service (loss of availability); nothing in the published material suggests a controllable memory-corruption primitive. Note the privilege requirement precisely: installing a qdisc requires CAP_NET_ADMIN over the network namespace that owns the interface, not necessarily the root account. On hosts that allow unprivileged user namespaces an unprivileged local user can typically obtain that capability over a new network namespace, and containers are frequently granted CAP_NET_ADMIN for networking plugins, so the flaw should be treated as locally triggerable by more than full administrators. It is not reachable remotely through network traffic alone.
Potential Impact
For European organizations the exposure is any host running an unpatched kernel on which someone holding CAP_NET_ADMIN over an interface can install a qdisc tree, most directly hosts that already use tc-based shaping (TBF, SFQ and similar): Linux-based edge routers and firewalls, telecommunications and ISP traffic-management systems, cloud and hosting nodes, and Kubernetes workers where pods or CNI plugins hold CAP_NET_ADMIN. The effect is a kernel oops that crashes the host, so the damage is loss of availability of everything the host carries, with cascading effects on dependent services; there is no indication of data exposure or privilege escalation. The need for a privileged local configuration path keeps this out of reach of unauthenticated remote attackers, but it leaves the flaw usable by malicious insiders, compromised administrative accounts, tenants of shared hosts that permit unprivileged user namespaces, and compromised containers that carry CAP_NET_ADMIN. syzbot reached the crash automatically, so an accidental misconfiguration (a size table on an SFQ child under TBF) is enough; no exploit skill is required. Sectors that depend on Linux-based networking (telecommunications, finance, government, cloud service providers) should treat patching as routine availability hygiene rather than emergency response, given the local and privileged trigger.
Mitigation Recommendations
To mitigate CVE-2024-50039, European organizations should:
1) Update to a kernel that carries the fix "net/sched: accept TCA_STAB only for root qdisc" (check the distribution's advisory for the backported version). After the update the kernel refuses TCA_STAB on any non-root qdisc, so a tc command that previously installed the crashing configuration fails with an error instead of being accepted.
2) Until the update is in place, audit existing qdisc trees (tc qdisc show) for size tables attached below the root qdisc and remove them or move them to the root; that configuration stops working after the fix anyway.
3) Limit who can reach the qdisc configuration path: do not grant CAP_NET_ADMIN to containers by default and review the CNI and service-mesh init containers that require it; on multi-tenant hosts consider restricting unprivileged user namespaces (upstream user.max_user_namespaces, or the distribution-specific kernel.unprivileged_userns_clone where it exists), since a new network namespace grants CAP_NET_ADMIN over its own interfaces.
4) Put traffic-shaping changes under change management and log them, for example with an auditd execve rule on tc, so that an unexpected qdisc change on a shaping box is visible before or shortly after it takes effect.
5) Collect kernel oopses centrally (journald, kdump, netconsole or pstore) and alert on "BUG: kernel NULL pointer dereference" with sfq_dequeue or sfq_reset in the call trace; on a patched kernel, tc failing to attach a stab to a child qdisc is the tell-tale of someone attempting this configuration.
6) Where TBF + SFQ shaping is essential on not-yet-patched hosts, keep the shaping but drop the size table from the SFQ child rather than removing traffic management altogether.
These steps concentrate on the three levers that matter for this bug: the patch itself, who holds CAP_NET_ADMIN, and visibility of qdisc changes and crashes.
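As an added example (not code from the advisory, the kernel tree or iproute2), the following POSIX shell helper implements the audit in step 2: it reads the text output of tc qdisc show and reports every qdisc that is not a root qdisc but carries a size table, which is exactly the configuration the fix rejects. It assumes iproute2 prints a qdisc's size table as an indented continuation line carrying the stab keywords (overhead, mpu, mtu, tsize, linklayer) directly under the "qdisc <kind> <handle> ..." line; the sample output embedded in the block is constructed, not captured from a real host, and the function names are my own.

```sh
#!/bin/sh
# Added audit helper for CVE-2024-50039 (example code, not from the advisory,
# the kernel tree or iproute2). It reads `tc qdisc show` text on stdin and
# prints one line per qdisc that is not a root qdisc but carries a size table.
#
# Assumption: iproute2 prints a qdisc's size table (stab) as an indented
# continuation line directly under the "qdisc <kind> <handle> ..." line, e.g.
#   qdisc sfq 10: dev eth0 parent 1: limit 127p quantum 1514b depth 127 divisor 1024
#    overhead 24 mpu 64 tsize 256
# If your iproute2 version formats it differently, adjust the second pattern.

find_nonroot_stab() {
    awk '
        # A new qdisc header: remember kind, handle, and whether it is root.
        /^qdisc / {
            kind = $2
            handle = $3
            is_root = ($0 ~ /(^| )root( |$)/) ? 1 : 0
            next
        }
        # Indented continuation carrying stab keywords: report it unless the
        # qdisc it belongs to is the root qdisc of its interface.
        /^[ \t]/ && $0 ~ /(^|[ \t])(overhead|mpu|mtu|tsize|linklayer)[ \t]/ {
            if (!is_root && handle != "")
                printf "STAB on non-root qdisc: %s %s\n", kind, handle
        }
    '
}

# Exit-status wrapper for scripts and CI: returns 1 if any non-root stab
# was found (and prints the findings), 0 otherwise.
check_nonroot_stab() {
    out=$(find_nonroot_stab)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample (not a real capture): a TBF root with an SFQ child that
# carries a stab, plus a second interface whose root qdisc has a stab (fine).
SAMPLE='qdisc tbf 1: dev eth0 root refcnt 2 rate 1Mbit burst 1600b lat 50ms
qdisc sfq 10: dev eth0 parent 1: limit 127p quantum 1514b depth 127 divisor 1024
 overhead 24 mpu 64 tsize 256
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024
 linklayer atm overhead 4 '

# Stand-alone demonstration on the sample; on a real host run:
#   tc qdisc show | check_nonroot_stab
printf '%s\n' "$SAMPLE" | find_nonroot_stab
```

Only the SFQ child on eth0 is reported; the stab on the eth1 root qdisc is the supported placement and is left alone. The wrapper's non-zero exit status makes it usable as a pre-deployment gate for tc-based shaping configurations.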
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.070Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdfd9a
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 4:40:11 PM
Last updated: 8/17/2025, 6:29:33 PM
Views: 28
Related Threats
CVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU (High)
CVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340 (High)
CVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie (Medium)
CVE-2025-57702: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie (Medium)
CVE-2025-57701: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie (Medium)