CVE-2024-50126: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved:

net: sched: use RCU read-side critical section in taprio_dump()

Fix possible use-after-free in 'taprio_dump()' by adding RCU read-side critical section there.

Never seen on x86 but found on a KASAN-enabled arm64 system when investigating https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:

[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0
[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862
[T15862]
[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2
[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024
[T15862] Call trace:
[T15862]  dump_backtrace+0x20c/0x220
[T15862]  show_stack+0x2c/0x40
[T15862]  dump_stack_lvl+0xf8/0x174
[T15862]  print_report+0x170/0x4d8
[T15862]  kasan_report+0xb8/0x1d4
[T15862]  __asan_report_load4_noabort+0x20/0x2c
[T15862]  taprio_dump+0xa0c/0xbb0
[T15862]  tc_fill_qdisc+0x540/0x1020
[T15862]  qdisc_notify.isra.0+0x330/0x3a0
[T15862]  tc_modify_qdisc+0x7b8/0x1838
[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
[T15862]  netlink_rcv_skb+0x1f8/0x3d4
[T15862]  rtnetlink_rcv+0x28/0x40
[T15862]  netlink_unicast+0x51c/0x790
[T15862]  netlink_sendmsg+0x79c/0xc20
[T15862]  __sock_sendmsg+0xe0/0x1a0
[T15862]  ____sys_sendmsg+0x6c0/0x840
[T15862]  ___sys_sendmsg+0x1ac/0x1f0
[T15862]  __sys_sendmsg+0x110/0x1d0
[T15862]  __arm64_sys_sendmsg+0x74/0xb0
[T15862]  invoke_syscall+0x88/0x2e0
[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
[T15862]  do_el0_svc+0x44/0x60
[T15862]  el0_svc+0x50/0x184
[T15862]  el0t_64_sync_handler+0x120/0x12c
[T15862]  el0t_64_sync+0x190/0x194
[T15862]
[T15862] Allocated by task 15857:
[T15862]  kasan_save_stack+0x3c/0x70
[T15862]  kasan_save_track+0x20/0x3c
[T15862]  kasan_save_alloc_info+0x40/0x60
[T15862]  __kasan_kmalloc+0xd4/0xe0
[T15862]  __kmalloc_cache_noprof+0x194/0x334
[T15862]  taprio_change+0x45c/0x2fe0
[T15862]  tc_modify_qdisc+0x6a8/0x1838
[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
[T15862]  netlink_rcv_skb+0x1f8/0x3d4
[T15862]  rtnetlink_rcv+0x28/0x40
[T15862]  netlink_unicast+0x51c/0x790
[T15862]  netlink_sendmsg+0x79c/0xc20
[T15862]  __sock_sendmsg+0xe0/0x1a0
[T15862]  ____sys_sendmsg+0x6c0/0x840
[T15862]  ___sys_sendmsg+0x1ac/0x1f0
[T15862]  __sys_sendmsg+0x110/0x1d0
[T15862]  __arm64_sys_sendmsg+0x74/0xb0
[T15862]  invoke_syscall+0x88/0x2e0
[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
[T15862]  do_el0_svc+0x44/0x60
[T15862]  el0_svc+0x50/0x184
[T15862]  el0t_64_sync_handler+0x120/0x12c
[T15862]  el0t_64_sync+0x190/0x194
[T15862]
[T15862] Freed by task 6192:
[T15862]  kasan_save_stack+0x3c/0x70
[T15862]  kasan_save_track+0x20/0x3c
[T15862]  kasan_save_free_info+0x4c/0x80
[T15862]  poison_slab_object+0x110/0x160
[T15862]  __kasan_slab_free+0x3c/0x74
[T15862]  kfree+0x134/0x3c0
[T15862]  taprio_free_sched_cb+0x18c/0x220
[T15862]  rcu_core+0x920/0x1b7c
[T15862]  rcu_core_si+0x10/0x1c
[T15862]  handle_softirqs+0x2e8/0xd64
[T15862]  __do_softirq+0x14/0x20
AI Analysis
Technical Summary
CVE-2024-50126 is a use-after-free (CWE-416) in the Linux kernel's network scheduler, in the taprio_dump() function of the time-aware priority (taprio) qdisc. taprio keeps its schedule in an RCU-protected object: taprio_change() allocates it (the "Allocated by" trace), and when a schedule is replaced the old one is handed to call_rcu() and released from the RCU callback taprio_free_sched_cb(), which runs from the RCU softirq (the "Freed by" trace). taprio_dump() read fields of that object without an RCU read-side critical section, so nothing prevented a grace period from ending, and the callback from freeing the schedule, between the moment the pointer was read and the moment its fields were accessed. tc_modify_qdisc() runs with the RTNL lock held, but RTNL does not delay RCU callbacks; only rcu_read_lock()/rcu_read_unlock() does, and that is what the fix adds. The KASAN report shows the stale access as a 4-byte read in taprio_dump(), reached from tc_modify_qdisc() through qdisc_notify(), the path that emits the RTM_NEWQDISC notification after a change and calls the qdisc's dump callback to fill it; the syzkaller reproducer drove it with tc netlink messages. The race was caught only on a KASAN-enabled arm64 system and never on x86, which is a matter of timing and sanitiser coverage rather than an architecture-specific defect: the unprotected read exists on every architecture. What was demonstrated is a stale read, whose reliable outcome is a kernel crash (denial of service) once the freed slab object is reused. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N with high confidentiality, integrity and availability impact (score 7.8) prices in the usual worst case for a kernel use-after-free, namely that a local attacker turns it into memory disclosure or privilege escalation; no public exploit is known. On the privilege requirement: changing a qdisc requires CAP_NET_ADMIN in the interface's network namespace, and on distributions that allow unprivileged user namespaces an ordinary local user can obtain that capability inside a new user and network namespace, so PR:L should be read as "any local account" there. The CVE record lists commit 18cdd2f0998a4967b1fff4c43ed9aef049e42c39 as the start of the affected range, not as the fix. The description states that the issue has been resolved, so a fix exists in mainline and the stable trees, but this page provides no patch link; use your distribution's security tracker to map CVE-2024-50126 to a fixed kernel version.
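The race described above, reduced to a single-threaded model. This is an added example, not the kernel's code: the toy RCU primitives, the struct sched type and the scenario() driver are this page's own stand-ins for rcu_read_lock(), rcu_dereference(), call_rcu(), rcu_core() and the taprio schedule object, and the two calls placed in the middle of each reader make explicit the interleaving (writer swaps the schedule, RCU softirq runs) that a preempted taprio_dump() could be exposed to.

```c
/*
 * Single-threaded model of the taprio_dump() race (added illustration, not
 * kernel code). The "RCU" below is a toy: a reader counter plus an explicit
 * grace-period step, enough to show why a read-side critical section matters.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct sched {                 /* stand-in for the taprio schedule object */
    int num_entries;
    bool freed;                /* set by the "callback" instead of kfree() */
};

static struct sched *oper;     /* RCU-protected pointer, like taprio's "oper" */
static int rcu_readers;        /* readers currently inside rcu_read_lock() */
static struct sched *rcu_pending[4];
static int rcu_npending;

static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; }

/* call_rcu(): queue @s for release after the next grace period */
static void call_rcu_sched(struct sched *s) { rcu_pending[rcu_npending++] = s; }

/*
 * rcu_core(): a grace period can only end when no reader is inside a
 * read-side critical section; then the deferred callbacks run (the
 * taprio_free_sched_cb() frame in the "Freed by" trace). Returns the number
 * of objects released.
 */
static int rcu_core(void)
{
    if (rcu_readers > 0)
        return 0;
    int n = rcu_npending;
    for (int i = 0; i < n; i++)
        rcu_pending[i]->freed = true;    /* kfree() in the real callback */
    rcu_npending = 0;
    return n;
}

/* Writer: publish a new schedule and retire the old one through call_rcu() */
static void publish_sched(struct sched *new_sched)
{
    struct sched *old = oper;
    oper = new_sched;                    /* rcu_assign_pointer() */
    if (old)
        call_rcu_sched(old);
}

/*
 * Readers. The two calls in the middle stand for what can happen while the
 * dump is preempted. Return the entry count read, or -1 where KASAN would
 * have reported a slab-use-after-free.
 */
static int dump_unprotected(struct sched *replacement)
{
    struct sched *s = oper;              /* no rcu_read_lock(): the bug */
    publish_sched(replacement);
    rcu_core();                          /* grace period ends, s is freed */
    return s->freed ? -1 : s->num_entries;
}

static int dump_protected(struct sched *replacement)
{
    int ret;

    rcu_read_lock();                     /* what the fix adds to taprio_dump() */
    struct sched *s = oper;              /* rcu_dereference() in the kernel */
    publish_sched(replacement);
    rcu_core();                          /* returns 0: a reader is active */
    ret = s->freed ? -1 : s->num_entries;
    rcu_read_unlock();
    rcu_core();                          /* now the old schedule is released */
    return ret;
}

static struct sched sched_a, sched_b;

/* Reset the model and run one dump; with_rcu selects the fixed reader */
static int scenario(bool with_rcu)
{
    sched_a = (struct sched){ .num_entries = 3 };
    sched_b = (struct sched){ .num_entries = 5 };
    oper = &sched_a;
    rcu_readers = 0;
    rcu_npending = 0;
    return with_rcu ? dump_protected(&sched_b) : dump_unprotected(&sched_b);
}

int main(void)
{
    printf("unprotected dump: %d\n", scenario(false));  /* -1: use-after-free */
    printf("protected dump:   %d\n", scenario(true));   /* 3: old schedule read safely */
    return 0;
}
```

Build with cc -std=c11 and run: the unprotected dump returns -1 at the point where a KASAN kernel prints the slab-use-after-free report, while the protected one reads the retired schedule intact because the grace period cannot end until rcu_read_unlock(). The point to take away is that rcu_read_lock() does not pin a pointer or block the writer; it only delays every call_rcu() callback queued before the matching rcu_read_unlock(), which is exactly the guarantee taprio_dump() lacked and which holding RTNL, as tc_modify_qdisc() does, never provides.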
Potential Impact
For European organizations, the exposure is any Linux host on which a local account can reach the affected code: servers, network and telecommunications equipment, industrial systems and embedded devices running a kernel in the affected range. A local attacker who can change qdiscs (CAP_NET_ADMIN in a network namespace, which unprivileged user namespaces hand out on many distributions) can trigger the stale read. The reliably reachable outcome is a kernel crash and therefore denial of service on that host; the worst case priced into the CVSS score is kernel memory disclosure or privilege escalation, which would give full control of the system. Because the trigger is local, the realistic threat is a foothold obtained by other means: a compromised service account, a tenant or container in a shared environment, or an insider. ARM64 is not more exposed than x86. The unprotected read sits in architecture-independent code, and the arm64 mention in the advisory only records where the sanitiser happened to catch the race. Edge, IoT and industrial deployments still deserve attention, but because they tend to run older vendor kernels that receive stable fixes late, not because of their CPU architecture.
Mitigation Recommendations
European organizations should update to a kernel that contains the fix for CVE-2024-50126 and track the CVE in their distribution's security tracker, since the fix is distributed as backports through the stable branches rather than as one version number. Inventory kernels by version (uname -r) and compare against the distribution's fixed versions; the commit hash in the CVE record marks the start of the affected range, not the fix. Where taprio is not in use, prevent the sch_taprio module from loading with an install sch_taprio /bin/false line in /etc/modprobe.d; a blacklist line alone is not sufficient, because the kernel autoloads the qdisc module on an RTM_NEWQDISC request and blacklist only affects alias-based loading. Keep CAP_NET_ADMIN out of unprivileged users' reach by restricting unprivileged user namespaces where the workload permits (user.max_user_namespaces, or kernel.unprivileged_userns_clone on Debian-derived kernels), and apply the usual least-privilege controls to local accounts and containers. KASAN is a debugging tool for test and fuzzing kernels, not a production hardening option: use it in CI builds to catch this class of bug early, never on production hosts. Netlink traffic never leaves the host, so network monitoring will not see an attempt; instead audit qdisc changes locally (an auditd watch on tc execution, or tracing of tc_modify_qdisc) and alert on KASAN, "BUG:" and oops lines in kernel logs, which is what a failed attempt looks like. For embedded and IoT devices, obtain fixed firmware from the vendor and confirm the shipped kernel version rather than relying on the release notes. Runtime security tools that watch for anomalous kernel behaviour add a detection layer, and incident response plans should cover kernel-level compromise, where the only trustworthy recovery is a rebuild from known-good media.
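The host checks recommended above, written as a small audit program. This is an added example, not part of the advisory or of any vendor tool: the two sample texts are constructed, the modprobe.d file path used in main() is an assumption, and the kernel.unprivileged_userns_clone knob exists only on Debian-derived kernels (the program reports -1 where a file is absent).

```c
/*
 * Audit the local mitigations for CVE-2024-50126 (added example): is
 * sch_taprio loaded, is its loading blocked in modprobe.d, and are
 * unprivileged user namespaces restricted. The parsers take file text so
 * they can run on the constructed samples; main() applies them to the real
 * files where present.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed samples, not captured from a real host */
static const char SAMPLE_PROC_MODULES[] =
    "sch_taprio 57344 0 - Live 0xffffffffc0a10000\n"
    "sch_mqprio 20480 1 sch_taprio, Live 0xffffffffc09f0000\n";
static const char SAMPLE_MODPROBE_CONF[] =
    "# blacklist alone only stops alias-based loading\n"
    "blacklist sch_taprio\n"
    "install sch_taprio /bin/false\n";

/* Copy the next line of *cursor into buf; false at end of text */
static bool next_line(const char **cursor, char *buf, size_t size)
{
    const char *p = *cursor;
    if (*p == '\0')
        return false;
    size_t len = strcspn(p, "\n");
    size_t copy = len < size ? len : size - 1;
    memcpy(buf, p, copy);
    buf[copy] = '\0';
    *cursor = p + len + (p[len] == '\n');
    return true;
}

/* /proc/modules lines start with "<name> <size> <refcount> ..." */
static bool module_loaded(const char *modules_text, const char *name)
{
    char line[256], mod[64];
    while (next_line(&modules_text, line, sizeof line))
        if (sscanf(line, "%63s", mod) == 1 && strcmp(mod, name) == 0)
            return true;
    return false;
}

/*
 * True if a modprobe.d line "install <name> /bin/false" (or /bin/true)
 * exists. A bare "blacklist" line does not count: the kernel autoloads the
 * qdisc module on RTM_NEWQDISC, and blacklist only affects alias lookups.
 */
static bool install_blocked(const char *conf_text, const char *name)
{
    char line[256], kw[32], mod[64], cmd[128];
    while (next_line(&conf_text, line, sizeof line)) {
        if (sscanf(line, "%31s %63s %127s", kw, mod, cmd) != 3)
            continue;
        if (strcmp(kw, "install") == 0 && strcmp(mod, name) == 0 &&
            (strcmp(cmd, "/bin/false") == 0 || strcmp(cmd, "/bin/true") == 0))
            return true;
    }
    return false;
}

/* Integer value of a sysctl file's text; -1 when absent or empty */
static long sysctl_long(const char *text)
{
    char *end;
    if (!text)
        return -1;
    long v = strtol(text, &end, 10);
    return end == text ? -1 : v;
}

/* Read a whole (small) file; NULL if it cannot be opened. Caller frees. */
static char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    char *buf = malloc(1 << 16);
    size_t n = buf ? fread(buf, 1, (1 << 16) - 1, f) : 0;
    fclose(f);
    if (!buf)
        return NULL;
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    char *mods = read_file("/proc/modules");
    char *conf = read_file("/etc/modprobe.d/sch_taprio.conf");   /* assumed path */
    char *maxns = read_file("/proc/sys/user/max_user_namespaces");
    char *clone = read_file("/proc/sys/kernel/unprivileged_userns_clone");

    printf("sch_taprio loaded:                %s\n", mods && module_loaded(mods, "sch_taprio") ? "yes" : "no");
    printf("sch_taprio install-blocked:       %s\n", conf && install_blocked(conf, "sch_taprio") ? "yes" : "no");
    printf("user.max_user_namespaces:         %ld\n", sysctl_long(maxns));
    printf("kernel.unprivileged_userns_clone: %ld (-1 = knob not present)\n", sysctl_long(clone));
    free(mods); free(conf); free(maxns); free(clone);
    return 0;
}
```

Run it as root on each host to confirm the module is absent or install-blocked; a loaded sch_taprio on a machine with no TSN workload is itself a finding worth investigating. The parsers deliberately distinguish a blacklist line from an install line, since the former is the mistake most often made when "disabling" a module.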
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.954Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe0006
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 7/2/2025, 11:57:15 PM
Last updated: 8/5/2025, 2:16:21 AM