CVE-2024-50162: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

bpf: devmap: provide rxq after redirect

rxq contains a pointer to the device from where the redirect happened. Currently, the BPF program that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* does not have it set.

This is particularly bad since accessing ingress_ifindex, e.g.

    SEC("xdp")
    int prog(struct xdp_md *pkt)
    {
            return bpf_redirect_map(&dev_redirect_map, 0, 0);
    }

    SEC("xdp/devmap")
    int prog_after_redirect(struct xdp_md *pkt)
    {
            bpf_printk("ifindex %i", pkt->ingress_ifindex);
            return XDP_PASS;
    }

depends on access to rxq, so a NULL pointer gets dereferenced:

    <1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000
    <1>[ 574.475188] #PF: supervisor read access in kernel mode
    <1>[ 574.475194] #PF: error_code(0x0000) - not-present page
    <6>[ 574.475199] PGD 0 P4D 0
    <4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
    <4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23
    <4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023
    <4>[ 574.475231] Workqueue: mld mld_ifc_work
    <4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
    <4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b
    <4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206
    <4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000
    <4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0
    <4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001
    <4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000
    <4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000
    <4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000
    <4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    <4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0
    <4>[ 574.475303] PKRU: 55555554
    <4>[ 574.475306] Call Trace:
    <4>[ 574.475313] <IRQ>
    <4>[ 574.475318] ? __die+0x23/0x70
    <4>[ 574.475329] ? page_fault_oops+0x180/0x4c0
    <4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490
    <4>[ 574.475346] ? kmem_cache_free+0x257/0x280
    <4>[ 574.475357] ? exc_page_fault+0x67/0x150
    <4>[ 574.475368] ? asm_exc_page_fault+0x26/0x30
    <4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
    <4>[ 574.475386] bq_xmit_all+0x158/0x420
    <4>[ 574.475397] __dev_flush+0x30/0x90
    <4>[ 574.475407] veth_poll+0x216/0x250 [veth]
    <4>[ 574.475421] __napi_poll+0x28/0x1c0
    <4>[ 574.475430] net_rx_action+0x32d/0x3a0
    <4>[ 574.475441] handle_softirqs+0xcb/0x2c0
    <4>[ 574.475451] do_softirq+0x40/0x60
    <4>[ 574.475458] </IRQ>
    <4>[ 574.475461] <TASK>
    <4>[ 574.475464] __local_bh_enable_ip+0x66/0x70
    <4>[ 574.475471] __dev_queue_xmit+0x268/0xe40
    <4>[ 574.475480] ? selinux_ip_postroute+0x213/0x420
    <4>[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0
    <4>[ 574.475502] ip6_finish_output2+0x2be/0x640
    <4>[ 574.475512] ? nf_hook_slow+0x42/0xf0
    <4>[ 574.475521] ip6_finish_output+0x194/0x300
    <4>[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10
    <4>[ 574.475538] mld_sendpack+0x17c/0x240
    <4>[ 574.475548] mld_ifc_work+0x192/0x410
    <4>[ 574.475557] process_one_work+0x15d/0x380
    <4>[ 574.475566] worker_thread+0x29d/0x3a0
    <4>[ 574.475573] ? __pfx_worker_thread+0x10/0x10
    <4>[ 574.475580] ? __pfx_worker_thread+0x10/0x10
    <4>[ 574.475587] kthread+0xcd/0x100
    <4>[ 574.475597] ? __pfx_kthread+0x10/0x10
    <4>[ 574.475606] ret_from_fork+0x31/0x50
    <4>[ 574.475615] ? __pfx_kthread+0x10/0x10
    <4>[ 574.475623] ret_from_fork_asm+0x1a/0x
    ---truncated---
AI Analysis
Technical Summary
CVE-2024-50162 is a vulnerability in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically related to the BPF_MAP_TYPE_DEVMAP and the handling of the rxq pointer after a redirect operation. The issue arises because after a redirect via a devmap, the rxq pointer, which should reference the device from which the redirect originated, is not properly set. This leads to a NULL pointer dereference when BPF programs attempt to access ingress_ifindex or other fields dependent on rxq. The vulnerability manifests as a kernel NULL pointer dereference, causing a kernel oops and potential system crash. The provided kernel log excerpt shows the crash occurring in a BPF program executed after redirect, with detailed stack traces confirming the fault in the bpf_prog_after_redirect function. This bug affects Linux kernel versions around 6.11.0-rc5 and likely others using similar BPF devmap implementations. While the vulnerability does not appear to be exploitable for privilege escalation or arbitrary code execution, it can cause denial of service (DoS) by crashing the kernel. The vulnerability is triggered by crafted BPF programs that perform redirects via devmap and subsequently access the ingress_ifindex, leading to dereferencing a NULL pointer. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet. The root cause is a missing initialization of the rxq pointer after redirect, which the patch aims to fix by ensuring rxq is properly set before BPF program execution continues.
Potential Impact
For European organizations, the primary impact of CVE-2024-50162 is the risk of denial of service on Linux systems that utilize eBPF devmap redirects, particularly in environments leveraging advanced networking features such as XDP (Express Data Path) for high-performance packet processing. This vulnerability could cause unexpected kernel crashes, leading to system downtime, service interruptions, and potential disruption of critical infrastructure relying on Linux servers or network appliances. Organizations running containerized workloads, cloud-native applications, or network functions that employ eBPF for packet filtering or redirection are especially at risk. Although this vulnerability does not appear to allow privilege escalation or remote code execution, the resulting instability could be exploited by attackers to cause persistent denial of service, impacting availability. Given the widespread use of Linux in European data centers, telecom infrastructure, and enterprise environments, the vulnerability could affect a broad range of sectors including finance, healthcare, government, and telecommunications. The lack of known exploits reduces immediate risk, but the potential for DoS in critical systems necessitates prompt attention.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address this vulnerability as soon as they become available. Monitor Linux kernel mailing lists and vendor advisories for updates.
2. For organizations using custom or long-term support (LTS) kernels, backport the patch or upgrade to a kernel version that includes the fix.
3. Audit and review BPF programs in use, especially those employing BPF_MAP_TYPE_DEVMAP and redirect operations, to identify any that access ingress_ifindex or rely on rxq pointers. Temporarily disable or restrict such BPF programs until patched kernels are deployed.
4. Implement kernel crash monitoring and alerting to detect and respond quickly to any kernel oops or crashes potentially related to this vulnerability.
5. Limit access to load and execute BPF programs to trusted users and processes only, reducing the risk of malicious or malformed BPF code triggering the issue.
6. Employ network segmentation and isolation for systems running vulnerable kernels to minimize impact scope in case of crashes.
7. Engage with Linux distribution vendors for security advisories and timely patch releases tailored to your environment.
8. Consider fallback or redundancy mechanisms for critical systems to maintain availability during patch deployment or incident response.
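For the crash monitoring in item 4, the oops discussed in the Technical Summary has a recognisable shape: a NULL pointer dereference whose RIP lies inside a JIT-compiled BPF program and whose first reliable caller is bq_xmit_all. The triage helper below is an added example, not part of the original advisory or the kernel patch; the name classify_oops and the second sample are constructed for illustration, and the caller check is a heuristic derived from this one trace.

```python
import re

# Strip the "<level>[ timestamp]" prefix seen in the oops, e.g. "<4>[ 574.475386] ".
PREFIX = re.compile(r"^(?:<\d+>)?\[\s*\d+\.\d+\]\s*")
RIP = re.compile(r"^RIP: \w+:(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# JIT-compiled BPF programs appear as bpf_prog_<16-hex tag>[_<program name>].
BPF_PROG = re.compile(r"^bpf_prog_[0-9a-f]{16}(?:_(\w+))?$")

def classify_oops(lines):
    """Return details if the oops has the shape of the devmap/rxq crash, else None."""
    null_deref, rip_symbol, in_trace = False, None, False
    frames = []  # reliable frames only; entries marked "?" are stack leftovers
    for raw in lines:
        msg = PREFIX.sub("", raw.strip())
        if "kernel NULL pointer dereference" in msg:
            null_deref = True
        rip = RIP.match(msg)
        if rip and rip_symbol is None:
            rip_symbol = rip.group(1)
        if msg.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            frame = FRAME.match(msg)
            if frame and not frame.group(1):
                frames.append(frame.group(2))
    prog = BPF_PROG.match(rip_symbol or "")
    # Fault inside a BPF program whose direct caller is the devmap flush path.
    if null_deref and prog and frames[:1] == ["bq_xmit_all"]:
        return {"program": prog.group(1), "path": frames[:3]}
    return None

# Excerpt of the oops quoted on this page.
PAGE_OOPS = """\
<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000
<4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
<4>[ 574.475306] Call Trace:
<4>[ 574.475313] <IRQ>
<4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
<4>[ 574.475386] bq_xmit_all+0x158/0x420
<4>[ 574.475397] __dev_flush+0x30/0x90
<4>[ 574.475407] veth_poll+0x216/0x250 [veth]
""".splitlines()

# Constructed negative sample (hypothetical symbols): NULL deref outside BPF.
OTHER_OOPS = """\
[ 12.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 12.000002] RIP: 0010:example_driver_rx+0x2a/0x90
[ 12.000003] Call Trace:
[ 12.000004] example_driver_poll+0x40/0x100
""".splitlines()

if __name__ == "__main__":
    print(classify_oops(PAGE_OOPS), classify_oops(OTHER_OOPS))
```

A match identifies the devmap-attached program by name, which feeds directly into the audit in item 3; inlining differences between kernel builds can change the caller frame, so treat a miss as inconclusive.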
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.961Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe014e
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 5:57:09 PM
Last updated: 7/29/2025, 3:04:55 AM