CVE-2024-57795: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Remove the direct link to net_device

The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889

This problem also occurred in RXE. The following analyzes this problem.

In the following Call Traces:
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295

CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60
__ib_query_port drivers/infiniband/core/device.c:2111 [inline]
ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143
ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494
ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
"

1). In the link [1],
" infiniband syz2: set down "
This means that on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq.

2). In the link [1],
" team0 (unregistering): Port device team_slave_0 removed "
It indicates that before 843.251853, the net device should be freed.

3). In the link [1],
" BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 "
This means that on 850.559070, this slab-use-after-free problem occurred.

In all, on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq; before 843.251853, the net device veth was freed; on 850.559070, this event was executed, and the mentioned freed net device was called. Thus, the above call trace occurred.

[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000
AI Analysis
Technical Summary
CVE-2024-57795 is a high-severity use-after-free vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically affecting the RXE (software RoCE, RDMA over Converged Ethernet) driver. The vulnerability arises from improper handling of network device references within the kernel's InfiniBand software stack. The root cause is that an InfiniBand cache event (ib_cache_event_task) is queued and then executed after the associated network device (net_device) has been freed, leading to a use-after-free condition. This is evidenced by the KASAN (Kernel Address Sanitizer) slab-use-after-free report in dev_get_flags, which reads the flags of the freed device. The issue was identified through kernel debugging and syzkaller fuzzing logs, which show a timeline where the event is queued, the device is freed, and the event handler then accesses the freed device, causing the crash. The vulnerability affects Linux kernel versions including the commit referenced (8700e3e7c4857d28ebaa824509934556da0b3e76). The CVSS v3.1 score is 7.8, indicating high severity, with a local attack vector (AV:L), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation could allow a local attacker with limited privileges to cause kernel crashes (denial of service) or potentially escalate privileges through the use-after-free condition. The patch removes the direct link to net_device in the RXE driver so that no stale reference is kept. No known exploits are reported in the wild yet, but the vulnerability is serious due to its potential impact on system stability and security.
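To make the "remove the direct link to net_device" fix concrete, here is an added user-space model (example code, not the kernel's or the rxe driver's own code) of the two driver shapes the summary contrasts. A small ifindex-keyed registry stands in for the kernel's netdev list, a refcount for dev_hold()/dev_put(), and a "freed" flag for what KASAN would report; the struct and function names are assumptions chosen for illustration.

```c
/* Added example (not kernel code): a user-space model of the CVE-2024-57795
 * pattern. "freed" marks memory the kernel would already have released. */
#include <errno.h>
#include <stddef.h>

#define MAX_IFINDEX 8
#define IFF_UP      0x1

struct net_device { int ifindex; unsigned int flags; int refcnt; int freed; };

static struct net_device devs[MAX_IFINDEX];      /* backing storage, never freed here */
static struct net_device *registry[MAX_IFINDEX]; /* currently registered devices */

static struct net_device *netdev_register(int ifindex, unsigned int flags) {
    struct net_device *d = &devs[ifindex];
    d->ifindex = ifindex; d->flags = flags; d->refcnt = 1; d->freed = 0;
    registry[ifindex] = d;              /* the registry holds one reference */
    return d;
}

static void dev_put(struct net_device *d) {
    if (--d->refcnt == 0) d->freed = 1; /* the kernel would free it here */
}

/* Like dev_get_by_index(): NULL once unregistered, otherwise a held reference. */
static struct net_device *dev_get_by_index(int ifindex) {
    struct net_device *d = registry[ifindex];
    if (d) d->refcnt++;
    return d;
}

static void netdev_unregister(int ifindex) {
    struct net_device *d = registry[ifindex];
    registry[ifindex] = NULL;
    dev_put(d);                         /* drop the registry's reference */
}

/* Vulnerable shape: the driver caches a raw pointer that nothing keeps alive. */
struct rxe_dev_bad { struct net_device *ndev; };
static int query_port_bad(struct rxe_dev_bad *rxe) {
    if (rxe->ndev->freed) return -EFAULT; /* what KASAN flags as slab-use-after-free */
    return (rxe->ndev->flags & IFF_UP) ? 1 : 0;
}

/* Fixed shape: keep only the ifindex and resolve it under a reference at use time. */
struct rxe_dev_fixed { int ifindex; };
static int query_port_fixed(struct rxe_dev_fixed *rxe) {
    struct net_device *d = dev_get_by_index(rxe->ifindex);
    if (!d) return -ENODEV;             /* device already gone: report it, don't dereference */
    int up = (d->flags & IFF_UP) ? 1 : 0;
    dev_put(d);
    return up;
}
```

The queued ib_cache_event_task in the advisory corresponds to a query_port call that runs after netdev_unregister: the cached-pointer version reads freed memory, the index-resolving version gets -ENODEV and returns cleanly.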
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those relying on Linux servers with RDMA capabilities, commonly used in high-performance computing, data centers, and cloud infrastructures. Exploitation could lead to kernel crashes causing denial of service, impacting availability of critical services. More seriously, the use-after-free flaw could be leveraged for privilege escalation, threatening confidentiality and integrity of sensitive data. Organizations running RDMA-enabled Linux kernels in production environments, including financial institutions, research centers, and cloud service providers, may face operational disruptions and increased risk of targeted attacks. Given the local attack vector, insider threats or compromised user accounts could exploit this vulnerability. The lack of user interaction requirement increases the risk of automated or scripted exploitation once local access is obtained. The vulnerability also affects virtualized environments using RDMA passthrough or similar technologies, which are prevalent in European cloud data centers, amplifying potential impact.
Mitigation Recommendations
European organizations should promptly apply the official Linux kernel patches that remove the direct net_device references in the RXE driver to eliminate the use-after-free condition. Until patches are deployed, organizations should restrict local access to systems running vulnerable kernels, enforce strict privilege separation, and monitor for unusual kernel crashes or logs indicating use-after-free errors. Disabling RDMA or the RXE driver temporarily on non-critical systems can reduce exposure. Security teams should audit systems for the affected kernel versions and prioritize patching on servers with RDMA enabled. Additionally, implementing kernel live patching solutions where available can minimize downtime during remediation. Monitoring kernel logs for KASAN reports or related errors can help detect exploitation attempts. Finally, organizations should review and tighten access controls to limit local user privileges and prevent unauthorized code execution that could trigger this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-15T13:08:59.657Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde86b
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 7/2/2025, 10:27:09 PM
Last updated: 8/13/2025, 10:52:38 AM