{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-29T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: Fix UAF when resolving a clash",
    "id" : "2300409",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2300409"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: Fix UAF when resolving a clash\nKASAN reports the following UAF:\nBUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\nRead of size 1 at addr ffff888c07603600 by task handler130/6469\nCall Trace:\n<IRQ>\ndump_stack_lvl+0x48/0x70\nprint_address_description.constprop.0+0x33/0x3d0\nprint_report+0xc0/0x2b0\nkasan_report+0xd0/0x120\n__asan_load1+0x6c/0x80\ntcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\ntcf_ct_act+0x886/0x1350 [act_ct]\ntcf_action_exec+0xf8/0x1f0\nfl_classify+0x355/0x360 [cls_flower]\n__tcf_classify+0x1fd/0x330\ntcf_classify+0x21c/0x3c0\nsch_handle_ingress.constprop.0+0x2c5/0x500\n__netif_receive_skb_core.constprop.0+0xb25/0x1510\n__netif_receive_skb_list_core+0x220/0x4c0\nnetif_receive_skb_list_internal+0x446/0x620\nnapi_complete_done+0x157/0x3d0\ngro_cell_poll+0xcf/0x100\n__napi_poll+0x65/0x310\nnet_rx_action+0x30c/0x5c0\n__do_softirq+0x14f/0x491\n__irq_exit_rcu+0x82/0xc0\nirq_exit_rcu+0xe/0x20\ncommon_interrupt+0xa1/0xb0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x27/0x40\nAllocated by task 6469:\nkasan_save_stack+0x38/0x70\nkasan_set_track+0x25/0x40\nkasan_save_alloc_info+0x1e/0x40\n__kasan_krealloc+0x133/0x190\nkrealloc+0xaa/0x130\nnf_ct_ext_add+0xed/0x230 [nf_conntrack]\ntcf_ct_act+0x1095/0x1350 [act_ct]\ntcf_action_exec+0xf8/0x1f0\nfl_classify+0x355/0x360 [cls_flower]\n__tcf_classify+0x1fd/0x330\ntcf_classify+0x21c/0x3c0\nsch_handle_ingress.constprop.0+0x2c5/0x500\n__netif_receive_skb_core.constprop.0+0xb25/0x1510\n__netif_receive_skb_list_core+0x220/0x4c0\nnetif_receive_skb_list_internal+0x446/0x620\nnapi_complete_done+0x157/0x3d0\ngro_cell_poll+0xcf/0x100\n__napi_poll+0x65/0x310\nnet_rx_action+0x30c/0x5c0\n__do_softirq+0x14f/0x491\nFreed by task 6469:\nkasan_save_stack+0x38/0x70\nkasan_set_track+0x25/0x40\nkasan_save_free_info+0x2b/0x60\n____kasan_slab_free+0x180/0x1f0\n__kasan_slab_free+0x12/0x30\nslab_free_freelist_hook+0xd2/0x1a0\n__kmem_cache_free+0x1a2/0x2f0\nkfree+0x78/0x120\nnf_conntrack_free+0x74/0x130 [nf_conntrack]\nnf_ct_destroy+0xb2/0x140 [nf_conntrack]\n__nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\nnf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\n__nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\ntcf_ct_act+0x12ad/0x1350 [act_ct]\ntcf_action_exec+0xf8/0x1f0\nfl_classify+0x355/0x360 [cls_flower]\n__tcf_classify+0x1fd/0x330\ntcf_classify+0x21c/0x3c0\nsch_handle_ingress.constprop.0+0x2c5/0x500\n__netif_receive_skb_core.constprop.0+0xb25/0x1510\n__netif_receive_skb_list_core+0x220/0x4c0\nnetif_receive_skb_list_internal+0x446/0x620\nnapi_complete_done+0x157/0x3d0\ngro_cell_poll+0xcf/0x100\n__napi_poll+0x65/0x310\nnet_rx_action+0x30c/0x5c0\n__do_softirq+0x14f/0x491\nThe ct may be dropped if a clash has been resolved but is still passed to\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\ncan be fixed by retrieving ct from skb again after confirming conntrack.", "A use-after-free vulnerability was found in the net/sched tcf_ct_flow_table_process_conn function of the Linux kernel. This flaw allows an attacker with a crafted payload to induce a system crash, resulting in a loss of system availability." ],
  "statement" : "Because exploitation of this flaw requires an attacker to have sufficient access to a system to generate significant amounts of spurious traffic, and because an attacker has very limited control over the consequences of the data corruption caused by this vulnerability, Red Hat assesses its impact as Moderate.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7001",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7000",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.22.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-10-15T00:00:00Z",
    "advisory" : "RHSA-2024:8107",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.75.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-11T00:00:00Z",
    "advisory" : "RHSA-2024:6567",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.35.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-11T00:00:00Z",
    "advisory" : "RHSA-2024:6567",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.35.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-01-08T00:00:00Z",
    "advisory" : "RHSA-2025:0063",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.99.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-01-08T00:00:00Z",
    "advisory" : "RHSA-2025:0064",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.99.1.rt14.384.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-41040\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-41040\nhttps://lore.kernel.org/linux-cve-announce/2024072924-CVE-2024-41040-63d5@gregkh/T" ],
  "name" : "CVE-2024-41040",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}