{ "threat_severity" : "Moderate", "public_date" : "2024-09-11T00:00:00Z", "bugzilla" : { "description" : "kernel: netem: fix return value if duplicate enqueue fails", "id" : "2311713", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2311713" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetem: fix return value if duplicate enqueue fails\nThere is a bug in netem_enqueue() introduced by\ncommit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\")\nthat can lead to a use-after-free.\nThis commit made netem_enqueue() always return NET_XMIT_SUCCESS\nwhen a packet is duplicated, which can cause the parent qdisc's q.qlen\nto be mistakenly incremented. When this happens qlen_notify() may be\nskipped on the parent during destruction, leaving a dangling pointer\nfor some classful qdiscs like DRR.\nThere are two ways for the bug happen:\n- If the duplicated packet is dropped by rootq->enqueue() and then\nthe original packet is also dropped.\n- If rootq->enqueue() sends the duplicated packet to a different qdisc\nand the original packet is dropped.\nIn both cases NET_XMIT_SUCCESS is returned even though no packets\nare enqueued at the netem qdisc.\nThe fix is to defer the enqueue of the duplicate packet until after\nthe original packet has been guaranteed to return NET_XMIT_SUCCESS.", "A flaw use after free in the Linux kernel Network emulator (NETEM) functionality was found. A local user could use this flaw to crash the system or potentially escalate their privileges on the system." ], "statement" : "Red Hat Enterprise Linux starting from 8.10 versions are affected.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-45016\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45016\nhttps://lore.kernel.org/linux-cve-announce/2024091108-CVE-2024-45016-fd5a@gregkh/T" ], "name" : "CVE-2024-45016", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }