{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-05T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: sched: use RCU read-side critical section in taprio_dump()",
    "id" : "2323924",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2323924"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: sched: use RCU read-side critical section in taprio_dump()\nFix possible use-after-free in 'taprio_dump()' by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862]  dump_backtrace+0x20c/0x220\n[T15862]  show_stack+0x2c/0x40\n[T15862]  dump_stack_lvl+0xf8/0x174\n[T15862]  print_report+0x170/0x4d8\n[T15862]  kasan_report+0xb8/0x1d4\n[T15862]  __asan_report_load4_noabort+0x20/0x2c\n[T15862]  taprio_dump+0xa0c/0xbb0\n[T15862]  tc_fill_qdisc+0x540/0x1020\n[T15862]  qdisc_notify.isra.0+0x330/0x3a0\n[T15862]  tc_modify_qdisc+0x7b8/0x1838\n[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862]  netlink_rcv_skb+0x1f8/0x3d4\n[T15862]  rtnetlink_rcv+0x28/0x40\n[T15862]  netlink_unicast+0x51c/0x790\n[T15862]  netlink_sendmsg+0x79c/0xc20\n[T15862]  __sock_sendmsg+0xe0/0x1a0\n[T15862]  ____sys_sendmsg+0x6c0/0x840\n[T15862]  ___sys_sendmsg+0x1ac/0x1f0\n[T15862]  __sys_sendmsg+0x110/0x1d0\n[T15862]  __arm64_sys_sendmsg+0x74/0xb0\n[T15862]  invoke_syscall+0x88/0x2e0\n[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862]  do_el0_svc+0x44/0x60\n[T15862]  el0_svc+0x50/0x184\n[T15862]  el0t_64_sync_handler+0x120/0x12c\n[T15862]  el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862]  kasan_save_stack+0x3c/0x70\n[T15862]  kasan_save_track+0x20/0x3c\n[T15862]  kasan_save_alloc_info+0x40/0x60\n[T15862]  __kasan_kmalloc+0xd4/0xe0\n[T15862]  __kmalloc_cache_noprof+0x194/0x334\n[T15862]  taprio_change+0x45c/0x2fe0\n[T15862]  tc_modify_qdisc+0x6a8/0x1838\n[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862]  netlink_rcv_skb+0x1f8/0x3d4\n[T15862]  rtnetlink_rcv+0x28/0x40\n[T15862]  netlink_unicast+0x51c/0x790\n[T15862]  netlink_sendmsg+0x79c/0xc20\n[T15862]  __sock_sendmsg+0xe0/0x1a0\n[T15862]  ____sys_sendmsg+0x6c0/0x840\n[T15862]  ___sys_sendmsg+0x1ac/0x1f0\n[T15862]  __sys_sendmsg+0x110/0x1d0\n[T15862]  __arm64_sys_sendmsg+0x74/0xb0\n[T15862]  invoke_syscall+0x88/0x2e0\n[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862]  do_el0_svc+0x44/0x60\n[T15862]  el0_svc+0x50/0x184\n[T15862]  el0t_64_sync_handler+0x120/0x12c\n[T15862]  el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862]  kasan_save_stack+0x3c/0x70\n[T15862]  kasan_save_track+0x20/0x3c\n[T15862]  kasan_save_free_info+0x4c/0x80\n[T15862]  poison_slab_object+0x110/0x160\n[T15862]  __kasan_slab_free+0x3c/0x74\n[T15862]  kfree+0x134/0x3c0\n[T15862]  taprio_free_sched_cb+0x18c/0x220\n[T15862]  rcu_core+0x920/0x1b7c\n[T15862]  rcu_core_si+0x10/0x1c\n[T15862]  handle_softirqs+0x2e8/0xd64\n[T15862]  __do_softirq+0x14/0x20", "A use-after-free vulnerability was found in the taprio_dump() function in the Linux kernel." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50126\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50126\nhttps://lore.kernel.org/linux-cve-announce/2024110557-CVE-2024-50126-733b@gregkh/T" ],
  "name" : "CVE-2024-50126",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}