{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: macsec: Fix use-after-free while sending the offloading packet",
    "id" : "2324901",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2324901"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmacsec: Fix use-after-free while sending the offloading packet\nKASAN reports the following UAF. The metadata_dst, which is used to\nstore the SCI value for macsec offload, is already freed by\nmetadata_dst_free() in macsec_free_netdev(), while driver still use it\nfor sending the packet.\nTo fix this issue, dst_release() is used instead to release\nmetadata_dst. So it is not freed instantly in macsec_free_netdev() if\nstill referenced by skb.\nBUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\nRead of size 2 at addr ffff88813e42e038 by task kworker/7:2/714\n[...]\nWorkqueue: mld mld_ifc_work\nCall Trace:\n<TASK>\ndump_stack_lvl+0x51/0x60\nprint_report+0xc1/0x600\nkasan_report+0xab/0xe0\nmlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\ndev_hard_start_xmit+0x120/0x530\nsch_direct_xmit+0x149/0x11e0\n__qdisc_run+0x3ad/0x1730\n__dev_queue_xmit+0x1196/0x2ed0\nvlan_dev_hard_start_xmit+0x32e/0x510 [8021q]\ndev_hard_start_xmit+0x120/0x530\n__dev_queue_xmit+0x14a7/0x2ed0\nmacsec_start_xmit+0x13e9/0x2340\ndev_hard_start_xmit+0x120/0x530\n__dev_queue_xmit+0x14a7/0x2ed0\nip6_finish_output2+0x923/0x1a70\nip6_finish_output+0x2d7/0x970\nip6_output+0x1ce/0x3a0\nNF_HOOK.constprop.0+0x15f/0x190\nmld_sendpack+0x59a/0xbd0\nmld_ifc_work+0x48a/0xa80\nprocess_one_work+0x5aa/0xe50\nworker_thread+0x79c/0x1290\nkthread+0x28f/0x350\nret_from_fork+0x2d/0x70\nret_from_fork_asm+0x11/0x20\n</TASK>\nAllocated by task 3922:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x10/0x30\n__kasan_kmalloc+0x77/0x90\n__kmalloc_noprof+0x188/0x400\nmetadata_dst_alloc+0x1f/0x4e0\nmacsec_newlink+0x914/0x1410\n__rtnl_newlink+0xe08/0x15b0\nrtnl_newlink+0x5f/0x90\nrtnetlink_rcv_msg+0x667/0xa80\nnetlink_rcv_skb+0x12c/0x360\nnetlink_unicast+0x551/0x770\nnetlink_sendmsg+0x72d/0xbd0\n__sock_sendmsg+0xc5/0x190\n____sys_sendmsg+0x52e/0x6a0\n___sys_sendmsg+0xeb/0x170\n__sys_sendmsg+0xb5/0x140\ndo_syscall_64+0x4c/0x100\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\nFreed by task 4011:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x10/0x30\nkasan_save_free_info+0x37/0x50\npoison_slab_object+0x10c/0x190\n__kasan_slab_free+0x11/0x30\nkfree+0xe0/0x290\nmacsec_free_netdev+0x3f/0x140\nnetdev_run_todo+0x450/0xc70\nrtnetlink_rcv_msg+0x66f/0xa80\nnetlink_rcv_skb+0x12c/0x360\nnetlink_unicast+0x551/0x770\nnetlink_sendmsg+0x72d/0xbd0\n__sock_sendmsg+0xc5/0x190\n____sys_sendmsg+0x52e/0x6a0\n___sys_sendmsg+0xeb/0x170\n__sys_sendmsg+0xb5/0x140\ndo_syscall_64+0x4c/0x100\nentry_SYSCALL_64_after_hwframe+0x4b/0x53", "A use-after-free vulnerability was found in the Linux kernel. The metadata_dst, which is used to store the SCI value for macsec offload, is freed by metadata_dst_free() in macsec_free_netdev(), while the driver still uses it to send the packet." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50261\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50261\nhttps://lore.kernel.org/linux-cve-announce/2024110940-CVE-2024-50261-3a20@gregkh/T" ],
  "name" : "CVE-2024-50261",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}