CVE-2024-41040: net/sched: Fix UAF when resolving a clash

Published Jul 29, 2024

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Fix UAF when resolving a clash

KASAN reports the following UAF:

  BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
  Read of size 1 at addr ffff888c07603600 by task handler130/6469

  Call Trace:
   <IRQ>
   dump_stack_lvl+0x48/0x70
   print_address_description.constprop.0+0x33/0x3d0
   print_report+0xc0/0x2b0
   kasan_report+0xd0/0x120
   __asan_load1+0x6c/0x80
   tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
   tcf_ct_act+0x886/0x1350 [act_ct]
   tcf_action_exec+0xf8/0x1f0
   fl_classify+0x355/0x360 [cls_flower]
   __tcf_classify+0x1fd/0x330
   tcf_classify+0x21c/0x3c0
   sch_handle_ingress.constprop.0+0x2c5/0x500
   __netif_receive_skb_core.constprop.0+0xb25/0x1510
   __netif_receive_skb_list_core+0x220/0x4c0
   netif_receive_skb_list_internal+0x446/0x620
   napi_complete_done+0x157/0x3d0
   gro_cell_poll+0xcf/0x100
   __napi_poll+0x65/0x310
   net_rx_action+0x30c/0x5c0
   __do_softirq+0x14f/0x491
   __irq_exit_rcu+0x82/0xc0
   irq_exit_rcu+0xe/0x20
   common_interrupt+0xa1/0xb0
   </IRQ>
   <TASK>
   asm_common_interrupt+0x27/0x40

  Allocated by task 6469:
   kasan_save_stack+0x38/0x70
   kasan_set_track+0x25/0x40
   kasan_save_alloc_info+0x1e/0x40
   __kasan_krealloc+0x133/0x190
   krealloc+0xaa/0x130
   nf_ct_ext_add+0xed/0x230 [nf_conntrack]
   tcf_ct_act+0x1095/0x1350 [act_ct]
   tcf_action_exec+0xf8/0x1f0
   fl_classify+0x355/0x360 [cls_flower]
   __tcf_classify+0x1fd/0x330
   tcf_classify+0x21c/0x3c0
   sch_handle_ingress.constprop.0+0x2c5/0x500
   __netif_receive_skb_core.constprop.0+0xb25/0x1510
   __netif_receive_skb_list_core+0x220/0x4c0
   netif_receive_skb_list_internal+0x446/0x620
   napi_complete_done+0x157/0x3d0
   gro_cell_poll+0xcf/0x100
   __napi_poll+0x65/0x310
   net_rx_action+0x30c/0x5c0
   __do_softirq+0x14f/0x491

  Freed by task 6469:
   kasan_save_stack+0x38/0x70
   kasan_set_track+0x25/0x40
   kasan_save_free_info+0x2b/0x60
   __kasan_slab_free+0x180/0x1f0
   kasan_slab_free+0x12/0x30
   slab_free_freelist_hook+0xd2/0x1a0
   kmem_cache_free+0x1a2/0x2f0
   kfree+0x78/0x120
   nf_conntrack_free+0x74/0x130 [nf_conntrack]
   nf_ct_destroy+0xb2/0x140 [nf_conntrack]
   __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]
   nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]
   __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]
   tcf_ct_act+0x12ad/0x1350 [act_ct]
   tcf_action_exec+0xf8/0x1f0
   fl_classify+0x355/0x360 [cls_flower]
   __tcf_classify+0x1fd/0x330
   tcf_classify+0x21c/0x3c0
   sch_handle_ingress.constprop.0+0x2c5/0x500
   __netif_receive_skb_core.constprop.0+0xb25/0x1510
   __netif_receive_skb_list_core+0x220/0x4c0
   netif_receive_skb_list_internal+0x446/0x620
   napi_complete_done+0x157/0x3d0
   gro_cell_poll+0xcf/0x100
   __napi_poll+0x65/0x310
   net_rx_action+0x30c/0x5c0
   __do_softirq+0x14f/0x491

The ct may be dropped if a clash has been resolved but is still passed to the tcf_ct_flow_table_process_conn function for further usage. This issue can be fixed by retrieving ct from skb again after confirming conntrack.
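The pattern the commit message describes, as an added example that is not kernel code and not taken from the page's sources: a small user-space C model of tcf_ct_act() before and after the fix. The names model_ct, model_skb, model_confirm, model_process_conn, act_ct_vulnerable, act_ct_fixed and run_scenario are hypothetical stand-ins for the kernel's nf_conn, sk_buff, nf_conntrack_confirm(), tcf_ct_flow_table_process_conn() and the two versions of tcf_ct_act(); kfree() is modelled by a "freed" flag so the stale access is detected deterministically instead of being undefined behaviour. The scenario (two packets of one flow, each carrying its own unconfirmed entry) is constructed for the example. In the real kernel the re-read after confirmation is done with nf_ct_get(skb, &ctinfo).

```c
/* Added example: user-space model of the act_ct use-after-free. Not kernel
 * code; all names are hypothetical stand-ins for the kernel objects named
 * in the lead-in. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { CT_CONFIRMED = 1 };

struct model_ct {
    int tuple;          /* stands in for the connection 5-tuple */
    unsigned flags;
    int refcnt;
    bool freed;         /* set when the last reference is dropped (models kfree) */
};

struct model_skb {
    struct model_ct *ct;   /* skb->_nfct: the entry attached to the packet */
};

#define TABLE_SIZE 4
static struct model_ct *confirmed[TABLE_SIZE];   /* the confirmed conntrack table */

static void model_ct_put(struct model_ct *ct)
{
    if (--ct->refcnt == 0)
        ct->freed = true;   /* kernel: nf_ct_destroy() -> nf_conntrack_free() */
}

/* nf_conntrack_confirm() with clash resolution: if an entry with the same
 * tuple is already confirmed, the skb is re-pointed at that entry and the
 * unconfirmed loser is destroyed. Otherwise the entry is inserted. */
static int model_confirm(struct model_skb *skb)
{
    struct model_ct *ct = skb->ct;
    int i;

    for (i = 0; i < TABLE_SIZE; i++) {
        struct model_ct *old = confirmed[i];
        if (old && old->tuple == ct->tuple) {
            old->refcnt++;
            skb->ct = old;      /* the packet now references the winner */
            model_ct_put(ct);   /* the loser may be freed right here */
            return 0;
        }
    }
    for (i = 0; i < TABLE_SIZE; i++) {
        if (!confirmed[i]) {
            ct->flags |= CT_CONFIRMED;
            ct->refcnt++;       /* the table holds its own reference */
            confirmed[i] = ct;
            return 0;
        }
    }
    return -1;                  /* table full: drop */
}

/* tcf_ct_flow_table_process_conn(): reads ct fields. 1 = confirmed entry,
 * 0 = unconfirmed, -1 = handed freed memory (KASAN's slab-use-after-free). */
static int model_process_conn(const struct model_ct *ct)
{
    if (ct->freed)
        return -1;
    return (ct->flags & CT_CONFIRMED) ? 1 : 0;
}

/* Pre-fix tcf_ct_act(): caches the pointer before confirm and keeps using it. */
static int act_ct_vulnerable(struct model_skb *skb)
{
    struct model_ct *ct = skb->ct;      /* read before confirm */

    if (model_confirm(skb) < 0)
        return -2;
    return model_process_conn(ct);      /* stale if a clash was resolved */
}

/* Fixed tcf_ct_act(): re-reads the entry from the skb after confirm. */
static int act_ct_fixed(struct model_skb *skb)
{
    if (model_confirm(skb) < 0)
        return -2;
    return model_process_conn(skb->ct); /* read again, after confirm */
}

/* Constructed scenario: two packets of one flow each carry their own
 * unconfirmed entry for tuple 42, so the second confirm hits a clash.
 * Returns the result of processing the second packet. */
static int run_scenario(bool fixed)
{
    struct model_ct a = { .tuple = 42, .refcnt = 1 };
    struct model_ct b = { .tuple = 42, .refcnt = 1 };
    struct model_skb skb1 = { .ct = &a }, skb2 = { .ct = &b };

    memset(confirmed, 0, sizeof(confirmed));
    if (fixed) {
        act_ct_fixed(&skb1);
        return act_ct_fixed(&skb2);
    }
    act_ct_vulnerable(&skb1);
    return act_ct_vulnerable(&skb2);
}

int main(void)
{
    printf("vulnerable: %d (-1 = used a freed ct)\n", run_scenario(false));
    printf("fixed:      %d (1 = confirmed ct)\n", run_scenario(true));
    return 0;
}
```

The first packet inserts entry a; the second packet's confirm finds a already there, re-points the skb at a and drops b. The pre-fix flow still dereferences b (the model returns -1 where the kernel took the KASAN report), while the fixed flow reads skb->ct again and lands on a. The same shape applies to any "call a function that may replace the object, then use the pointer you read earlier" bug: refresh the pointer from its owner after the call, or hold your own reference across it.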

Other sources

Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by a use-after-free flaw when resolving a clash. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

IBM

Affected Software

18 affected components; fixes available. Upper bounds in the ranges are exclusive: the version after "<" is the first release of that series carrying the fix.

Component | Affected versions | Fixed version
Linux kernel | >=5.10.43 <5.10.222 |
Linux kernel | >=5.12.10 <5.13 |
Linux kernel | >=5.13 <5.15.163 |
Linux kernel | >=5.16 <6.1.100 |
Linux kernel | >=6.2 <6.6.41 |
Linux kernel | >=6.7 <6.9.10 |
redhat/kernel | <5.10.222 | 5.10.222
redhat/kernel | <5.15.163 | 5.15.163
redhat/kernel | <6.1.100 | 6.1.100
redhat/kernel | <6.6.41 | 6.6.41
redhat/kernel | <6.9.10 | 6.9.10
redhat/kernel | <6.10 | 6.10
IBM Security Verify Governance | <=ISVG 10.0.2 |
IBM Security Verify Governance, Identity Manager Software Stack | <=ISVG 10.0.2 |
IBM Security Verify Governance, Identity Manager Virtual Appliance | <=ISVG 10.0.2 |
IBM Security Verify Governance Identity Manager Container | <=ISVG 10.0.2 |
debian/linux | | 5.10.223-1, 5.10.234-1, 6.1.129-1, 6.1.135-1, 6.12.25-1, 6.12.27-1
debian/linux-6.1 | | 6.1.129-1~deb11u1

Event History

Jul 29, 2024
  CVE Published via MITRE, 02:31 PM
  Data Sourced via MITRE, 02:31 PM (Description)
  Data Sourced via NVD, 03:15 PM (Remedy, Description, Severity, Weakness, Affected Software)
Oct 25, 2024
  Data Sourced via Launchpad, 04:40 PM (Description)
May 1, 2025
  Data Sourced via Ubuntu, 06:17 PM (Remedy, Description, Severity, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2024-41040?

CVE-2024-41040 is a use-after-free of kernel memory, reached on the packet receive path in softirq context (the trace above runs from net_rx_action through cls_flower into act_ct). IBM's advisory, quoted above, describes the impact as arbitrary code execution by a local authenticated attacker. This page does not reproduce a CVSS score; take the rating from NVD or from your distribution's advisory for the kernel you run.

2. How do I fix CVE-2024-41040?

Upgrade to a kernel that contains the fix "net/sched: Fix UAF when resolving a clash": 5.10.222, 5.15.163, 6.1.100, 6.6.41, 6.9.10 or 6.10, or any later release of the same stable series, or the distribution packages listed under Affected Software (for Debian, linux 5.10.223-1, 6.1.129-1 and later, and linux-6.1 6.1.129-1~deb11u1). The vulnerable code is only reached when a tc filter invokes the ct action (the trace shows cls_flower calling into act_ct), so hosts that use the tc ct action should be patched first.

3. Which Linux kernel versions are affected by CVE-2024-41040?

Per the Affected Software table: 5.10.43 up to but not including 5.10.222; 5.12.10 up to 5.13; 5.13 up to 5.15.163; 5.16 up to 6.1.100; 6.2 up to 6.6.41; and 6.7 up to 6.9.10. Each upper bound is the first fixed release of that series. The Red Hat kernel packages, Debian linux packages and IBM Security Verify Governance 10.0.2 entries listed above are affected through the kernels they ship.

4. What type of vulnerability is CVE-2024-41040?

A use-after-free in net/sched's act_ct action. tcf_ct_act() obtains the conntrack entry (ct) attached to the skb, calls into nf_conntrack_confirm(), and then passes the same pointer to tcf_ct_flow_table_process_conn(). If confirmation finds a clash (an already-confirmed entry for the same flow), nf_ct_resolve_clash() destroys the new entry (nf_ct_destroy -> nf_conntrack_free -> kfree in the "Freed by" trace), so the pointer tcf_ct_act() still holds is dangling when it is dereferenced. The fix re-reads ct from the skb after confirmation.

5. Who resolved CVE-2024-41040?

It was fixed upstream in the Linux kernel's net/sched subsystem with the commit "net/sched: Fix UAF when resolving a clash"; the stable and distribution releases carrying that fix are listed under Affected Software.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co