CVE-2024-53088: i40e: fix race condition by adding filter's intermediate sync state

Published Nov 19, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

i40e: fix race condition by adding filter's intermediate sync state

Fix a race condition in the i40e driver that leads to MAC/VLAN filters becoming corrupted and leaking. Address the issue that occurs under heavy load when multiple threads are concurrently modifying MAC/VLAN filters by setting mac and port VLAN.

1. Thread T0 allocates a filter in i40eaddfilter() within i40endosetvfportvlan(). 2. Thread T1 concurrently frees the filter in i40edelfilter() within i40endosetvfmac(). 3. Subsequently, i40eservicetask() calls i40esyncvsifilters(), which refers to the already freed filter memory, causing corruption.

Reproduction steps: 1. Spawn multiple VFs. 2. Apply a concurrent heavy load by running parallel operations to change MAC addresses on the VFs and change port VLANs on the host. 3. Observe errors in dmesg: "Error I40EAQRCENOSPC adding RX filters on VF XX, please set promiscuous on manually for VF XX".

Exact code for stable reproduction Intel can't open-source now.

The fix involves implementing a new intermediate filter state, I40EFILTERNEWSYNC, for the time when a filter is on a tmpaddlist. These filters cannot be deleted from the hash list directly but must be removed using the full process.

Other sources

This CVE was automatically created from a reference found in an email or other text. If you are reading this, then this CVE entry is probably erroneous, since this text should be replaced by the official CVE description automatically.

Launchpad

Affected Software

14 affected componentsFixes available
Linux Linux kernel>=4.10<5.15.172
Linux Linux kernel>=5.16<6.1.117
Linux Linux kernel>=6.2<6.6.61
Linux Linux kernel>=6.7<6.11.8
Linux Linux kernel=6.12-rc1
Linux Linux kernel=6.12-rc2
Linux Linux kernel=6.12-rc3
Linux Linux kernel=6.12-rc4
Linux Linux kernel=6.12-rc5
Linux Linux kernel=6.12-rc6
debian/linux<=5.10.223-1, <=5.10.234-1
6.1.129-16.1.135-16.12.25-1
debian/linux-6.1
6.1.129-1~deb11u1
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance - Identity Manager virtual appliance component<=ISVG 10.0.2

Remediation

Patch Available

https://git.kernel.org/stable/c/262dc6ea5f1eb18c4d08ad83d51222d0dd0dd42a

Patch Available

https://git.kernel.org/stable/c/6e046f4937474bc1b9fa980c1ad8f3253fc638f6

Patch Available

https://git.kernel.org/stable/c/7ad3fb3bfd43feb4e15c81dffd23ac4e55742791

Patch Available

https://git.kernel.org/stable/c/bf5f837d9fd27d32fb76df0a108babcaf4446ff1

Patch Available

https://git.kernel.org/stable/c/f30490e9695ef7da3d0899c6a0293cc7cd373567

Event History

Nov 19, 2024
CVE Published
via MITRE·05:45 PM
Data Sourced
via MITRE·05:45 PM
Description
Data Sourced
via Red Hat·06:01 PM
DescriptionSeverityAffected Software
Data Sourced
via NVD·06:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Feb 20, 2025
Data Sourced
via Launchpad·12:51 AM
Description
Apr 29, 2025
Data Sourced
via Ubuntu·01:09 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-53088?

CVE-2024-53088 is classified with a medium severity rating due to a race condition in the i40e driver that can lead to MAC/VLAN filter corruption.

2

How do I fix CVE-2024-53088?

To fix CVE-2024-53088, users should update the Linux kernel to a patched version that resolves the race condition in the i40e driver.

3

Which Linux kernel versions are affected by CVE-2024-53088?

CVE-2024-53088 affects Linux kernel versions from 4.10 to 5.15.172, 5.16 to 6.1.117, 6.2 to 6.6.61, 6.7 to 6.11.8, and specific release candidates 6.12-rc1 to 6.12-rc6.

4

What impact does CVE-2024-53088 have on system security?

The impact of CVE-2024-53088 includes potential information leaks and compromised network integrity due to corrupted MAC/VLAN filters.

5

Is there a workaround for CVE-2024-53088?

Currently, there is no documented workaround for CVE-2024-53088 other than upgrading to a secure version of the Linux kernel.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203