ghsa-5v92-qmvx-fgv4
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
net: do not delay dst_entries_add() in dst_release()
dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy()
Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy()
dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already.
Decrementing the number of dsts must happen sooner.
Notes:
1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this.
2) There is also discussion about removing this count of dst, which might happen in future kernels.
{
"affected": [],
"aliases": [
"CVE-2024-50036"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:16Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not delay dst_entries_add() in dst_release()\n\ndst_entries_add() uses per-cpu data that might be freed at netns\ndismantle from ip6_route_net_exit() calling dst_entries_destroy()\n\nBefore ip6_route_net_exit() can be called, we release all\nthe dsts associated with this netns, via calls to dst_release(),\nwhich waits an rcu grace period before calling dst_destroy()\n\ndst_entries_add() use in dst_destroy() is racy, because\ndst_entries_destroy() could have been called already.\n\nDecrementing the number of dsts must happen sooner.\n\nNotes:\n\n1) in CONFIG_XFRM case, dst_destroy() can call\n dst_release_immediate(child), this might also cause UAF\n if the child does not have DST_NOCOUNT set.\n IPSEC maintainers might take a look and see how to address this.\n\n2) There is also discussion about removing this count of dst,\n which might happen in future kernels.",
"id": "GHSA-5v92-qmvx-fgv4",
"modified": "2025-11-04T00:31:45Z",
"published": "2024-10-21T21:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50036"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.