PT-2024-10070 · Linux+9 · Linux Kernel+9
Byeonguk Jeong · Published 2024-10-29 · Updated 2025-10-03 · CVE-2024-50262
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.61
Description
The issue is related to an out-of-bounds write in the trie_get_next_key() function in the Linux kernel's bpf module. This occurs when the function allocates a node stack with size trie->max_prefixlen but writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, in a trie with max_prefixlen set to 8 and nodes with keys 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted, subsequent calls to trie_get_next_key() with a key having .prefixlen = 8 can cause 9 nodes to be written on the node stack with size 8. This can potentially impact the confidentiality, integrity, and availability of protected information.
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.61 or later. As a temporary workaround, consider restricting the use of the trie_get_next_key() function until a patch is available. Avoid using the trie_get_next_key() function with keys that have a .prefixlen equal to trie->max_prefixlen to minimize the risk of exploitation.
Exploit
Fix
Memory Corruption
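The off-by-one from the Description, as an added example that is not kernel code and not part of the original advisory: a user-space C model that counts how many node pushes fall outside a stack of max_prefixlen slots versus one of max_prefixlen + 1 slots. The struct node type and the build_full_path and pushes_past_end helpers are hypothetical names, and the walk is a simplified single-child chain with bounds-checked pushes.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model, not kernel code: one node per prefix length, chained
 * root -> leaf, like the keys 0x00/0 ... 0x00/8 in the description. */
struct node { unsigned prefixlen; struct node *child; };

/* Build the full path 0x00/0, 0x00/1, ... 0x00/max_prefixlen. */
static struct node *build_full_path(unsigned max_prefixlen)
{
    struct node *root = NULL, **link = &root;
    for (unsigned len = 0; len <= max_prefixlen; len++) {
        struct node *n = calloc(1, sizeof(*n));
        if (!n) abort();
        n->prefixlen = len;
        *link = n;
        link = &n->child;
    }
    return root;
}

/* Walk toward the key, pushing every visited node (assumed traversal model).
 * Pushes are bounds-checked here; the return value is how many of them
 * would have landed past the end of a stack with `capacity` slots. */
static size_t pushes_past_end(const struct node *root, unsigned key_prefixlen,
                              size_t capacity)
{
    const struct node **stack = calloc(capacity + 1, sizeof(*stack));
    size_t top = 0, past_end = 0;
    if (!stack) abort();
    for (const struct node *n = root; n; n = n->child) {
        if (top < capacity) stack[top] = n; else past_end++;
        top++;
        if (n->prefixlen == key_prefixlen) break;  /* exact match ends the walk */
    }
    free(stack);
    return past_end;
}

int main(void)
{
    unsigned max_prefixlen = 8;  /* value taken from the description's example */
    struct node *root = build_full_path(max_prefixlen);
    printf("stack of max_prefixlen slots:     %zu push(es) past the end\n",
           pushes_past_end(root, 8, max_prefixlen));
    printf("stack of max_prefixlen + 1 slots: %zu push(es) past the end\n",
           pushes_past_end(root, 8, max_prefixlen + 1));
    return 0;
}
```

A path that holds one node for each prefix length from 0 to max_prefixlen contains max_prefixlen + 1 nodes, so only a stack with that many slots fits the walk.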
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu