CVE-2024-45016

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.10.6

Description A bug in the netem enqueue() function can lead to a use-after-free issue. This occurs when a packet is duplicated and the original packet is dropped, causing the parent qdisc's q.qlen to be mistakenly incremented. As a result, qlen notify() may be skipped during destruction, leaving a dangling pointer for some classful qdiscs like DRR. The issue arises in two scenarios: when the duplicated packet is dropped by rootq->enqueue() and the original packet is also dropped, or when rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases, NET XMIT SUCCESS is returned even though no packets are enqueued at the netem qdisc.

Recommendations To resolve the issue, upgrade the Linux kernel to a version later than 6.10.6. As a temporary workaround, consider disabling the netem enqueue() function until a patch is available. Restrict access to the vulnerable netem module to minimize the risk of exploitation. Avoid using the rootq->enqueue() function with duplicated packets until the issue is resolved.