PT-2024-33926 · Linux+2 · Linux Kernel+2
Yury Vostrikov
·
Published
2024-10-02
·
Updated
2025-02-28
·
CVE-2024-50094
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.11.3
Description:
A crash in the sfc driver has been reported, originating from netpoll send udp(). The netconsole sends a message, and then netpoll invokes the driver's NAPI function with a budget of zero, which is dedicated to allow the driver to free TX resources. However, in the netpoll case, the driver invokes
xdp do flush() unconditionally, leading to a crash because bpf net context was never assigned. This issue can be exploited to cause a denial of service via sfc xdp do flush.Recommendations:
For Linux kernel versions prior to 6.11.3, upgrade the kernel immediately to mitigate the risk of system unavailability. As a temporary workaround, consider restricting the use of the
xdp do flush() function in the sfc driver until a patch is available.Exploit
Fix
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Ubuntu