{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-50126", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T19:36:19.954Z", "datePublished": "2024-11-05T17:10:53.741Z", "dateUpdated": "2025-11-03T22:25:47.069Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:46:38.705Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in 'taprio_dump()' by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862] dump_backtrace+0x20c/0x220\n[T15862] show_stack+0x2c/0x40\n[T15862] dump_stack_lvl+0xf8/0x174\n[T15862] print_report+0x170/0x4d8\n[T15862] kasan_report+0xb8/0x1d4\n[T15862] __asan_report_load4_noabort+0x20/0x2c\n[T15862] taprio_dump+0xa0c/0xbb0\n[T15862] tc_fill_qdisc+0x540/0x1020\n[T15862] qdisc_notify.isra.0+0x330/0x3a0\n[T15862] tc_modify_qdisc+0x7b8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_alloc_info+0x40/0x60\n[T15862] __kasan_kmalloc+0xd4/0xe0\n[T15862] __kmalloc_cache_noprof+0x194/0x334\n[T15862] taprio_change+0x45c/0x2fe0\n[T15862] tc_modify_qdisc+0x6a8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_free_info+0x4c/0x80\n[T15862] poison_slab_object+0x110/0x160\n[T15862] __kasan_slab_free+0x3c/0x74\n[T15862] kfree+0x134/0x3c0\n[T15862] taprio_free_sched_cb+0x18c/0x220\n[T15862] rcu_core+0x920/0x1b7c\n[T15862] rcu_core_si+0x10/0x1c\n[T15862] handle_softirqs+0x2e8/0xd64\n[T15862] __do_softirq+0x14/0x20"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_taprio.c"], "versions": [{"version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39", "lessThan": "b911fa9e92ee586e36479ad57b88f20471acaca1", "status": "affected", "versionType": "git"}, {"version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39", "lessThan": "5d282467245f267c0b9ada3f7f309ff838521536", "status": "affected", "versionType": "git"}, {"version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39", "lessThan": "e4369cb6acf6b895ac2453cc1cdf2f4326122c6d", "status": "affected", "versionType": "git"}, {"version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39", "lessThan": "b22db8b8befe90b61c98626ca1a2fbb0505e9fe3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_taprio.c"], "versions": [{"version": "6.1", "status": "affected"}, {"version": "0", "lessThan": "6.1", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.117", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.59", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.6", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.117"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.6.59"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.11.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1"}, {"url": "https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536"}, {"url": "https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d"}, {"url": "https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3"}], "title": "net: sched: use RCU read-side critical section in taprio_dump()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-50126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-11T14:28:25.069183Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-11T14:58:33.520Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:25:47.069Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-50126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-11T14:28:25.069183Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-11T14:28:26.361Z"}}], "cna": {"title": "net: sched: use RCU read-side critical section in taprio_dump()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "18cdd2f0998a", "lessThan": "b911fa9e92ee", "versionType": "git"}, {"status": "affected", "version": "18cdd2f0998a", "lessThan": "5d282467245f", "versionType": "git"}, {"status": "affected", "version": "18cdd2f0998a", "lessThan": "e4369cb6acf6", "versionType": "git"}, {"status": "affected", "version": "18cdd2f0998a", "lessThan": "b22db8b8befe", "versionType": "git"}], "programFiles": ["net/sched/sch_taprio.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.1"}, {"status": "unaffected", "version": "0", "lessThan": "6.1", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.117", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.59", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.11.6", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/sched/sch_taprio.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1"}, {"url": "https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536"}, {"url": "https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d"}, {"url": "https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3"}], "x_generator": {"engine": "bippy-8e903de6a542"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in 'taprio_dump()' by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862] dump_backtrace+0x20c/0x220\n[T15862] show_stack+0x2c/0x40\n[T15862] dump_stack_lvl+0xf8/0x174\n[T15862] print_report+0x170/0x4d8\n[T15862] kasan_report+0xb8/0x1d4\n[T15862] __asan_report_load4_noabort+0x20/0x2c\n[T15862] taprio_dump+0xa0c/0xbb0\n[T15862] tc_fill_qdisc+0x540/0x1020\n[T15862] qdisc_notify.isra.0+0x330/0x3a0\n[T15862] tc_modify_qdisc+0x7b8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_alloc_info+0x40/0x60\n[T15862] __kasan_kmalloc+0xd4/0xe0\n[T15862] __kmalloc_cache_noprof+0x194/0x334\n[T15862] taprio_change+0x45c/0x2fe0\n[T15862] tc_modify_qdisc+0x6a8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_free_info+0x4c/0x80\n[T15862] poison_slab_object+0x110/0x160\n[T15862] __kasan_slab_free+0x3c/0x74\n[T15862] kfree+0x134/0x3c0\n[T15862] taprio_free_sched_cb+0x18c/0x220\n[T15862] rcu_core+0x920/0x1b7c\n[T15862] rcu_core_si+0x10/0x1c\n[T15862] handle_softirqs+0x2e8/0xd64\n[T15862] __do_softirq+0x14/0x20"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-19T01:17:19.379Z"}}}, "cveMetadata": {"cveId": "CVE-2024-50126", "state": "PUBLISHED", "dateUpdated": "2024-12-11T14:58:33.520Z", "dateReserved": "2024-10-21T19:36:19.954Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-11-05T17:10:53.741Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "73E6DF5B-2C48-44A0-904B-A1EC3684F9D1", "versionEndExcluding": "6.6.59", "versionStartIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4486B12-007B-4794-9857-F07145637AA1", "versionEndExcluding": "6.11.6", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in 'taprio_dump()' by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862] dump_backtrace+0x20c/0x220\n[T15862] show_stack+0x2c/0x40\n[T15862] dump_stack_lvl+0xf8/0x174\n[T15862] print_report+0x170/0x4d8\n[T15862] kasan_report+0xb8/0x1d4\n[T15862] __asan_report_load4_noabort+0x20/0x2c\n[T15862] taprio_dump+0xa0c/0xbb0\n[T15862] tc_fill_qdisc+0x540/0x1020\n[T15862] qdisc_notify.isra.0+0x330/0x3a0\n[T15862] tc_modify_qdisc+0x7b8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_alloc_info+0x40/0x60\n[T15862] __kasan_kmalloc+0xd4/0xe0\n[T15862] __kmalloc_cache_noprof+0x194/0x334\n[T15862] taprio_change+0x45c/0x2fe0\n[T15862] tc_modify_qdisc+0x6a8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_free_info+0x4c/0x80\n[T15862] poison_slab_object+0x110/0x160\n[T15862] __kasan_slab_free+0x3c/0x74\n[T15862] kfree+0x134/0x3c0\n[T15862] taprio_free_sched_cb+0x18c/0x220\n[T15862] rcu_core+0x920/0x1b7c\n[T15862] rcu_core_si+0x10/0x1c\n[T15862] handle_softirqs+0x2e8/0xd64\n[T15862] __do_softirq+0x14/0x20"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: sched: usar la secci\u00f3n cr\u00edtica del lado de lectura de RCU en taprio_dump(). Corrija el posible use-after-free en 'taprio_dump()' agregando all\u00ed la secci\u00f3n cr\u00edtica del lado de lectura de RCU. Nunca visto en x86 pero encontrado en un sistema arm64 habilitado para KASAN al investigar https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa: [T15862] ERROR: KASAN: slab-use-after-free en taprio_dump+0xa0c/0xbb0 [T15862] Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff0000d4bb88f8 por la tarea repro/15862 [T15862] [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro No contaminado 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2 [T15862] Nombre del hardware: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 24/05/2024 [T15862] Seguimiento de llamadas: [T15862] dump_backtrace+0x20c/0x220 [T15862] show_stack+0x2c/0x40 [T15862] dump_stack_lvl+0xf8/0x174 [T15862] print_report+0x170/0x4d8 [T15862] kasan_report+0xb8/0x1d4 [T15862] __asan_report_load4_noabort+0x20/0x2c [T15862] taprio_dump+0xa0c/0xbb0 [T15862] El comando tc_fill_qdisc_notify.isra.0_0x330_0x3a0_tc_modify_qdisc_0x7b8_0x1838_rtnetlink_rcv_msg_0x3c8_0xc20_netlink_rcv_skb_0x1f8_0x3d4_rtnetlink_rcv_0x28_0x40_netlink_unicast_0x51c_0x790_netlink_sendmsg_0x79c_0xc20_tc_sendmsg_0x1a ... [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Asignado por la tarea 15857: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_alloc_info+0x40/0x60 [T15862] __kasan_kmalloc+0xd4/0xe0 [T15862] __kmalloc_cache_noprof+0x194/0x334 [T15862] taprio_change+0x45c/0x2fe0 [T15862] tc_modify_qdisc+0x6a8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Liberado por la tarea 6192: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_free_info+0x4c/0x80 [T15862] poison_slab_object+0x110/0x160 [T15862] __kasan_slab_free+0x3c/0x74 [T15862] kfree+0x134/0x3c0 [T15862] taprio_free_sched_cb+0x18c/0x220 [T15862] rcu_core+0x920/0x1b7c [T15862] rcu_core_si+0x10/0x1c [T15862] handle_softirqs+0x2e8/0xd64 [T15862] __do_softirq+0x14/0x20"}], "id": "CVE-2024-50126", "lastModified": "2025-11-03T23:16:52.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-05T18:15:15.607", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:6966", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.12.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:6966", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.12.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}], "bugzilla": {"description": "kernel: net: sched: use RCU read-side critical section in taprio_dump()", "id": "2323924", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2323924"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: sched: use RCU read-side critical section in taprio_dump()\nFix possible use-after-free in 'taprio_dump()' by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862] dump_backtrace+0x20c/0x220\n[T15862] show_stack+0x2c/0x40\n[T15862] dump_stack_lvl+0xf8/0x174\n[T15862] print_report+0x170/0x4d8\n[T15862] kasan_report+0xb8/0x1d4\n[T15862] __asan_report_load4_noabort+0x20/0x2c\n[T15862] taprio_dump+0xa0c/0xbb0\n[T15862] tc_fill_qdisc+0x540/0x1020\n[T15862] qdisc_notify.isra.0+0x330/0x3a0\n[T15862] tc_modify_qdisc+0x7b8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_alloc_info+0x40/0x60\n[T15862] __kasan_kmalloc+0xd4/0xe0\n[T15862] __kmalloc_cache_noprof+0x194/0x334\n[T15862] taprio_change+0x45c/0x2fe0\n[T15862] tc_modify_qdisc+0x6a8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_free_info+0x4c/0x80\n[T15862] poison_slab_object+0x110/0x160\n[T15862] __kasan_slab_free+0x3c/0x74\n[T15862] kfree+0x134/0x3c0\n[T15862] taprio_free_sched_cb+0x18c/0x220\n[T15862] rcu_core+0x920/0x1b7c\n[T15862] rcu_core_si+0x10/0x1c\n[T15862] handle_softirqs+0x2e8/0xd64\n[T15862] __do_softirq+0x14/0x20", "A use-after-free vulnerability was found in the taprio_dump() function in the Linux kernel."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-50126", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-11-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-50126\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50126\nhttps://lore.kernel.org/linux-cve-announce/2024110557-CVE-2024-50126-733b@gregkh/T"], "threat_severity": "Moderate"}

{}