CVE-2024-35958 in Linux
Summary
by MITRE • 05/20/2024
In the Linux kernel, the following vulnerability has been resolved:
net: ena: Fix incorrect descriptor free behavior
ENA has two types of TX queues:
- queues which only process TX packets arriving from the network stack
- queues which only process TX packets forwarded to it by XDP_REDIRECT or XDP_TX instructions
The ena_free_tx_bufs() cycles through all descriptors in a TX queue and unmaps + frees every descriptor that hasn't been acknowledged yet by the device (uncompleted TX transactions). The function assumes that the processed TX queue is necessarily from the first category listed above and ends up using napi_consume_skb() for descriptors belonging to an XDP specific queue.
This patch solves a bug in which, in case of a VF reset, the descriptors aren't freed correctly, leading to crashes.
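The queue-type mismatch described above, reduced to a user-space C model. This is an added example, not code from the ENA driver or from the fix. The names tx_ring, free_tx_bufs, release_skb and release_xdp_frame and the ring contents are hypothetical; free() stands in for the kernel release routines, and the model only counts wrong releases where the kernel would crash.

```c
/* User-space model of the cleanup bug; not ENA driver code, all names hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum buf_kind { BUF_SKB, BUF_XDP_FRAME };
struct buf { enum buf_kind kind; };            /* tag lets the model spot a wrong release */
struct tx_ring { bool is_xdp; struct buf *slot[4]; };  /* NULL slot = completed by device */
static int mismatched;                         /* buffers released by the wrong routine */

static void release_skb(struct buf *b) { mismatched += (b->kind != BUF_SKB); free(b); }
static void release_xdp_frame(struct buf *b) { mismatched += (b->kind != BUF_XDP_FRAME); free(b); }

static void fill_ring(struct tx_ring *r, bool is_xdp)
{
    r->is_xdp = is_xdp;
    for (int i = 0; i < 4; i++) {
        r->slot[i] = NULL;
        if (i == 1) continue;                  /* constructed: one descriptor already completed */
        if (!(r->slot[i] = malloc(sizeof(struct buf)))) abort();
        r->slot[i]->kind = is_xdp ? BUF_XDP_FRAME : BUF_SKB;
    }
}

/* by_ring_type=false reproduces the described bug: every ring is treated as a stack ring. */
static void free_tx_bufs(struct tx_ring *r, bool by_ring_type)
{
    for (int i = 0; i < 4; i++) {
        if (!r->slot[i]) continue;             /* nothing outstanding in this slot */
        if (by_ring_type && r->is_xdp) release_xdp_frame(r->slot[i]);
        else release_skb(r->slot[i]);
        r->slot[i] = NULL;                     /* never leave a dangling pointer in the ring */
    }
}

/* Simulated reset: clean one stack ring and one XDP ring, return the mismatch count. */
static int reset_cleanup(bool by_ring_type)
{
    struct tx_ring rings[2];
    fill_ring(&rings[0], false);
    fill_ring(&rings[1], true);
    mismatched = 0;
    for (int i = 0; i < 2; i++) free_tx_bufs(&rings[i], by_ring_type);
    return mismatched;
}

int main(void)
{
    printf("assume-skb: %d, by-ring-type: %d\n", reset_cleanup(false), reset_cleanup(true));
    return 0;
}
```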
Analysis
by VulDB Data Team • 12/17/2025
CVE-2024-35958 is a critical flaw in the Linux kernel's Elastic Network Adapter (ENA) driver that affects network virtualization environments. The issue lies in the ena_free_tx_bufs() function, which handles the cleanup of transmit buffer descriptors in the ENA network driver. The vulnerability arises from an incorrect assumption about descriptor handling across the different types of transmit queues, creating a potential for system instability and crashes during normal network operations or, more specifically, during virtual function reset scenarios.
The ENA driver implements two distinct types of transmit queues to handle different packet processing paths within the network stack. The first category processes packets originating from the standard network stack, while the second category handles packets forwarded through XDP_REDIRECT or XDP_TX instructions, which are part of the eXpress Data Path framework designed for high-performance packet processing. The flaw occurs because the ena_free_tx_bufs() function makes incorrect assumptions about queue type when processing descriptor cleanup, leading to improper handling of memory management operations.
This technical issue stems from the function's incorrect use of napi_consume_skb() for descriptors belonging to XDP-specific queues, which are not designed to be processed using the standard network stack consumption mechanism. The mismatch between expected and actual descriptor handling creates a memory management inconsistency that can result in double-free conditions or memory corruption when the driver attempts to free descriptors during queue cleanup operations. The vulnerability becomes particularly dangerous during virtual function resets, where the descriptor cleanup process fails to properly release memory resources, leading to system crashes or kernel panics.
The operational impact of this vulnerability extends beyond simple system instability, as it affects the reliability of virtualized network environments that depend on ENA drivers for high-performance networking. Network virtualization platforms, cloud computing environments, and containerized applications using XDP processing are particularly at risk, as the vulnerability can cause unexpected service disruptions and data loss during normal network operations or when handling network traffic spikes. The flaw affects systems running Linux kernel versions that include the vulnerable ENA driver implementation, potentially impacting enterprise data centers and cloud infrastructure deployments.
Security implications of this vulnerability align with CWE-415, which addresses double free conditions in memory management, and CWE-476, which covers null pointer dereferences. The attack surface is primarily through network traffic processing, making it relevant to ATT&CK technique T1059.007 for execution through command and scripting interpreter, though the actual exploitation would likely occur through network packet processing rather than direct command execution. The vulnerability demonstrates a classic memory management error where improper handling of different queue types leads to resource exhaustion and system instability, making it a significant concern for network security and system reliability in virtualized environments. Organizations should prioritize patching this vulnerability to prevent potential denial of service conditions and maintain the integrity of their network infrastructure.