CVE-2024-42108 in Linuxinfo

Summary

by MITRE • 07/30/2024

In the Linux kernel, the following vulnerability has been resolved:

net: rswitch: Avoid use-after-free in rswitch_poll()

The use-after-free is actually in rswitch_tx_free(), which is inlined in rswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the
same pointer, the skb is first freed using dev_kfree_skb_any(), then the value in skb->len is used to update the interface statistics.

Let's move around the instructions to use skb->len before the skb is freed.

This bug is trivial to reproduce using KFENCE. It will trigger a splat every few packets. A simple ARP request or ICMP echo request is enough.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/19/2025

The vulnerability described in CVE-2024-42108 represents a critical use-after-free condition within the Linux kernel's rswitch network driver implementation. This flaw exists in the network subsystem specifically within the rswitch_poll() function where it interacts with the rswitch_tx_free() function that has been inlined into the polling routine. The issue manifests when processing network packets through the rswitch driver, creating a scenario where memory corruption can occur during packet transmission handling. The vulnerability stems from improper ordering of operations where a socket buffer pointer is freed before its associated metadata is accessed, creating an exploitable condition that can lead to system instability or potential privilege escalation.

The technical root cause of this vulnerability aligns with CWE-416, which specifically addresses use-after-free errors in software systems. The flaw occurs because the rswitch_tx_free() function, which is inlined into rswitch_poll(), first calls dev_kfree_skb_any() to release the memory associated with a socket buffer structure, but subsequently accesses the skb->len field to update network interface statistics. This sequence creates a classic use-after-free scenario where memory that has been freed is still being referenced. The vulnerability is particularly concerning because it operates within kernel space where such memory corruption can lead to arbitrary code execution or system crashes. The specific memory layout shows that both the skb pointer and gq->skbs[gq->dirty] reference the same memory location, making the freed memory accessible through multiple pathways.

The operational impact of this vulnerability extends beyond simple system instability, as it creates conditions that can be exploited by malicious actors to compromise system integrity. The vulnerability is easily reproducible using KFENCE, a kernel memory debugging tool that specifically identifies such use-after-free conditions, indicating that the flaw is not theoretical but has been validated in testing environments. Network traffic involving simple ARP requests or ICMP echo requests is sufficient to trigger the bug, making it particularly dangerous as it can be exploited through normal network operations. The frequency of occurrence, with system messages (splat) appearing every few packets, suggests that this vulnerability can cause significant disruption to network services and potentially provide a foothold for more sophisticated attacks. The rswitch driver, which handles network packet switching operations, becomes a potential attack vector for privilege escalation or denial-of-service conditions.

Mitigation strategies for CVE-2024-42108 should focus on immediate kernel updates from vendors who have patched this specific use-after-free condition. System administrators should prioritize applying the latest security patches that reorder the memory operations to access skb->len before calling dev_kfree_skb_any(). The fix involves restructuring the code flow to ensure that all necessary metadata is extracted from freed memory structures before the actual memory deallocation occurs. Additionally, monitoring systems should be enhanced to detect unusual patterns in network interface statistics that might indicate exploitation attempts. Organizations should implement network segmentation and access controls to limit potential attack vectors, while also maintaining regular kernel security audits to identify similar vulnerabilities in other network drivers. The patch implementation should be validated through comprehensive testing to ensure that the reordering of operations does not introduce performance regressions or new stability issues in the network subsystem.

Responsible

Linux

Reservation

07/29/2024

Disclosure

07/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00232

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!