CVE-2024-42291 in Linux

Summary

by MITRE • 08/17/2024

In the Linux kernel, the following vulnerability has been resolved:

ice: Add a per-VF limit on number of FDIR filters

While the iavf driver adds a s/w limit (128) on the number of FDIR filters that the VF can request, a malicious VF driver can request more than that and exhaust the resources for other VFs.

Add a similar limit in ice.


Analysis

by VulDB Data Team • 01/16/2026

The vulnerability CVE-2024-42291 addresses a critical resource management issue within the Linux kernel's networking subsystem, specifically affecting the ice driver used for Intel Ethernet network adapters. This flaw exists in the implementation of Flexible Direct Rules (FDIR) filtering capabilities that enable virtual functions to define packet filtering rules for network traffic. The vulnerability stems from inadequate enforcement of resource limits at the virtual function level, creating a potential denial of service scenario that could compromise the entire virtualized network environment.

The technical flaw manifests in the ice driver's failure to implement proper per-virtual function limits on FDIR filter allocation, unlike the iavf driver which already enforces a software limit of 128 filters per virtual function. When a malicious virtual function driver requests more than the established limit, it can consume excessive system resources and starve other virtual functions of their necessary filtering capabilities. This resource exhaustion occurs because the ice driver lacks the protective mechanism that prevents any single virtual function from monopolizing the finite FDIR filter resources available on the physical network adapter.

The operational impact of this vulnerability extends beyond simple resource consumption, as it represents a serious security concern within virtualized environments where multiple tenants share the same physical hardware. Attackers could exploit this weakness to launch denial of service attacks against other virtual functions on the same physical adapter, effectively disrupting network communications for legitimate users. The vulnerability particularly affects data center and cloud computing environments where network virtualization is prevalent, potentially allowing malicious actors to degrade network performance or completely block communication channels for other virtual machines or containers sharing the same physical infrastructure.

Mitigation should focus on adding a proper per-VF resource limit to the ice driver, aligning it with the protective measure already present in the iavf driver. System administrators should ensure that all affected systems are updated with patches that enforce the 128 filter limit per virtual function, so that no single virtual function can exhaust the shared FDIR filter resources. This remediation aligns with the Common Weakness Enumeration entry CWE-400, which categorizes resource exhaustion vulnerabilities as security concerns requiring proper bounds checking and resource limiting. Operators should also monitor and log FDIR filter allocation per virtual function so that anomalous allocation patterns, which may indicate exploitation attempts, can be detected, following ATT&CK framework guidance on defending against resource exhaustion attacks.
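To make the resource-accounting point concrete, the following C model shows a shared FDIR filter pool with and without a per-VF cap. This is an added example, not code from the ice or iavf drivers; the pool size, VF count and function names are assumptions, and only the 128 per-VF limit is taken from the page.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed sizes for the model; only the 128 per-VF cap comes from the page. */
#define FDIR_POOL_SIZE  512   /* filter entries shared by every VF on one adapter */
#define FDIR_PER_VF_MAX 128   /* the software limit the iavf driver already applies */
#define MAX_VFS         8

struct fdir_pool {
    unsigned int free;             /* entries still available on the adapter */
    unsigned int per_vf[MAX_VFS];  /* filters currently held by each VF */
    bool enforce_vf_limit;         /* false: pre-fix ice; true: with a per-VF cap */
};

void fdir_pool_init(struct fdir_pool *p, bool enforce_vf_limit)
{
    memset(p, 0, sizeof(*p));
    p->free = FDIR_POOL_SIZE;
    p->enforce_vf_limit = enforce_vf_limit;
}

/* 0 on success, -1 if the VF is at its cap (or invalid), -2 if the pool is empty. */
int fdir_add_filter(struct fdir_pool *p, unsigned int vf_id)
{
    if (vf_id >= MAX_VFS)
        return -1;
    /* The fix: refuse on the requester's own count before touching the shared pool. */
    if (p->enforce_vf_limit && p->per_vf[vf_id] >= FDIR_PER_VF_MAX)
        return -1;
    if (p->free == 0)
        return -2;   /* pool exhausted: every other VF is now starved */
    p->free--;
    p->per_vf[vf_id]++;
    return 0;
}

/* Scenario: VF 0 issues `requests` add-filter calls, then VF 1 asks for one.
 * Returns how many VF 0 obtained; *vf1_rc receives VF 1's result code. */
unsigned int fdir_scenario(bool enforce_vf_limit, unsigned int requests, int *vf1_rc)
{
    struct fdir_pool p;
    unsigned int got = 0;

    fdir_pool_init(&p, enforce_vf_limit);
    for (unsigned int i = 0; i < requests; i++)
        if (fdir_add_filter(&p, 0) == 0)
            got++;
    *vf1_rc = fdir_add_filter(&p, 1);
    return got;
}
```

Without the cap, VF 0 takes all 512 entries and VF 1's first request fails with -2; with the cap, VF 0 stops at 128 and VF 1 is still served.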

Responsible: Linux
Reservation: 07/30/2024
Disclosure: 08/17/2024
Moderation: accepted
CPE: ready
EPSS: 0.00226
KEV: no
Activities: very low
