CVE-2024-49953 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
The km.state is not checked in driver's delayed work. When xfrm_state_check_expire() is called, the state can be reset to XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This happens when xfrm state is deleted, but not freed yet. As __xfrm_state_delete() is called again in xfrm timer, the following crash occurs.
To fix this issue, skip xfrm_state_check_expire() if km.state is not XFRM_STATE_VALID.
Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]
RIP: 0010:__xfrm_state_delete+0x3d/0x1b0
Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48
RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246
RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036
RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980
RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246
R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400
FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? die_addr+0x33/0x90
 ? exc_general_protection+0x1a2/0x390
 ? asm_exc_general_protection+0x22/0x30
 ? __xfrm_state_delete+0x3d/0x1b0
 ? __xfrm_state_delete+0x2f/0x1b0
 xfrm_timer_handler+0x174/0x350
 ? __xfrm_state_delete+0x1b0/0x1b0
 __hrtimer_run_queues+0x121/0x270
 hrtimer_run_softirq+0x88/0xd0
 handle_softirqs+0xcc/0x270
 do_softirq+0x3c/0x50
 __local_bh_enable_ip+0x47/0x50
 mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]
 process_one_work+0x137/0x2d0
 worker_thread+0x28d/0x3a0
 ? rescuer_thread+0x480/0x480
 kthread+0xb8/0xe0
 ? kthread_park+0x80/0x80
 ret_from_fork+0x2d/0x50
 ? kthread_park+0x80/0x80
 ret_from_fork_asm+0x11/0x20
Analysis
by VulDB Data Team • 03/21/2026
CVE-2024-49953 affects the Linux kernel's mlx5e network driver (the Ethernet driver for Mellanox mlx5 adapters, loaded as part of mlx5_core), specifically its IPsec support, together with the xfrm state code it calls into. It is a double-deletion bug in xfrm state management. The driver's delayed work does not check an xfrm state's km.state before calling xfrm_state_check_expire(), so a state that has already been deleted (km.state is XFRM_STATE_DEAD) but not yet freed can be pushed back to XFRM_STATE_EXPIRED when xfrm_state_check_expire() finds that its hard byte or packet limit has been reached. That transition re-arms the state's xfrm timer, whose handler then calls __xfrm_state_delete() a second time on the same object and triggers a general protection fault.
Both code paths are visible in the call trace. The work item mlx5e_ipsec_handle_sw_limits (in mlx5_core) is the driver's delayed work; it calls xfrm_state_check_expire() without first confirming that the state is still XFRM_STATE_VALID. __xfrm_state_delete() only does its work when km.state is not already XFRM_STATE_DEAD, and xfrm_timer_handler() likewise returns early for a dead state, but both guards are defeated once xfrm_state_check_expire() has overwritten km.state with XFRM_STATE_EXPIRED. The timer it arms is a soft hrtimer, so it fires as soon as the driver work re-enables bottom halves, which is why the trace runs from __local_bh_enable_ip() through do_softirq() and hrtimer_run_softirq() into xfrm_timer_handler() and a second __xfrm_state_delete(). The crash is not a use of freed memory: the commit message is explicit that the state is deleted but not yet freed. The first deletion unlinked the state's list entries and poisoned their pointers, and the non-canonical fault address 0xdead000000000108 is LIST_POISON1 (0xdead000000000100) plus the offset of a list_head's prev pointer, exactly the store list_del() makes when it unlinks a node that was already removed. The register dump agrees: RDX holds LIST_POISON1 and RAX holds LIST_POISON2 (0xdead000000000122).
Operationally this matters on hosts that use Mellanox mlx5 adapters with IPsec offload, where the crash takes down the whole kernel and with it all networking on the machine, not just the affected SA. The trigger is ordinary state management rather than a crafted input: an SA is deleted through the normal xfrm deletion path (by an administrator, an IKE daemon, or the kernel's own lifetime expiry) while the driver's soft-limit work for that state is still pending, and the state's counters have reached a hard limit when that work runs. The CWE-129 (Improper Validation of Array Index) label attached to this entry does not fit, since no array indexing is involved; the defect is a race on a shared object without adequate synchronization (CWE-362) that ends in a double deletion. The established impact is denial of service through a kernel crash; nothing in the description supports code execution or information disclosure, and it does not establish a remote trigger.
The fix adds a check in the driver's delayed work so that xfrm_state_check_expire() is skipped unless km.state is XFRM_STATE_VALID; a state that is already expired or dead is left to the xfrm core, and the second __xfrm_state_delete() can no longer happen. The resulting denial of service maps to ATT&CK T1499.004 (Endpoint Denial of Service: Application or System Exploitation), which describes an adversary crashing a system through a software flaw; "Network Denial of Service" is a different ATT&CK technique, and ATT&CK techniques describe attacker behaviour, not mitigations. Operators running mlx5_core with IPsec offload should move to a kernel that contains this fix (the oops above was taken on 6.11.0-rc2+; the page does not list affected or fixed version ranges, so check the distribution's advisory). The fix illustrates the usual rule for kernel state machines: a caller that holds a reference to an object which can be torn down concurrently must re-check the object's state, under the state's lock, before acting on it, rather than assume it is still in the state it had when the work was scheduled.
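To make the three interacting paths concrete, here is a user-space C model, added for this analysis and not code from the kernel, the mlx5 driver or the page's sources. It follows the paragraphs above: the DEAD guards in __xfrm_state_delete() and xfrm_timer_handler(), the unconditional reset in xfrm_state_check_expire(), the driver's delayed work with and without the fix, and the poisoned list_del() that the oops records. Function and field names mirror the kernel's, but the structures, the lifetime check (only a byte limit), the work and timer scheduling, and the constructed SA values are simplifications and assumptions; list_del() is replaced by a variant that reports an attempt to unlink an already-poisoned node instead of faulting.

```c
/* User-space model of the code paths behind CVE-2024-49953. Added example,
 * not kernel code: names follow the kernel's, but structures, the lifetime
 * check and work/timer scheduling are simplified stand-ins (assumptions). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LIST_POISON1 ((struct list_head *)0xdead000000000100ULL) /* x86-64 */
#define LIST_POISON2 ((struct list_head *)0xdead000000000122ULL) /* values */

enum { XFRM_STATE_VOID, XFRM_STATE_ACQ, XFRM_STATE_VALID, XFRM_STATE_ERROR,
       XFRM_STATE_EXPIRED, XFRM_STATE_DEAD };

struct list_head { struct list_head *next, *prev; };

struct xfrm_state {
    struct list_head all;         /* km.all: list of every SA in the netns */
    int km_state;                 /* km.state */
    uint64_t curlft_bytes;        /* curlft.bytes */
    uint64_t lft_hard_byte_limit; /* lft.hard_byte_limit */
    bool timer_armed;             /* stand-in for a pending x->mtimer */
};

static struct list_head all_states = { &all_states, &all_states };
static uintptr_t last_fault_addr; /* address the real kernel would store to */

static void list_add(struct list_head *n, struct list_head *head)
{ n->next = head->next; n->prev = head; head->next->prev = n; head->next = n; }

/* list_del() with the kernel's poisoning. A second unlink stores to next->prev,
 * i.e. LIST_POISON1 + 8 = 0xdead000000000108 (the oops); recorded, not done. */
static bool list_del_checked(struct list_head *e)
{
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2) {
        last_fault_addr = (uintptr_t)e->next + offsetof(struct list_head, prev);
        return false;
    }
    e->next->prev = e->prev; e->prev->next = e->next;
    e->next = LIST_POISON1;  e->prev = LIST_POISON2;
    return true;
}

/* Kernel guard: only a non-DEAD state is unlinked; EXPIRED slips past it. */
static bool __xfrm_state_delete(struct xfrm_state *x)
{
    if (x->km_state == XFRM_STATE_DEAD)
        return true;
    x->km_state = XFRM_STATE_DEAD;
    return list_del_checked(&x->all);
}

/* On a hard limit: set EXPIRED and arm the timer without looking at the
 * current km.state. This is the reset the commit message describes. */
static void xfrm_state_check_expire(struct xfrm_state *x)
{
    if (x->curlft_bytes >= x->lft_hard_byte_limit) {
        x->km_state = XFRM_STATE_EXPIRED;
        x->timer_armed = true;  /* hrtimer_start(&x->mtimer, 0, ..._SOFT) */
    }
}

/* Timer handler: guards on DEAD too, but sees EXPIRED after the reset. */
static bool xfrm_timer_handler(struct xfrm_state *x)
{
    x->timer_armed = false;
    if (x->km_state == XFRM_STATE_DEAD)
        return true;
    return x->km_state == XFRM_STATE_EXPIRED ? __xfrm_state_delete(x) : true;
}

/* Driver work. Unpatched: unconditional. Patched (the fix): only if VALID. */
static void mlx5e_ipsec_handle_sw_limits(struct xfrm_state *x, bool patched)
{
    if (!patched || x->km_state == XFRM_STATE_VALID)
        xfrm_state_check_expire(x);
}

/* Replays the race on a constructed SA already past its hard byte limit. */
static bool run_race(bool patched)
{
    struct xfrm_state x = { .km_state = XFRM_STATE_VALID, .curlft_bytes = 2000000,
                            .lft_hard_byte_limit = 1000000 };
    list_add(&x.all, &all_states);
    if (!__xfrm_state_delete(&x))              /* 1. SA deleted, not freed */
        return false;
    mlx5e_ipsec_handle_sw_limits(&x, patched); /* 2. driver work runs anyway */
    return x.timer_armed ? xfrm_timer_handler(&x) : true; /* 3. soft timer */
}

int main(void)
{
    bool ok = run_race(false);
    printf("unpatched: %s, store to 0x%llx\n", ok ? "ok" : "double delete",
           (unsigned long long)last_fault_addr);
    printf("patched:   %s\n", run_race(true) ? "ok" : "double delete");
}
```

Run as is, the unpatched path reports a double delete with the computed store address 0xdead000000000108, and the patched path completes cleanly. The point of the model is that neither existing DEAD guard helps once km.state has been overwritten, so the check has to sit where the overwrite originates, in the driver work, which is where the fix puts it.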