CVE-2024-50036 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
net: do not delay dst_entries_add() in dst_release()
dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy()
Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy()
dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already.
Decrementing the number of dsts must happen sooner.
Notes:
1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this.
2) There is also discussion about removing this count of dst, which might happen in future kernels.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/22/2026
The vulnerability described in CVE-2024-50036 represents a race condition within the Linux kernel's networking subsystem that could potentially lead to use-after-free conditions and system instability. This issue specifically affects the handling of destination cache entries in IPv6 routing operations, where the kernel maintains per-cpu data structures that track destination entries for network namespaces. The vulnerability arises from improper synchronization between the destruction of network namespace resources and the continued use of per-cpu counters that may have already been freed during the dismantling process.
The technical flaw occurs when the kernel attempts to clean up network namespace resources through ip6_route_net_exit() function, which calls dst_entries_destroy() to free per-cpu data structures containing destination entry counts. However, during this cleanup process, existing destination entries that are being released through dst_release() calls may still attempt to access these freed data structures through dst_entries_add() operations within dst_destroy(). This creates a classic race condition where the decrementing of destination entry counters happens too late in the process, after the underlying memory structures have already been freed, leading to potential memory corruption and system crashes.
The operational impact of this vulnerability extends beyond simple system instability to potentially enable privilege escalation or denial of service attacks in environments where multiple network namespaces are actively managed. The race condition specifically affects IPv6 routing operations and becomes more pronounced in configurations that utilize IP Security (IPSEC) features, as indicated by the note regarding CONFIG_XFRM case where dst_release_immediate() calls on child entries could trigger use-after-free conditions when the child entries lack the DST_NOCOUNT flag. This vulnerability affects systems running Linux kernel versions where the networking subsystem handles destination cache management and network namespace cleanup operations.
The mitigation strategy for CVE-2024-50036 involves ensuring proper ordering of operations during network namespace cleanup, specifically by decrementing destination entry counts before the per-cpu data structures are freed rather than after. System administrators should prioritize applying the latest kernel patches that address this race condition, particularly in environments running IPv6 networking stacks with active network namespace management. The vulnerability aligns with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and could potentially map to ATT&CK technique T1059.003 (Command and Scripting Interpreter: Windows Command Shell) if exploited through system compromise, though the primary attack surface remains kernel-level memory corruption. Additionally, the vulnerability demonstrates characteristics consistent with CWE-416 (Use After Free) and CWE-367 (Time-of-Check to Time-of-Use), as the race condition allows for access to freed memory structures after they have been marked for deallocation. Given the nature of this vulnerability, it represents a critical security concern for enterprise environments relying on Linux kernel networking functionality and network namespace isolation features.