CVE-2024-50039 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
net/sched: accept TCA_STAB only for root qdisc
Most qdiscs maintain their backlog using qdisc_pkt_len(skb) on the assumption it is invariant between the enqueue() and dequeue() handlers.
Unfortunately syzbot can crash a host rather easily using a TBF + SFQ combination, with an STAB on SFQ [1]
We can't support TCA_STAB on arbitrary level, this would require to maintain per-qdisc storage.
[1]
[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 88.798611] #PF: supervisor read access in kernel mode
[ 88.799014] #PF: error_code(0x0000) - not-present page
[ 88.799506] PGD 0 P4D 0
[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
All code ======== 0: 0f b7 50 12 movzwl 0x12(%rax),%edx 4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax b: 00 c: 48 89 d6 mov %rdx,%rsi f: 48 29 d0 sub %rdx,%rax 12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx 19: 48 c1 e0 03 shl $0x3,%rax 1d: 48 01 c2 add %rax,%rdx 20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx) 25: 7e c0 jle 0xffffffffffffffe7 27: 48 8b 3a mov (%rdx),%rdi 2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction 2d: 4c 89 02 mov %r8,(%rdx) 30: 49 89 50 08 mov %rdx,0x8(%r8) 34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) 3b: 00 3c: 48 rex.W 3d: c7 .byte 0xc7 3e: 07 (bad) ...
Code starting with the faulting instruction =========================================== 0: 4c 8b 07 mov (%rdi),%r8 3: 4c 89 02 mov %r8,(%rdx) 6: 49 89 50 08 mov %rdx,0x8(%r8) a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) 11: 00 12: 48 rex.W 13: c7 .byte 0xc7 14: 07 (bad) ... [ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206
[ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800
[ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000
[ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f
[ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140
[ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac
[ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000
[ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0
[ 88.808165] Call Trace:
[ 88.808459]
[ 88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)
[ 88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[ 88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
[ 88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq
[ 88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g
---truncated---
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/22/2026
The vulnerability CVE-2024-50039 is a critical flaw in the Linux kernel networking subsystem that affects how traffic control (qdisc) parameters are handled. This issue specifically involves the TCA_STAB parameter, which is used to configure statistical tracking for network traffic scheduling. The vulnerability arises from an improper handling of TCA_STAB configuration when applied to non-root qdiscs, leading to potential kernel crashes and system instability. The flaw manifests when a combination of TBF (Token Bucket Filter) and SFQ (Stochastic Fairness Queueing) qdiscs is configured with an STAB parameter on the SFQ component, causing a NULL pointer dereference during packet dequeue operations.
The technical root cause of this vulnerability lies in the kernel's network scheduler implementation where TCA_STAB parameters are not properly restricted to root qdiscs. According to the kernel's design, most qdiscs rely on qdisc_pkt_len(skb) to maintain consistent packet backlog tracking between enqueue and dequeue operations. However, when TCA_STAB is applied at non-root levels, the kernel's existing data structures and memory management assumptions break down, resulting in invalid memory access patterns. The crash occurs in the sfq_dequeue function where a null pointer dereference happens at instruction 2a in the assembly code, specifically when attempting to read from memory address zero. This represents a classic null pointer dereference vulnerability that can be exploited to cause a kernel oops and system crash, as demonstrated by the kernel log showing the exact faulting instruction and memory access violation.
The operational impact of this vulnerability is severe as it allows for arbitrary system crashes through carefully crafted network traffic configurations. Attackers can leverage this flaw to perform denial-of-service attacks against systems running affected Linux kernels, potentially causing complete system instability. The vulnerability is particularly concerning in environments where network traffic shaping is extensively used, such as in data centers, network infrastructure devices, or any system that employs complex qdisc configurations. From an ATT&CK perspective, this vulnerability maps to T1499.004 (Endpoint Denial of Service) and T1595.001 (Network Denial of Service), as it enables adversaries to disrupt network services and system availability. The flaw also aligns with CWE-476 (NULL Pointer Dereference) and CWE-121 (Stack-based Buffer Overflow) in the Common Weakness Enumeration catalog, highlighting the fundamental nature of the memory management error.
Mitigation strategies for this vulnerability include immediate kernel updates to versions that have patched the issue by restricting TCA_STAB parameters to root qdiscs only, preventing their application at arbitrary qdisc levels. System administrators should also implement network traffic monitoring to detect unusual qdisc configurations and apply defensive measures such as restricting network configuration capabilities for untrusted users or processes. The patch ensures that TCA_STAB is only accepted when applied to root qdiscs, eliminating the need for per-qdisc storage and maintaining kernel stability. Organizations should prioritize patching systems running affected kernel versions and consider implementing network access controls to limit exposure to malicious qdisc configurations. Additionally, regular security audits of network configurations and qdisc parameter usage can help identify and remediate potential instances of this vulnerability before exploitation occurs.