8.8
HIGH
CVE-2024-35854
Mellanox Technologies MLXSW Use-After-Free Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1]. Fix by not destroying the region if migration failed. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858 CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70 mlxsw_sp_acl_atcam_entry_del+0x81/0x210 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 174: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 7: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30

INFO

Published Date :

May 17, 2024, 3:15 p.m.

Last Modified :

April 7, 2025, 7 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

2.8
Affected Products

The following products are affected by CVE-2024-35854 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
1 Debian debian_linux
: Total Affected Vendor : 2 | Products : 2
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-35854.

URL Resource
https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049 Patch
https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121 Patch
https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519 Patch
https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887 Patch
https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1 Patch
https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1 Patch
https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388 Patch
https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049 Patch
https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121 Patch
https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519 Patch
https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887 Patch
https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1 Patch
https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1 Patch
https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388 Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-35854 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-35854 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Apr. 07, 2025

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.30 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.216 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.1 up to (excluding) 5.4.275 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.158 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.90 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.8.9 *cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added Reference Type CVE: https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388 Types: Patch
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Types: Mailing List, Third Party Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049
    Added Reference https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121
    Added Reference https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519
    Added Reference https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887
    Added Reference https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1
    Added Reference https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1
    Added Reference https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 05, 2024

    Action Type Old Value New Value
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jul. 03, 2024

    Action Type Old Value New Value
    Added CWE CISA-ADP CWE-416
    Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 29, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 17, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1]. Fix by not destroying the region if migration failed. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858 CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70 mlxsw_sp_acl_atcam_entry_del+0x81/0x210 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 174: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 7: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30
    Added Reference kernel.org https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-35854 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-35854 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
:
© cvefeed.io
Latest DB Update: May. 15, 2025 22:04