{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-46800","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-09-11T15:12:18.280Z","datePublished":"2024-09-18T07:12:54.330Z","dateUpdated":"2025-11-03T22:18:43.054Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:34:37.304Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsch/netem: fix use after free in netem_dequeue\n\nIf netem_dequeue() enqueues packet to inner qdisc and that qdisc\nreturns __NET_XMIT_STOLEN. The packet is dropped but\nqdisc_tree_reduce_backlog() is not called to update the parent's\nq.qlen, leading to the similar use-after-free as Commit\ne04991a48dbaf382 (\"netem: fix return value if duplicate enqueue\nfails\")\n\nCommands to trigger KASAN UaF:\n\nip link add type dummy\nip link set lo up\nip link set dummy0 up\ntc qdisc add dev lo parent root handle 1: drr\ntc filter add dev lo parent 1: basic classid 1:1\ntc class add dev lo classid 1:1 drr\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2: handle 3: drr\ntc filter add dev lo parent 3: basic classid 3:1 action mirred egress\nredirect dev dummy0\ntc class add dev lo classid 3:1 drr\nping -c1 -W0.01 localhost # Trigger bug\ntc class del dev lo classid 1:1\ntc class add dev lo classid 1:1 drr\nping -c1 -W0.01 localhost # UaF"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_netem.c"],"versions":[{"version":"50612537e9ab29693122fab20fc1eed235054ffe","lessThan":"f0bddb4de043399f16d1969dad5ee5b984a64e7b","status":"affected","versionType":"git"},{"version":"50612537e9ab29693122fab20fc1eed235054ffe","lessThan":"295ad5afd9efc5f67b86c64fce28fb94e26dc4c9","status":"affected","versionType":"git"},{"version":"50612537e9ab29693122fab20fc1eed235054ffe","lessThan":"98c75d76187944296068d685dfd8a1e9fd8c4fdc","status":"affected","versionType":"git"},{"version":"50612537e9ab29693122fab20fc1eed235054ffe","lessThan":"14f91ab8d391f249b845916820a56f42cf747241","status":"affected","versionType":"git"},{"version":"50612537e9ab29693122fab20fc1eed235054ffe","lessThan":"db2c235682913a63054e741fe4e19645fdf2d68e","status":"affected","versionType":"git"},{"version":"50612537e9ab29693122fab20fc1eed235054ffe","lessThan":"dde33a9d0b80aae0c69594d1f462515d7ff1cb3d","status":"affected","versionType":"git"},{"version":"50612537e9ab29693122fab20fc1eed235054ffe","lessThan":"32008ab989ddcff1a485fa2b4906234c25dc5cd6","status":"affected","versionType":"git"},{"version":"50612537e9ab29693122fab20fc1eed235054ffe","lessThan":"3b3a2a9c6349e25a025d2330f479bc33a6ccb54a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_netem.c"],"versions":[{"version":"3.3","status":"affected"},{"version":"0","lessThan":"3.3","status":"unaffected","versionType":"semver"},{"version":"4.19.322","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.284","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.226","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.167","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.110","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.51","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.10.10","lessThanOrEqual":"6.10.*","status":"unaffected","versionType":"semver"},{"version":"6.11","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"4.19.322"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"5.4.284"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"5.10.226"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"5.15.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.1.110"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.6.51"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.10.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f0bddb4de043399f16d1969dad5ee5b984a64e7b"},{"url":"https://git.kernel.org/stable/c/295ad5afd9efc5f67b86c64fce28fb94e26dc4c9"},{"url":"https://git.kernel.org/stable/c/98c75d76187944296068d685dfd8a1e9fd8c4fdc"},{"url":"https://git.kernel.org/stable/c/14f91ab8d391f249b845916820a56f42cf747241"},{"url":"https://git.kernel.org/stable/c/db2c235682913a63054e741fe4e19645fdf2d68e"},{"url":"https://git.kernel.org/stable/c/dde33a9d0b80aae0c69594d1f462515d7ff1cb3d"},{"url":"https://git.kernel.org/stable/c/32008ab989ddcff1a485fa2b4906234c25dc5cd6"},{"url":"https://git.kernel.org/stable/c/3b3a2a9c6349e25a025d2330f479bc33a6ccb54a"}],"title":"sch/netem: fix use after free in netem_dequeue","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-09-29T14:21:46.451136Z","id":"CVE-2024-46800","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-29T14:21:58.260Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:18:43.054Z"}}]}}