{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-50126","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T19:36:19.954Z","datePublished":"2024-11-05T17:10:53.741Z","dateUpdated":"2025-11-03T22:25:47.069Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:46:38.705Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in 'taprio_dump()' by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862]  dump_backtrace+0x20c/0x220\n[T15862]  show_stack+0x2c/0x40\n[T15862]  dump_stack_lvl+0xf8/0x174\n[T15862]  print_report+0x170/0x4d8\n[T15862]  kasan_report+0xb8/0x1d4\n[T15862]  __asan_report_load4_noabort+0x20/0x2c\n[T15862]  taprio_dump+0xa0c/0xbb0\n[T15862]  tc_fill_qdisc+0x540/0x1020\n[T15862]  qdisc_notify.isra.0+0x330/0x3a0\n[T15862]  tc_modify_qdisc+0x7b8/0x1838\n[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862]  netlink_rcv_skb+0x1f8/0x3d4\n[T15862]  rtnetlink_rcv+0x28/0x40\n[T15862]  netlink_unicast+0x51c/0x790\n[T15862]  netlink_sendmsg+0x79c/0xc20\n[T15862]  __sock_sendmsg+0xe0/0x1a0\n[T15862]  ____sys_sendmsg+0x6c0/0x840\n[T15862]  ___sys_sendmsg+0x1ac/0x1f0\n[T15862]  __sys_sendmsg+0x110/0x1d0\n[T15862]  __arm64_sys_sendmsg+0x74/0xb0\n[T15862]  invoke_syscall+0x88/0x2e0\n[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862]  do_el0_svc+0x44/0x60\n[T15862]  el0_svc+0x50/0x184\n[T15862]  el0t_64_sync_handler+0x120/0x12c\n[T15862]  el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862]  kasan_save_stack+0x3c/0x70\n[T15862]  kasan_save_track+0x20/0x3c\n[T15862]  kasan_save_alloc_info+0x40/0x60\n[T15862]  __kasan_kmalloc+0xd4/0xe0\n[T15862]  __kmalloc_cache_noprof+0x194/0x334\n[T15862]  taprio_change+0x45c/0x2fe0\n[T15862]  tc_modify_qdisc+0x6a8/0x1838\n[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862]  netlink_rcv_skb+0x1f8/0x3d4\n[T15862]  rtnetlink_rcv+0x28/0x40\n[T15862]  netlink_unicast+0x51c/0x790\n[T15862]  netlink_sendmsg+0x79c/0xc20\n[T15862]  __sock_sendmsg+0xe0/0x1a0\n[T15862]  ____sys_sendmsg+0x6c0/0x840\n[T15862]  ___sys_sendmsg+0x1ac/0x1f0\n[T15862]  __sys_sendmsg+0x110/0x1d0\n[T15862]  __arm64_sys_sendmsg+0x74/0xb0\n[T15862]  invoke_syscall+0x88/0x2e0\n[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862]  do_el0_svc+0x44/0x60\n[T15862]  el0_svc+0x50/0x184\n[T15862]  el0t_64_sync_handler+0x120/0x12c\n[T15862]  el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862]  kasan_save_stack+0x3c/0x70\n[T15862]  kasan_save_track+0x20/0x3c\n[T15862]  kasan_save_free_info+0x4c/0x80\n[T15862]  poison_slab_object+0x110/0x160\n[T15862]  __kasan_slab_free+0x3c/0x74\n[T15862]  kfree+0x134/0x3c0\n[T15862]  taprio_free_sched_cb+0x18c/0x220\n[T15862]  rcu_core+0x920/0x1b7c\n[T15862]  rcu_core_si+0x10/0x1c\n[T15862]  handle_softirqs+0x2e8/0xd64\n[T15862]  __do_softirq+0x14/0x20"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_taprio.c"],"versions":[{"version":"18cdd2f0998a4967b1fff4c43ed9aef049e42c39","lessThan":"b911fa9e92ee586e36479ad57b88f20471acaca1","status":"affected","versionType":"git"},{"version":"18cdd2f0998a4967b1fff4c43ed9aef049e42c39","lessThan":"5d282467245f267c0b9ada3f7f309ff838521536","status":"affected","versionType":"git"},{"version":"18cdd2f0998a4967b1fff4c43ed9aef049e42c39","lessThan":"e4369cb6acf6b895ac2453cc1cdf2f4326122c6d","status":"affected","versionType":"git"},{"version":"18cdd2f0998a4967b1fff4c43ed9aef049e42c39","lessThan":"b22db8b8befe90b61c98626ca1a2fbb0505e9fe3","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_taprio.c"],"versions":[{"version":"6.1","status":"affected"},{"version":"0","lessThan":"6.1","status":"unaffected","versionType":"semver"},{"version":"6.1.117","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.59","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.11.6","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.1.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.6.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.11.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1"},{"url":"https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536"},{"url":"https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d"},{"url":"https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3"}],"title":"net: sched: use RCU read-side critical section in taprio_dump()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-50126","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-12-11T14:28:25.069183Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-11T14:58:33.520Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:25:47.069Z"}}]}}