CVE-2024-50130
- Source
- https://cve.org/CVERecord?id=CVE-2024-50130
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50130.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-50130
- Downstream
- Related
- Published
- 2024-11-05T17:10:56.344Z
- Modified
- 2026-03-11T07:51:06.595151460Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- netfilter: bpf: must hold reference on net namespace
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
netfilter: bpf: must hold reference on net namespace
BUG: KASAN: slab-use-after-free in __nfunregisternethook+0x640/0x6b0 Read of size 8 at addr ffff8880106fe400 by task repro/72= bpfnflinkrelease+0xda/0x1e0 bpflinkfree+0x139/0x2d0 bpflinkrelease+0x68/0x80 __fput+0x414/0xb60
Eric says: It seems that bpf was able to defer the __nfunregisternethook() after exit()/close() time. Perhaps a netns reference is missing, because the netns has been dismantled/freed already. bpfnflinkattach() does : link->net = net; But I do not see a reference being taken on net.
Add such a reference and release it after hook unreg. Note that I was unable to get syzbot reproducer to work, so I do not know if this resolves this splat.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50130.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1230fe7ad3974f7bf6c78901473e039b34d4fb1f
- https://git.kernel.org/stable/c/d0d7939543a1b3bb93af9a18d258a774daf8f162
- https://git.kernel.org/stable/c/f41bd93b3e0508edc7ba820357f949071dcc0acc
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50130.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-50130