{"id":"CVE-2024-50036","summary":"net: do not delay dst_entries_add() in dst_release()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not delay dst_entries_add() in dst_release()\n\ndst_entries_add() uses per-cpu data that might be freed at netns\ndismantle from ip6_route_net_exit() calling dst_entries_destroy()\n\nBefore ip6_route_net_exit() can be called, we release all\nthe dsts associated with this netns, via calls to dst_release(),\nwhich waits an rcu grace period before calling dst_destroy()\n\ndst_entries_add() use in dst_destroy() is racy, because\ndst_entries_destroy() could have been called already.\n\nDecrementing the number of dsts must happen sooner.\n\nNotes:\n\n1) in CONFIG_XFRM case, dst_destroy() can call\n   dst_release_immediate(child), this might also cause UAF\n   if the child does not have DST_NOCOUNT set.\n   IPSEC maintainers might take a look and see how to address this.\n\n2) There is also discussion about removing this count of dst,\n   which might happen in future kernels.","modified":"2026-04-16T04:40:16.388375191Z","published":"2024-10-21T19:39:37.135Z","related":["SUSE-SU-2025:01919-1","SUSE-SU-2025:0834-1","SUSE-SU-2025:0847-1","SUSE-SU-2025:0856-1","SUSE-SU-2025:0955-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50036.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50036.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50036"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f88649721268999bdff09777847080a52004f691"},{"fixed":"547087307bc19417b4f2bc85ba9664a3e8db5a6a"},{"fixed":"e3915f028b1f1c37e87542e5aadd33728c259d96"},{"fixed":"a60db84f772fc3a906c6c4072f9207579c41166f"},{"fixed":"eae7435b48ffc8e9be0ff9cfeae40af479a609dd"},{"fixed":"3c7c918ec0aa3555372c5a57f18780b7a96c5cfc"},{"fixed":"ac888d58869bb99753e7652be19a151df9ecb35d"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"86e48c03d774e01ccd71ecba4fc4b5c2bc0b5b41"},{"last_affected":"591b1e1bb40152e22cee757f493046a0ca946bf8"},{"last_affected":"df90819dafcd6b97fc665f63a15752a570e227a2"},{"last_affected":"9a4fe697023dbe6c25caa1f8b2153af869a29bd2"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50036.json"}}],"schema_version":"1.7.5"}