Description
In the Linux kernel, the following vulnerability has been resolved:
sch/netem: fix use after free in netem_dequeue
If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")
Commands to trigger KASAN UaF:
ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF
sch/netem: fix use after free in netem_dequeue
If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")
Commands to trigger KASAN UaF:
ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux | unaffected |
|
|||||||||||||||||||||||||||||||||
| Linux | Linux | affected |
|
Configuration 1 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat Enterprise Linux 9 | |||
| kernel-0:5.14.0-570.12.1.el9_6 | cpe:/a:redhat:enterprise_linux:9 | RHSA-2025:6966 | 2025-05-13T00:00:00Z |
| kernel-0:5.14.0-570.12.1.el9_6 | cpe:/o:redhat:enterprise_linux:9 | RHSA-2025:6966 | 2025-05-13T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 Debian DLA |
DLA-3912-1 | linux security update |
| Debian DLA |
DLA-4008-1 | linux-6.1 security update |
 Debian DSA |
DSA-5782-1 | linux security update |
 Ubuntu USN |
USN-7088-1 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7088-2 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7088-3 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7088-4 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7088-5 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7100-1 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7100-2 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7119-1 | Linux kernel (IoT) vulnerabilities |
| Ubuntu USN |
USN-7120-1 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7120-2 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7120-3 | Linux kernel (Low Latency) vulnerabilities |
| Ubuntu USN |
USN-7121-1 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7121-2 | Linux kernel (Azure) vulnerabilities |
| Ubuntu USN |
USN-7121-3 | Linux kernel (Oracle) vulnerabilities |
| Ubuntu USN |
USN-7123-1 | Linux kernel (Azure) vulnerabilities |
| Ubuntu USN |
USN-7144-1 | Linux kernel (Intel IoTG) vulnerabilities |
| Ubuntu USN |
USN-7148-1 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-7156-1 | Linux kernel (GKE) vulnerabilities |
| Ubuntu USN |
USN-7194-1 | Linux kernel (Azure) vulnerabilities |
References
History
Mon, 03 Nov 2025 23:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Wed, 16 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
epss
|
epss
|
Tue, 15 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
epss
|
epss
|
Wed, 14 May 2025 02:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat
Redhat enterprise Linux |
|
| CPEs | cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9 |
|
| Vendors & Products |
Redhat
Redhat enterprise Linux |
Sun, 29 Sep 2024 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 20 Sep 2024 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Linux
Linux linux Kernel |
|
| Weaknesses | CWE-416 | |
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:* |
|
| Vendors & Products |
Linux
Linux linux Kernel |
|
| Metrics |
cvssV3_1
|
cvssV3_1
|
Wed, 18 Sep 2024 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Wed, 18 Sep 2024 07:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF | |
| Title | sch/netem: fix use after free in netem_dequeue | |
| References |
|
|
MITRE
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-05-11T20:36:47.309Z
Reserved: 2024-09-11T15:12:18.280Z
Link: CVE-2024-46800
Vulnrichment
Updated: 2025-11-03T22:18:43.054Z
NVD
Status : Modified
Published: 2024-09-18T08:15:06.573
Modified: 2025-11-03T23:16:02.670
Link: CVE-2024-46800
Redhat
OpenCVE Enrichment
No data.
Weaknesses