CVE-2024-57801
Published: 15 January 2025
Summary
CVE-2024-57801 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2024-57801 is a use-after-free vulnerability (CWE-416) in the Linux kernel's net/mlx5e driver, which handles Mellanox/NVIDIA ConnectX Ethernet functionality. The issue arises during driver unload when unregister_netdev is called after unloading the vport representor (rep). This leads to attempts to access the already-freed mlx5e_rep_priv structure, such as retrieving rpriv->netdev or walking rpriv->tc_ht, while restoring Traffic Control (TC) rules for a vport rep lacking a loaded flag. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation occurs during the driver unload process, potentially allowing arbitrary code execution, data corruption, or system crashes due to the use-after-free, with high impacts on confidentiality, integrity, and availability in the unchanged security scope.
Mitigation involves applying kernel patches from stable repositories, which add checks to skip TC rule restoration for vport reps without the loaded flag, ensuring data access only occurs when the rep is still loaded. Relevant commits include https://git.kernel.org/stable/c/3e45dd1622a2c1a83c11bf42fdd8c1810123d6c0, https://git.kernel.org/stable/c/47c78d3fc26e38ab805613a0f592dc8a820c7c64, and https://git.kernel.org/stable/c/5a03b368562a7ff5f5f1f63b5adf8309cbdbd5be.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53758
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Skip restore TC rules for vport rep without loaded flag During driver unload, unregister_netdev is called after unloading vport rep. So, the mlx5e_rep_priv is already freed while trying to…
more
get rpriv->netdev, or walk rpriv->tc_ht, which results in use-after-free. So add the checking to make sure access the data of vport rep which is still loaded.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel use-after-free enabling arbitrary code execution for privilege escalation from low-privileged user context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely remediation of identified flaws, such as applying kernel patches that fix the use-after-free in the mlx5e driver during vport rep unload.
Implements memory protection mechanisms like ASLR and stack canaries that mitigate exploitation of the use-after-free vulnerability in mlx5e_rep_priv.
Enables vulnerability scanning to identify systems running vulnerable Linux kernel versions affected by CVE-2024-57801 in the net/mlx5e driver.