CVE-2024-35960 Overview
CVE-2024-35960 is a Null Pointer Dereference vulnerability in the Linux kernel's MLX5 network driver flow steering (fs) subsystem. The vulnerability exists in the add_rule_fg function, which fails to properly link newly created flow rules into the tree structure when those rules have a reference count greater than 1. This improper tree linkage results in rules with NULL parent and root pointers, leading to a kernel crash when the flow group is subsequently deleted.
Critical Impact
Attackers can trigger a kernel crash through malformed network flow rule operations, causing system-wide denial of service. The vulnerability allows remote exploitation without authentication, potentially impacting systems using Mellanox ConnectX network adapters with mlx5 drivers.
Affected Products
- Linux Kernel versions prior to patched releases across multiple stable branches
- Linux Kernel 6.9-rc1, 6.9-rc2, and 6.9-rc3
- Debian Linux 10.0
Discovery Timeline
- May 20, 2024 - CVE-2024-35960 published to NVD
- April 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-35960
Vulnerability Analysis
The vulnerability resides in the MLX5 network driver's flow steering implementation, specifically in how new flow rules are integrated into the internal tree data structure. The add_rule_fg function was designed to add newly created rules into the tree only when their reference count equals 1. However, the create_flow_handle function actively searches for and references existing identical rules rather than creating duplicates, which can lead to a race condition scenario.
When create_flow_handle creates a new rule and references it, then subsequently references that same rule again during the same handle creation process, the rule ends up with a reference count of 2. Since add_rule_fg only adds rules with a refcount of 1, this rule is never properly linked into the tree structure. The resulting orphaned rule has NULL node->parent and root pointers.
The crash occurs during flow group deletion when del_sw_hw_rule is invoked. This function assumes that node->parent is non-NULL and attempts to dereference it, triggering a NULL pointer dereference that causes a kernel panic.
Root Cause
The root cause is a logic error in the add_rule_fg function that uses reference count as a proxy for determining whether a rule is "new" and needs to be added to the tree. This assumption breaks down when create_flow_handle references the same rule multiple times during a single handle creation operation. The fundamental issue is the inconsistency between how rules are created and referenced in create_flow_handle versus how they are validated for tree insertion in add_rule_fg.
An additional contributing factor mentioned in the kernel commit is incorrect handling of duplicate pkt_reformat IDs, which can cause create_flow_handle to incorrectly reference a just-added rule within the same flow handle operation.
Attack Vector
The vulnerability can be exploited through network-accessible operations that manipulate flow steering rules on systems with MLX5 network adapters. An attacker can craft specific network flow configurations that trigger the reference count condition, causing rules to be created but not properly linked into the tree. When these flow groups are later deleted through normal operations or by triggering cleanup procedures, the NULL pointer dereference occurs, crashing the kernel.
The attack requires the target system to have an MLX5-based network adapter (such as Mellanox ConnectX series) with the mlx5 driver loaded and actively processing flow steering rules. The exploit leverages the race condition inherent in the flawed rule insertion logic.
Detection Methods for CVE-2024-35960
Indicators of Compromise
- Kernel panic messages referencing del_sw_hw_rule or flow steering operations in MLX5 driver
- System crashes with NULL pointer dereference traces in net/mlx5 kernel module paths
- Unexpected kernel oops events on systems running Mellanox/NVIDIA ConnectX network adapters
Detection Strategies
- Monitor kernel logs for crash traces containing mlx5_core, add_rule_fg, create_flow_handle, or del_sw_hw_rule function names
- Implement kernel crash dump analysis to identify NULL pointer dereference patterns in flow steering code paths
- Deploy system monitoring to detect repeated kernel panics or unexpected reboots on network-heavy workloads
Monitoring Recommendations
- Configure kdump or similar crash dump collection to capture kernel state during crashes for forensic analysis
- Monitor system uptime metrics and correlate sudden reboots with network activity patterns
- Review dmesg and syslog for mlx5 driver error messages or warnings preceding system instability
How to Mitigate CVE-2024-35960
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for CVE-2024-35960
- For systems that cannot be immediately patched, consider limiting access to flow steering configuration interfaces
- Monitor affected systems closely for signs of exploitation or instability
Patch Information
Linux kernel developers have released patches across multiple stable branches to address this vulnerability. The fix modifies add_rule_fg to properly add new rules without parents into the tree structure, ensuring proper initialization regardless of reference count. Multiple commits have been published to address this issue:
- Linux Kernel Commit Fix - commit 1263b0b26077
- Linux Kernel Commit Update - commit 2e8dc5cffc84
- Linux Kernel Commit Patch - commit 5cf5337ef701
- Linux Kernel Commit Revision - commit de0139719cdd
Debian users should refer to the Debian LTS Security Announcements for distribution-specific updates.
Workarounds
- If patching is not immediately possible, reduce exposure by limiting administrative access to systems with MLX5 network adapters
- Consider temporarily disabling or reducing usage of advanced flow steering features if operationally feasible
- Implement network segmentation to reduce attack surface for systems running vulnerable kernel versions
# Check current kernel version and mlx5 driver status
uname -r
lsmod | grep mlx5
# Verify if mlx5 driver is in use
dmesg | grep -i mlx5
# Update kernel on Debian-based systems
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# Reboot to apply new kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
