CVE-2024-46800 Overview
CVE-2024-46800 is a use-after-free vulnerability in the Linux kernel's network emulator (netem) queueing discipline. The vulnerability exists in the netem_dequeue() function, where improper handling of packets enqueued to an inner qdisc can lead to memory corruption when the inner qdisc returns __NET_XMIT_STOLEN. When this occurs, the packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, resulting in a use-after-free condition that can be detected by KASAN (Kernel Address Sanitizer).
Critical Impact
This use-after-free vulnerability in the Linux kernel networking subsystem could allow a local attacker with low privileges to achieve code execution, information disclosure, or denial of service through memory corruption in the qdisc (queueing discipline) component.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 6.11 RC1 through RC6
- Multiple stable kernel branches (see vendor commits for specific version ranges)
Discovery Timeline
- September 18, 2024 - CVE-2024-46800 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-46800
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free) and affects the network traffic control subsystem of the Linux kernel, specifically the netem (network emulator) module. The netem qdisc is commonly used for network testing and simulation by introducing delays, packet loss, and other network conditions.
The vulnerability is similar to a previously fixed issue referenced in commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails"). When netem_dequeue() enqueues a packet to an inner qdisc and that qdisc returns __NET_XMIT_STOLEN, the packet is considered dropped. However, the code fails to call qdisc_tree_reduce_backlog() to properly update the parent queue's length counter (q.qlen). This inconsistency between the actual queue state and the tracked queue length creates a use-after-free condition where freed memory may be subsequently accessed.
Root Cause
The root cause is a missing call to qdisc_tree_reduce_backlog() in the netem_dequeue() function when handling the __NET_XMIT_STOLEN return value from an inner qdisc. When a packet is stolen (consumed) by the inner qdisc but the parent's backlog counter is not decremented, the kernel maintains a stale reference that can lead to accessing freed memory during subsequent operations on the qdisc hierarchy.
Attack Vector
The vulnerability requires local access and can be triggered through specific traffic control (tc) configurations. An attacker with the ability to configure network qdiscs can create a chain of qdiscs involving netem with mirred egress redirect actions that trigger the vulnerable code path.
The vulnerability can be triggered using the following sequence of traffic control commands and network operations:
# Commands to trigger the use-after-free (from CVE description)
ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF occurs here
Detection Methods for CVE-2024-46800
Indicators of Compromise
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in netem-related functions
- Kernel oops or panic messages referencing netem_dequeue or related qdisc functions
- Unexpected system crashes when complex qdisc configurations involving netem are in use
Detection Strategies
- Enable KASAN in development and testing kernels to detect memory corruption issues
- Monitor kernel logs for warnings or errors related to the netem module (sch_netem)
- Audit systems for complex traffic control configurations that chain netem with redirect actions
- Use kernel tracing (ftrace) to monitor netem_dequeue() and related qdisc functions
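One way to carry out the configuration audit above, as an added example that is not part of the original advisory: it reads `tc qdisc show` output and reports every netem qdisc that has an inner qdisc attached on the same device. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag netem qdiscs that have an inner qdisc attached.

# Constructed sample of `tc qdisc show` output (not captured from a real host).
sample_tc_qdisc_show() {
    cat <<'EOF'
qdisc drr 1: dev lo root refcnt 2
qdisc netem 2: dev lo parent 1:1 limit 1000
qdisc drr 3: dev lo parent 2:
qdisc noqueue 0: dev dummy0 root refcnt 2
qdisc netem 2: dev eth0 root refcnt 2 limit 1000 delay 100ms
EOF
}

# Reads `tc qdisc show` text on stdin and prints one line per finding:
#   <dev> netem <netem handle> -> <inner kind> <inner handle>
audit_netem_chains() {
    awk '
    $1 == "qdisc" {
        kind = $2; handle = $3; dev = ""; parent = ""
        for (i = 4; i < NF; i++) {
            if ($i == "dev" && dev == "")       dev = $(i + 1)
            if ($i == "parent" && parent == "") parent = $(i + 1)
        }
        # Handles are "major:"; parents are "major:" or "major:minor".
        split(handle, h, ":")
        if (kind == "netem") netem[dev SUBSEP h[1]] = handle
        if (parent != "") {
            split(parent, p, ":")
            n++; cdev[n] = dev; cmaj[n] = p[1]; ckind[n] = kind; chandle[n] = handle
        }
    }
    END {
        # A qdisc whose parent major equals a netem handle on the same device
        # is an inner qdisc of that netem instance.
        for (i = 1; i <= n; i++) {
            key = cdev[i] SUBSEP cmaj[i]
            if (key in netem)
                printf "%s netem %s -> %s %s\n", cdev[i], netem[key], ckind[i], chandle[i]
        }
    }'
}

sample_tc_qdisc_show | audit_netem_chains
```

On a live host, run `tc qdisc show | audit_netem_chains`, then review each flagged inner qdisc with `tc filter show dev <dev> parent <handle>` for mirred redirect actions.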
Monitoring Recommendations
- Implement syslog monitoring for kernel memory corruption warnings and KASAN reports
- Review traffic control configurations on systems where untrusted users may have CAP_NET_ADMIN capabilities
- Monitor for unusual tc command executions that create complex qdisc hierarchies
- Consider restricting tc command access to trusted administrators only
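A sketch of the kernel-log monitoring described above, added here as an example and not taken from the original advisory: it groups each KASAN report into a block and prints the report title only when a line inside the block references netem, so a report whose title names another qdisc function is still caught. The log lines are constructed; offsets, addresses and the crash site are illustrative and are not a capture of this CVE's report.

```shell
#!/bin/sh
# Added example: triage KASAN reports whose trace references netem.

# Constructed kernel log sample (illustrative values, not real output).
sample_kernel_log() {
    cat <<'EOF'
[  101.000001] ==================================================================
[  101.000002] BUG: KASAN: slab-use-after-free in example_drv_read+0x40/0x90 [example_drv]
[  101.000003] Read of size 4 at addr ffff888000000000 by task cat/200
[  101.000004] Call Trace:
[  101.000005]  example_drv_read+0x40/0x90 [example_drv]
[  101.000006] ==================================================================
[  245.000001] ==================================================================
[  245.000002] BUG: KASAN: slab-use-after-free in drr_dequeue+0x4a/0x2e0 [sch_drr]
[  245.000003] Read of size 8 at addr ffff888000001000 by task ping/312
[  245.000004] Call Trace:
[  245.000005]  drr_dequeue+0x4a/0x2e0 [sch_drr]
[  245.000006]  netem_dequeue+0x1a2/0x9c0 [sch_netem]
[  245.000007] ==================================================================
EOF
}

# Reads kernel log text on stdin (dmesg or syslog prefixes are both accepted)
# and prints the title of every KASAN report that mentions netem anywhere
# between its "BUG: KASAN:" line and the closing separator.
kasan_netem_reports() {
    awk '
    function flush() {
        if (in_report && hit) print title
        in_report = 0; hit = 0
    }
    match($0, /BUG: KASAN: /) {
        flush()
        in_report = 1
        title = substr($0, RSTART + RLENGTH)
    }
    in_report && /netem/ { hit = 1 }   # matches netem_dequeue and [sch_netem]
    /==========$/ { flush() }          # separator line closes the report
    END { flush() }'
}

sample_kernel_log | kasan_netem_reports
```

On a live system, feed it `dmesg` or `journalctl -k` output and forward any printed title to the alerting pipeline.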
How to Mitigate CVE-2024-46800
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix
- Restrict access to traffic control (tc) commands and CAP_NET_ADMIN capability
- Review and simplify any existing complex qdisc configurations involving netem
- Monitor systems for signs of exploitation attempts
Patch Information
Multiple kernel stable branches have received patches for this vulnerability. The fix ensures that qdisc_tree_reduce_backlog() is properly called when packets are stolen by inner qdiscs, maintaining consistent queue state. Apply the appropriate patch for your kernel version:
- Kernel Commit 14f91ab
- Kernel Commit 295ad5a
- Kernel Commit 32008ab
- Kernel Commit 3b3a2a9
- Kernel Commit 98c75d7
- Kernel Commit db2c235
- Kernel Commit dde33a9
- Kernel Commit f0bddb4
Debian users should refer to the Debian LTS Announcement October 2024 and Debian LTS Announcement January 2025 for distribution-specific updates.
Workarounds
- Restrict CAP_NET_ADMIN capability to trusted users only to prevent unauthorized qdisc manipulation
- Avoid using netem qdisc with complex redirect configurations in production environments
- If netem functionality is not required, consider blacklisting the sch_netem module
- Implement network namespaces with restricted capabilities to isolate untrusted workloads
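# Block the sch_netem module if not needed. "blacklist" only stops alias-based
# autoloading, so also add an "install" rule that makes a load by module name fail.
echo "blacklist sch_netem" >> /etc/modprobe.d/blacklist-netem.conf
echo "install sch_netem /bin/false" >> /etc/modprobe.d/blacklist-netem.conf
# Remove the root qdisc on lo (repeat for any other device that carries a netem qdisc)
tc qdisc del dev lo root 2>/dev/null || true
# Verify the module is not loaded (no output expected); if it is listed, unload it with: modprobe -r sch_netem
lsmod | grep sch_netem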


