CVE-2024-26669

7.1 HIGH

📋 TL;DR

A memory leak vulnerability in the Linux kernel's net/sched subsystem when using flower classifier chain templates. When a qdisc is deleted, the kernel fails to properly clean up chain template offload resources, causing kernel memory exhaustion over time. This affects systems using traffic control (tc) with flower classifier chain templates.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions between specific commits (exact range depends on distribution backports)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using traffic control (tc) with flower classifier chain templates. Requires CONFIG_NET_SCHED and CONFIG_NET_CLS_FLOWER enabled.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or potential kernel crashes.

🟠

Likely Case

Memory leak leading to gradual performance degradation and eventual system instability requiring reboot.

🟢

If Mitigated

Minimal impact if proper monitoring detects memory exhaustion early and triggers remediation.

🌐 Internet-Facing: LOW - Requires local access or ability to execute tc commands on the system.
🏢 Internal Only: MEDIUM - Could be exploited by users with sufficient privileges to configure network traffic control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Reproduction script provided in CVE description. Requires CAP_NET_ADMIN or root privileges to execute tc commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel commits: 32f2a0afa95f, 9ed46144cff3, c04709b2cc99

Vendor Advisory: https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8

Restart Required: Yes

Instructions:

1. Update to patched kernel version from your distribution.
2. For custom kernels, apply commits 32f2a0afa95f, 9ed46144cff3, c04709b2cc99.
3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable flower chain templates

linux

Avoid using chain templates with flower classifier in traffic control configuration

# Do not use: tc chain add dev <interface> ingress proto ip chain <num> flower

Monitor kernel memory usage

linux

Implement monitoring for slab memory growth to detect potential exploitation

# Monitor slab memory: watch -n 60 'cat /proc/meminfo | grep -i slab'
# Check for memory leaks: slabtop -o
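
One way to turn the slab check above into an automated alert, as an added example that is not part of the advisory or the kernel project. The function names, the 2048 kB threshold, the three-quarters rule and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sustained growth of the Slab: counter in /proc/meminfo.
# Function names, thresholds and sample values are assumptions, not from the advisory.

# Print the Slab: value in kB from a meminfo-format file (default /proc/meminfo).
slab_kb() {
    awk '$1 == "Slab:" { print $2; found = 1 }
         END { exit !found }' "${1:-/proc/meminfo}"
}

# Take $1 samples $2 seconds apart (optional $3: meminfo path), "epoch slab_kB" per line.
collect_samples() {
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "$(date +%s) $(slab_kb "$3")"
        i=$((i + 1))
        if [ "$i" -lt "$1" ]; then sleep "$2"; fi
    done
}

# Read samples on stdin. Print GROWING when net growth is at least $1 kB and at
# least three quarters of the intervals did not decrease; otherwise STABLE.
slab_trend() {
    awk -v min="$1" '
        NF != 2 || $2 !~ /^[0-9]+$/ { next }   # ignore malformed lines
        n > 0 && $2 >= prev { up++ }           # count non-decreasing intervals
        n == 0 { first = $2 }
        { prev = $2; n++ }
        END {
            if (n < 4) { print "INSUFFICIENT"; exit }
            growth = prev - first
            if (growth >= min && up * 4 >= (n - 1) * 3) print "GROWING " growth
            else print "STABLE " growth
        }'
}

# Constructed samples (epoch seconds, Slab kB), one per minute; not real measurements.
sample_growing() {
    cat <<'EOF'
1700000000 412000
1700000060 412640
1700000120 413100
1700000180 413050
1700000240 413900
1700000300 414700
EOF
}
```

On a live host, `collect_samples 10 60 | slab_trend 2048` samples once a minute for ten minutes. Slab also grows for benign reasons such as dentry and inode caching, so treat GROWING as a prompt to inspect `slabtop -o` rather than as proof of this leak.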

🧯 If You Can't Patch

  • Restrict CAP_NET_ADMIN capabilities to trusted users only
  • Implement strict monitoring of tc command usage and kernel memory consumption

🔍 How to Verify

Check if Vulnerable:

Check if the kernel is affected by running the reproduction sequence, then monitoring slab memory for growth:

# tc qdisc add dev <interface> clsact && tc chain add dev <interface> ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 && tc qdisc del dev <interface> clsact

Check Version:

# Check kernel version: uname -r

Verify Fix Applied:

Apply patch and test with same reproduction script - memory should not leak after qdisc deletion

📡 Detection & Monitoring

Log Indicators:

  • Kernel oom-killer messages
  • System logs showing memory pressure
  • Audit logs of tc command execution by unauthorized users

Network Indicators:

  • Unusual traffic control configuration changes

SIEM Query:

process.name='tc' AND command_line CONTAINS 'chain add' AND command_line CONTAINS 'flower'
