Login Sign Up

CVE-2024-42138

7.8 HIGH

📋 TL;DR

This is a double-free memory corruption vulnerability in the Linux kernel's mlxsw driver for Mellanox network devices. It allows local attackers with access to the system to potentially crash the kernel or execute arbitrary code. Affects systems using Mellanox network hardware with vulnerable kernel versions.

💻 Affected Systems

Products:
  • Linux kernel with mlxsw driver
Versions: Specific kernel versions containing the vulnerable code (check git commits for exact ranges)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Mellanox network hardware using the mlxsw driver. Requires invalid INI file to trigger the double-free condition.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to kernel-level code execution, leading to complete system compromise.

🟠

Likely Case

Kernel panic or system crash causing denial of service.

🟢

If Mitigated

No impact if proper kernel hardening and access controls prevent local attackers from triggering the vulnerable code path.

🌐 Internet-Facing: LOW - Requires local access to trigger the vulnerability.
🏢 Internal Only: MEDIUM - Local attackers on affected systems could exploit this, but requires specific Mellanox hardware and driver usage.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger invalid INI file processing. Memory corruption vulnerabilities in kernel drivers can be leveraged for privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 8ce34dccbe8fa7d2ef86f2d8e7db2a9b67cabfc3, 9af7437669b72f804fc4269f487528dbbed142a2, ab557f5cd993a3201b09593633d04b891263d5c0, f8b55a465b0e8a500179808166fe9420f5c091a1

Vendor Advisory: https://git.kernel.org/stable/c/8ce34dccbe8fa7d2ef86f2d8e7db2a9b67cabfc3

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version. 2. Check distribution-specific security advisories. 3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable mlxsw driver

linux

Remove or blacklist the mlxsw driver if Mellanox hardware is not required

echo 'blacklist mlxsw_core' > /etc/modprobe.d/blacklist-mlxsw.conf
rmmod mlxsw_core

🧯 If You Can't Patch

  • Restrict local user access to systems with Mellanox hardware
  • Implement strict file integrity monitoring for INI configuration files

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if mlxsw modules are loaded: lsmod | grep mlxsw && uname -r

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated beyond vulnerable commits and mlxsw driver loads without errors

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • System crashes/panics
  • mlxsw driver error messages in dmesg

Network Indicators:

  • None - local vulnerability only

SIEM Query:

search 'kernel panic' OR 'Oops' OR 'mlxsw' in system logs

📊 Metadata

CVE ID: CVE-2024-42138
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-415
Published: July 30, 2024
Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-42138, you might also want to check these:

CVE-2020-35885 9.8

This vulnerability in the alpm-rs Rust crate allows double-free memory corruption due to improper de...

Same vulnerability type (CWE-415)
CVE-2021-29940 9.8

This vulnerability in the Rust 'through' crate allows double-free memory corruption when the map fun...

Same vulnerability type (CWE-415)
CVE-2023-49937 9.8

This CVE describes a double-free vulnerability in SchedMD Slurm workload manager that allows attacke...

Same vulnerability type (CWE-415)