CVE-2024-42142: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42142 affects the Linux kernel's network subsystem, specifically the MLX5 E-switch ingress ACL functionality. The vulnerability was discovered on July 30, 2024, and affects Linux kernel versions from 5.18 up to versions before 6.1.98, 6.2 to before 6.6.39, 6.7 to before 6.9.9, and 6.10 release candidates. The issue occurs in the net/mlx5 E-switch component where ingress ACL creation is not properly handled (NVD).

The vulnerability stems from the improper handling of ingress ACL creation in the MLX5 E-switch component. The issue arises when ingress ACL is used for three features but is only created when vport metadata match and prio tag are enabled, despite being required for active-backup lag mode independently. When vport metadata match is disabled using the devlink command 'devlink dev param set pci/0000:08:00.0 name eswportmetadata value false', the system can experience a panic when creating drop rules for active-backup lag mode. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system panic when creating drop rules for active-backup lag mode if the ingress ACL is not properly created. Additionally, always creating the ingress ACL results in approximately 5% performance degradation (Kernel Patch).

The vulnerability has been fixed in the Linux kernel through patches that modify the ingress ACL creation logic. The fix ensures that ingress ACL is created when needed, checking if eswportmetadata is true and using existing ingress ACL, or creating a new one if eswportmetadata is false. The patch has been backported to multiple kernel versions (Kernel Patch).