CVE-2024-50036: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50036 is a vulnerability in the Linux kernel's networking subsystem, specifically related to the handling of destination entries (dst) in the network stack. The vulnerability was discovered in October 2024 and affects Linux kernel versions from 3.10.50 up to (excluding) 6.6.57, and versions from 6.7 up to (excluding) 6.11.4 (NVD).

The vulnerability stems from a race condition in the dst_entries_add() function which uses per-CPU data that might be freed during network namespace dismantling through ip6_route_net_exit() calling dst_entries_destroy(). The issue occurs because dst_release() waits for an RCU grace period before calling dst_destroy(), making the dst_entries_add() use in dst_destroy() racy since dst_entries_destroy() could have been called already. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (HIGH) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to a use-after-free condition in the kernel's networking stack, particularly when dealing with IPSEC configurations where dst_destroy() can call dst_release_immediate(child) if the child does not have DST_NOCOUNT set (Kernel Patch).

The vulnerability has been fixed by modifying the dst_release() function to perform dst_entries_add() operations sooner, before the RCU grace period. The fix involves creating a new dst_count_dec() function to handle the decrementing of destination entries counts at the appropriate time. The patch has been merged into the Linux kernel (Kernel Patch).