CVE-2024-50252: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50252 affects the Linux kernel's mlxsw spectrum_ipip driver, specifically related to memory management when changing remote IPv6 addresses. The vulnerability was discovered and reported by Maksym Yaremchuk and resolved in November 2024. The issue affects Linux kernel versions from 5.17 up to (excluding) 6.1.116, 6.2 up to (excluding) 6.6.60, and 6.7 up to (excluding) 6.11.7 (NVD).

The vulnerability stems from improper memory management in the mlxsw spectrum_ipip driver when handling IPv6 addresses used for encapsulation. The device stores these addresses in linear memory managed by the driver. When changing the remote address of an ip6gre net device, the new remote address is never added to the driver's hash table, and the old address is never removed, leading to a memory leak. The issue has a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

The vulnerability results in a memory leak when changing remote IPv6 addresses in the affected driver. This can lead to resource exhaustion and potential system instability over time (NVD).

The issue has been fixed in the Linux kernel through patches that properly handle address changes by programming the new address when the configuration of the ip6gre net device changes and removing the old one. Users should update to patched kernel versions: 6.1.116 or later, 6.6.60 or later, or 6.11.7 or later (NVD, Red Hat).