CVE-2024-50261: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50261 is a use-after-free vulnerability discovered in the Linux kernel's MACsec (Media Access Control Security) implementation. The vulnerability was identified in the handling of offloading packets, where the metadata_dst, used to store the SCI value for macsec offload, was being freed prematurely while still being used by the driver for packet transmission. The issue affects Linux kernel versions from 6.1 through 6.11.7, including various release candidates of version 6.12 (NVD).

The vulnerability stems from a race condition in the macsecfreenetdev() function where metadatadstfree() is called to free the metadatadst structure while it's still being referenced by the network driver for packet transmission. This results in a use-after-free condition that KASAN (Kernel Address Sanitizer) detected during packet transmission in the mlx5exmit function. The issue was traced back to the original implementation introduced by commit 0a28bfd4971f which added MACsec skbmetadatadst Tx Data path support (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to system crashes, privilege escalation, or information disclosure due to the use-after-free condition in the kernel's networking stack. The high CVSS score indicates that successful exploitation could result in complete compromise of system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed by replacing metadatadstfree() with dstrelease() in the macsecfreenetdev() function. This ensures that the metadatadst structure is not freed immediately if it's still being referenced by an skb. The fix has been backported to affected stable kernel versions (Kernel Patch). Users should update to patched kernel versions: 6.1.116 or later for the 6.1 series, 6.6.60 or later for the 6.2-6.6 series, and 6.11.7 or later for the 6.7-6.11 series.