CVE-2024-53088: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-53088 addresses a race condition vulnerability in the Linux kernel's i40e driver that can lead to MAC/VLAN filters becoming corrupted and leaking. The vulnerability was discovered in November 2024 and affects Linux kernel versions from 4.10 up to versions before 5.15.172, 6.1.117, 6.6.61, and 6.11.8. The issue occurs under heavy load when multiple threads concurrently modify MAC/VLAN filters (NVD).

The vulnerability manifests as a race condition in the i40e driver when multiple threads concurrently modify MAC/VLAN filters by setting mac and port VLAN. The issue involves Thread T0 allocating a filter in i40e_add_filter() within i40e_ndo_set_vf_port_vlan() while Thread T1 concurrently frees the filter in __i40e_del_filter() within i40e_ndo_set_vf_mac(). Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which refers to the already freed filter memory, causing corruption. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can result in MAC/VLAN filters becoming corrupted and leaking. Under heavy load conditions, the system may display errors such as 'Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX, please set promiscuous on manually for VF XX' in the system logs (Kernel Patch).

The fix implements a new intermediate filter state, I40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list. These filters cannot be deleted from the hash list directly but must be removed using the full process. The patch has been included in various kernel versions and is available through security updates from major Linux distributions (Red Hat Security Advisory).