LiveActive security incident?Get immediate response
CVE Record

CVE-2024-42272: sched: act_ct: take care of padding in struct zones_ht_key

In the Linux kernel, the following vulnerability has been resolved: sched: act_ct: take care of padding in struct zones_ht_key Blamed commit increased lookup key size from 2 bytes to 16 bytes, because zones_ht_key got a struct net pointer. Make sure rhashtable_lookup() is not using the padding bytes which are not initialized. BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline] BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline] BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329 rht_ptr_rcu include/linux/rhashtable.h:376 [inline] __rhashtable_lookup include/linux/rhashtable.h:607 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329 tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408 tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425 tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488 tcf_action_add net/sched/act_api.c:2061 [inline] tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118 rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2597 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651 __sys_sendmsg net/socket.c:2680 [inline] __do_sys_sendmsg net/socket.c:2689 [inline] __se_sys_sendmsg net/socket.c:2687 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687 x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable key created at: tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324 tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel bug in the traffic-control connection-tracking action. The kernel could use uninitialized padding bytes while looking up an internal hash key. The public record confirms a fix exists, but does not provide CVSS, a clear impact statement, or evidence of active exploitation.

Executive priority

Treat this as a kernel maintenance priority, not an emergency based on available evidence. Patch in normal vulnerability windows, accelerating for shared, high-value, or network-control-heavy Linux systems because kernel bugs can have broad operational impact even when exploit details are absent.

Technical view

In net/sched/act_ct.c, struct zones_ht_key grew after adding a struct net pointer. rhashtable_lookup_fast could include uninitialized padding bytes in key handling, reported by KMSAN during tcf_ct_flow_table_get reached from rtnetlink traffic-control action creation. Stable kernel commits address the key padding issue.

Likely exposure

Exposure is Linux systems running affected kernel builds that include the sched act_ct code path. The source bundle lists Linux stable branches and fix markers, with Debian LTS and Siemens advisories indicating downstream relevance. Exact exposure depends on vendor kernel backports and whether traffic-control connection tracking is present or used.

Exploitation context

The provided sources do not report active exploitation, and KEV status is false. The observed path is local rtnetlink traffic-control action handling, not a described remote network exploit. Required privileges and practical impact are not specified in the source bundle.

Researcher notes

Key uncertainty is impact: the record documents uninitialized padding use detected by KMSAN, but not confidentiality, integrity, or availability consequences. Avoid assuming exploitability. Validate by code lineage, branch-specific stable commits, and downstream advisories rather than mainline version strings alone.

Mitigation direction

  • Update Linux kernels through your vendor to builds containing the referenced stable fixes.
  • Prioritize hosts where traffic-control connection-tracking actions are configured or administratively exposed.
  • Review Debian LTS and Siemens advisories if those distributions or products are in scope.
  • If no vendor fix is available, follow vendor guidance for temporary risk reduction.

Validation and detection

  • Inventory kernel versions and vendor package revisions across Linux fleets.
  • Compare installed kernels against vendor advisories and the referenced stable commit lineage.
  • Check whether traffic-control connection-tracking actions are configured on high-value systems.
  • Confirm patched kernels are deployed after reboot or live-patch activation.
  • Record exceptions where vendor backports make version-only checks unreliable.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-42272 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux03f625505e27f709390a86c9b78d3707f4c23df8, aa1f81fe3a059bc984b230b5352ab89d06aa3c7b, 2f82f75f843445daa81e8b2a76774b1348033ce6, 9126fd82e9edc7b4796f756e4b258d34f17e5e4a, 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a, 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a, b4382b854975ae96fbfcc83a1d79b5c063c1aaa8, 5.10.221, 5.15.162, 6.1.96, 6.6.36, 6.9.7unaffected
LinuxLinux6.10, 0, 5.10.224, 5.15.165, 6.1.104, 6.6.45, 6.10.4, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.