CVE-2024-45016: netem: fix return value if duplicate enqueue fails
In the Linux kernel, the following vulnerability has been resolved:
netem: fix return value if duplicate enqueue fails
There is a bug in netem_enqueue() introduced by
commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
that can lead to a use-after-free.
This commit made netem_enqueue() always return NET_XMIT_SUCCESS
when a packet is duplicated, which can cause the parent qdisc's q.qlen
to be mistakenly incremented. When this happens qlen_notify() may be
skipped on the parent during destruction, leaving a dangling pointer
for some classful qdiscs like DRR.
There are two ways for the bug happen:
- If the duplicated packet is dropped by rootq->enqueue() and then
the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc
and the original packet is dropped.
In both cases NET_XMIT_SUCCESS is returned even though no packets
are enqueued at the netem qdisc.
The fix is to defer the enqueue of the duplicate packet until after
the original packet has been guaranteed to return NET_XMIT_SUCCESS.
Security readout for executives and security teams
Plain-English summary
CVE-2024-45016 is a Linux kernel networking bug in netem, a traffic-control feature used to emulate network conditions. Under specific packet duplication and drop handling, the kernel can keep an incorrect queue count and leave a dangling pointer, creating a use-after-free risk.
Executive priority
Treat this as a targeted kernel maintenance issue, not an emergency based on current evidence. Patch through normal security update channels, prioritizing systems using Linux traffic-control features, shared infrastructure, appliances, and vendor platforms named in advisories.
Technical view
The flaw is in netem_enqueue(), introduced by commit 5845f706388a. Duplicate packet enqueue failure can still return NET_XMIT_SUCCESS, incorrectly incrementing a parent qdisc qlen. During qdisc destruction, qlen_notify() may be skipped for classful qdiscs such as DRR, leaving stale state and a use-after-free condition.
Likely exposure
Exposure is most likely on Linux systems running affected kernel builds where netem traffic control is configured or reachable through operational workflows. The source bundle lists affected Linux kernel versions and stable fix commits, but does not provide CPEs or detailed product package mappings.
Exploitation context
The bundle does not support active exploitation: KEV is false and no cited source says it is exploited in the wild. The described bug requires specific netem duplicate enqueue and packet drop behavior; the bundle does not state attacker prerequisites or remote exploitability.
Researcher notes
The key issue is an incorrect success return after duplicate enqueue failure, causing qdisc accounting drift and skipped destruction notification. Evidence supports a kernel use-after-free, but not exploitability details, CVSS, CWE classification, or active abuse. Validate against exact kernel branch fixes rather than assuming broad product exposure.
Mitigation direction
Update Linux kernels to vendor builds containing the referenced stable fixes.
Review Debian and Siemens advisories if those platforms are in scope.
If fixed packages are unavailable, follow vendor guidance for temporary mitigations.
Limit privileged traffic-control configuration access to trusted administrators.
Prioritize internet-facing or multi-tenant Linux systems using advanced qdisc configuration.
Validation and detection
Inventory Linux kernel versions and compare them with vendor fixed releases.
Check whether netem or classful qdisc configurations are used on production hosts.
Confirm patched kernels include one of the referenced stable commits.
Review Debian LTS and Siemens advisory applicability for managed assets.
Monitor vendor security advisories for updated severity, package, or mitigation details.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-45016 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.