CVE intelligence and bounded remediation
CVE-2024-46800 — Linux Linux Kernel security vulnerability
In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF
- Severity
- High
- CVSS
- 7.8 (3.1)
- Published
- 2024-09-18
- CISA KEV
- Not currently listed
- Ecosystem
- linux/kernel
- Weaknesses
- CWE-416
Affected products
- linux / linux_kernel
- linux / linux_kernel / 6.11
Matched remediation archetype
Use-after-free, double free, and expired resource use
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Trace ownership, references, callbacks, asynchronous tasks, and teardown paths around the affected object or resource.
- Identify reachable inputs and timing or state transitions that can release the object while references remain.
- Confirm affected builds, allocators, feature flags, architectures, and process privileges.
Remediate safely
- Apply the maintained ownership or lifetime fix and rebuild all artifacts containing the affected native code.
- Use explicit ownership, safe reference management, cancellation and join semantics, and idempotent teardown.
- Add deterministic lifetime tests plus isolated sanitizer and concurrency coverage for shutdown and error paths.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.