{"id":"CVE-2024-53057","summary":"net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it's valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","modified":"2026-04-03T13:14:35.022245558Z","published":"2024-11-19T17:19:40.284Z","related":["SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:0236-1","SUSE-SU-2025:02537-1","SUSE-SU-2025:02588-1","SUSE-SU-2025:02844-1","SUSE-SU-2025:02844-2","SUSE-SU-2025:02848-1","SUSE-SU-2025:02850-1","SUSE-SU-2025:02852-1","SUSE-SU-2025:1177-1","SUSE-SU-2025:1178-1","SUSE-SU-2025:1180-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7169-1","USN-7169-2","USN-7169-3","USN-7169-4","USN-7169-5"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53057.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816"},{"type":"WEB","url":"https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53057.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53057"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"066a3b5b2346febf9a655b444567b7138e3bb939"},{"fixed":"e7f9a6f97eb067599a74f3bcb6761976b0ed303e"},{"fixed":"dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"},{"fixed":"ce691c814bc7a3c30c220ffb5b7422715458fd9b"},{"fixed":"05df1b1dff8f197f1c275b57ccb2ca33021df552"},{"fixed":"580b3189c1972aff0f993837567d36392e9d981b"},{"fixed":"597cf9748c3477bf61bc35f0634129f56764ad24"},{"fixed":"9995909615c3431a5304c1210face5f268d24dba"},{"fixed":"2e95c4384438adeaa772caa560244b1a2efef816"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53057.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}