A critical vulnerability designated CVE-2024-35854 has been disclosed in the Linux kernel's Mellanox mlxsw driver, specifically affecting the Spectrum switch's Access Control List (ACL) Ternary Content-Addressable Memory (TCAM) management code. This flaw, a use-after-free condition, stems from a subtle timing bug that allows background rehash operations to destroy a memory region still referenced by active filter entries, potentially leading to system crashes, privilege escalation, or arbitrary code execution. The vulnerability impacts systems running Linux kernels with the mlxsw_spectrum driver enabled, which is common in data centers and cloud environments utilizing Mellanox/NVIDIA Spectrum-based Ethernet switches for high-performance networking.
Technical Breakdown of the Vulnerability
The vulnerability resides in the drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c file within the Linux kernel source tree. The mlxsw driver manages hardware ACLs on Mellanox Spectrum ASICs using a software-managed TCAM structure. To maintain efficiency as rules are added and deleted, the driver periodically performs a "rehash" operation—a background process that reorganizes the TCAM regions. The flaw is a classic race condition: the code fails to properly synchronize between the thread executing the rehash and threads that might still be holding references to the TCAM region being reorganized.
Specifically, when the mlxsw_sp_acl_tcam_vregion_rehash_work() function executes, it can call mlxsw_sp_acl_tcam_vregion_destroy() on a virtual region (vregion) while active filter entries (ventry) still reference it. This occurs because the check for active references (vregion->ref_count) and the subsequent destruction are not atomic with respect to other operations that might increment the reference count. An attacker with local access could potentially exploit this timing window by rapidly adding and deleting ACL rules, increasing the probability of triggering the race condition and corrupting kernel memory.
Impact and Severity Assessment
CVE-2024-35854 has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This scoring indicates:
- Attack Vector (AV:L): The attacker must have local access to the system.
- Attack Complexity (AC:L): The attack is considered low complexity, though triggering the race condition reliably may require specific timing.
- Privileges Required (PR:L): The attacker needs low-level privileges (user privileges).
- User Interaction (UI:N): No user interaction is required.
- Scope (S:U): The vulnerability's impact is confined to the vulnerable component (the kernel).
- Impact: High confidentiality, integrity, and availability impact—successful exploitation could lead to full system compromise.
The primary risk is to multi-tenant cloud environments, container hosts, and virtualized systems where a malicious user or compromised container could escape isolation and compromise the host kernel. This could lead to data breaches, service disruption, or lateral movement within a data center. Systems using Spectrum switches for network segmentation or security policy enforcement are particularly concerning, as compromising the driver could undermine these controls.
The Patch and Mitigation Strategies
The fix for CVE-2024-35854 was committed to the mainline Linux kernel by Mellanox/NVIDIA developers. The patch ensures proper reference counting and synchronization before destroying a TCAM region during rehash. The core correction involves making the check for vregion->ref_count and the subsequent actions atomic, preventing the destruction of a region that is still in use.
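To make the check-then-destroy race from the technical breakdown and the serialisation the patch description calls for concrete, here is a constructed model of the pattern. It is added example code, not the mlxsw driver's code: the structure and function names (vregion, ventry, rehash_locked and so on), the mutex, the "destroyed" flag that stands in for freed memory, and the hand-scripted interleaving are all assumptions of the model. The unsynchronised variant reads ref_count outside any lock, lets an attach land in the window, and then tears the region down on the basis of the stale read; the synchronised variant makes the check and the teardown one critical section and has the attach path refuse a region that is already gone.

```c
#include <pthread.h>
#include <stdbool.h>

/* Toy model of the lifetime bug (constructed for illustration; nothing here
 * is the mlxsw driver's own code). A virtual region counts the filter entries
 * attached to it; a background rehash tears it down when it believes nothing
 * references it. "destroyed" stands in for freed memory so a use is detected
 * instead of being undefined behaviour. */

struct vregion {
    pthread_mutex_t lock; /* serialises ref_count changes and teardown */
    int ref_count;        /* entries currently attached to this region */
    bool destroyed;       /* region has been torn down */
};

struct ventry { struct vregion *vregion; /* NULL until attached */ };

#define VREGION_INIT { PTHREAD_MUTEX_INITIALIZER, 0, false }

/* Attach path: takes the lock and refuses a region that is already gone. */
static bool ventry_attach(struct ventry *ve, struct vregion *vr)
{
    bool ok;
    pthread_mutex_lock(&vr->lock);
    ok = !vr->destroyed;
    if (ok) {
        vr->ref_count++;
        ve->vregion = vr;
    }
    pthread_mutex_unlock(&vr->lock);
    return ok;
}

/* True if the entry would now touch a region that no longer exists. */
static bool ventry_use_is_uaf(const struct ventry *ve)
{
    return ve->vregion != NULL && ve->vregion->destroyed;
}

/* Second half of the unsynchronised rehash: acts on a ref_count snapshot
 * taken earlier without the lock, even if it has gone stale since. */
static void rehash_destroy_unlocked(struct vregion *vr, int snapshot)
{
    if (snapshot == 0)
        vr->destroyed = true;
}

/* Synchronised rehash: check and teardown form one critical section, so an
 * attach either completes before it (ref_count is then non-zero and the
 * region survives) or starts after it and is refused. Returns true if the
 * region was torn down. */
static bool rehash_locked(struct vregion *vr)
{
    bool idle;
    pthread_mutex_lock(&vr->lock);
    idle = vr->ref_count == 0;
    if (idle)
        vr->destroyed = true;
    pthread_mutex_unlock(&vr->lock);
    return idle;
}

/* Scenario 1, the race window: true if the entry is left referencing a
 * destroyed region. */
bool scenario_unsynchronised(void)
{
    struct vregion vr = VREGION_INIT;
    struct ventry ve = { NULL };
    int snapshot = vr.ref_count;            /* rehash reads 0 outside the lock */

    ventry_attach(&ve, &vr);                /* attach lands inside the window */
    rehash_destroy_unlocked(&vr, snapshot); /* teardown trusts the stale 0 */
    return ventry_use_is_uaf(&ve);          /* true: region gone, entry still points at it */
}

/* Scenario 2a, locked, attach reaches the critical section first. */
bool scenario_locked_attach_first(void)
{
    struct vregion vr = VREGION_INIT;
    struct ventry ve = { NULL };

    ventry_attach(&ve, &vr);       /* ref_count becomes 1 */
    rehash_locked(&vr);            /* sees the reference, leaves the region alone */
    return ventry_use_is_uaf(&ve); /* false */
}

/* Scenario 2b, locked, rehash reaches the critical section first. */
bool scenario_locked_rehash_first(void)
{
    struct vregion vr = VREGION_INIT;
    struct ventry ve = { NULL };

    rehash_locked(&vr);                                       /* torn down while idle */
    return ventry_attach(&ve, &vr) || ventry_use_is_uaf(&ve); /* attach refused: false */
}
```

The interleaving is scripted sequentially on purpose: a real race is timing-dependent and would make the result non-deterministic, which is exactly why such bugs survive review and testing. In a running kernel the first scenario shows up as a slab use-after-free report from KASAN rather than as a boolean, and the second pair shows what the fix has to guarantee: no path may observe a region between the moment its reference count is judged to be zero and the moment it is freed.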
Immediate mitigation steps for administrators include:
- Kernel Patching: Apply the official patch to the Linux kernel. The fix is included in stable kernel branches. Key commit: "mlxsw: spectrum_acl_tcam: Fix use-after-free during rehash". The patch adds proper locking and reference validation in mlxsw_sp_acl_tcam_vregion_rehash_work().
- Kernel Version Check: Verify your kernel version. The fix is present in mainline kernels and has been backported to stable/long-term support (LTS) branches. Check your distribution's security advisory.
- Module Restriction: If the mlxsw_spectrum driver is not required, consider preventing it from loading via kernel module blacklisting (e.g., adding the line "blacklist mlxsw_spectrum" to a file under /etc/modprobe.d/). However, this will disable functionality for Mellanox Spectrum switches.
- Network Segmentation: As a broader security practice, ensure systems potentially exposed to local attackers (like cloud instances) are properly segmented from critical infrastructure.
Network Segmentation: As a broader security practice, ensure systems potentially exposed to local attackers (like cloud instances) are properly segmented from critical infrastructure.
Vendor Responses and Distribution Updates
Major Linux distributions have released updates addressing CVE-2024-35854. Users should check their distributor's security portal:
- Red Hat/CentOS/Fedora: Released updates via the kernel and kernel-rt packages. Red Hat Enterprise Linux (RHEL) affected versions include 8 and 9.
- Canonical Ubuntu: Released updates for all supported LTS and interim releases. The linux and linux-aws packages contain the fix.
- SUSE Linux Enterprise Server (SLES): Released updates for SLES 15 and 12.
- Debian: Released updates for Debian 12 (Bookworm) and 11 (Bullseye) via the linux source package.
NVIDIA, which acquired Mellanox in 2020, has acknowledged the vulnerability in its security advisories and credits the discovery to internal security research. The flaw highlights the critical importance of rigorous code review and testing for kernel-level drivers, especially those managing complex hardware state like networking ASICs.
Broader Implications for System Security
CVE-2024-35854 is a stark reminder of the security criticality of kernel drivers, particularly for high-performance networking hardware. The mlxsw driver is essential for leveraging the advanced capabilities of Spectrum switches, but its complexity introduces attack surface. This vulnerability follows a pattern of use-after-free flaws discovered in various kernel subsystems, emphasizing the need for:
- Improved use of automated code analysis and fuzzing for kernel drivers.
- Stricter code review processes for concurrency and lifetime management.
- Defense-in-depth through kernel hardening features like CONFIG_REFCOUNT_FULL and CONFIG_SLAB_FREELIST_HARDENED, which can make exploitation of such bugs more difficult, though not impossible.
For organizations relying on Mellanox/NVIDIA networking, this incident underscores the necessity of a robust patch management strategy for both the host operating system and the underlying firmware of the networking hardware itself, as vulnerabilities can exist at multiple layers of the stack.
Conclusion and Recommendations
CVE-2024-35854 is a high-severity local privilege escalation vulnerability in a widely used Linux kernel driver. While exploitation requires local access and precise timing, the potential impact on cloud and data center environments is significant. System administrators should prioritize applying the available kernel patches from their respective Linux distributions. Furthermore, this event should prompt security teams to audit their kernel configurations, minimize unnecessary driver modules, and ensure they are subscribed to security advisories for all components in their infrastructure, from the application layer down to the kernel drivers that interface with critical hardware.