CVE-2011-2942
Description
A certain Red Hat patch to the __br_deliver function in net/bridge/br_forward.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging connectivity to a network interface that uses an Ethernet bridge device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux bridge forwarding code on RHEL 5 allows remote attackers to crash the system via a network interface connected to a bridge.
Vulnerability
A NULL pointer dereference vulnerability exists in the __br_deliver function in net/bridge/br_forward.c of the Linux kernel 2.6.18 as shipped with Red Hat Enterprise Linux (RHEL) 5. The bug was introduced by a Red Hat backport that modified the bridge forwarding code. When the br_forward_finish() function calls kfree() on a socket buffer (skb) being forwarded, the code subsequently dereferences skb->dev, which is NULL after the free, leading to a crash. The upstream kernel was not affected because the relevant code had been rewritten. Affected RHEL 5 kernels include those in the 2.6.18-xxx series [1][2].
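The ordering defect described above (an skb handed to a consuming call and then read through afterwards) is easiest to see in a minimal model. The following C program is an added example, not code from the kernel or from Red Hat's patch; `struct sk_buff`, `struct net_device`, `consume_skb_mock`, `deliver_bad`, `deliver_good` and `demo_forward_ordering` are constructed stand-ins. The mock consuming call poisons the skb instead of really freeing it so that the bad path can be observed without undefined behaviour; in the kernel, the read after the hand-off would hit freed memory and crash.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Minimal stand-ins for the kernel's net_device and sk_buff (constructed for
 * this example; these are not the kernel's definitions). */
struct net_device {
    int ifindex;
    char name[16];
};

struct sk_buff {
    struct net_device *dev;   /* interface the skb is associated with */
    int len;
};

/* Model of a consuming call such as br_forward_finish()/kfree_skb(): once the
 * skb has been handed over, the caller no longer owns it. This mock poisons
 * the struct rather than freeing it (assumption for the demo) so that the bad
 * path below can be inspected safely; in the kernel the memory would be gone. */
static void consume_skb_mock(struct sk_buff *skb)
{
    skb->dev = NULL;   /* models the freed/poisoned skb the advisory describes */
    skb->len = -1;
}

/* Vulnerable ordering: hand the skb off, then read skb->dev. Returns the
 * pointer that would be dereferenced so the caller can see it is NULL. */
static struct net_device *deliver_bad(struct sk_buff *skb)
{
    consume_skb_mock(skb);       /* skb is no longer ours after this call */
    return skb->dev;             /* use-after-free / NULL dereference in the kernel */
}

/* Hardened ordering: capture everything needed from the skb before the call
 * that may consume it, and never touch the skb afterwards. */
static struct net_device *deliver_good(struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;   /* saved before ownership transfer */
    consume_skb_mock(skb);
    return dev;                          /* safe: taken from the local copy */
}

/* Build one skb on a given interface (constructed sample data). */
static struct sk_buff *make_skb(struct net_device *dev, int len)
{
    struct sk_buff *skb = calloc(1, sizeof *skb);
    if (!skb)
        return NULL;
    skb->dev = dev;
    skb->len = len;
    return skb;
}

/* Run both orderings on fresh skbs. Returns 1 when the hardened path still
 * yields the original device while the vulnerable path would have
 * dereferenced NULL, 0 otherwise. */
int demo_forward_ordering(void)
{
    struct net_device eth0 = { .ifindex = 2, .name = "eth0" };
    struct sk_buff *a = make_skb(&eth0, 64);
    struct sk_buff *b = make_skb(&eth0, 64);
    if (!a || !b) {
        free(a);
        free(b);
        return 0;
    }
    struct net_device *bad = deliver_bad(a);
    struct net_device *good = deliver_good(b);
    free(a);
    free(b);
    return bad == NULL && good == &eth0 && good->ifindex == 2;
}
```

The point of the hardened variant is purely about ownership: any field of the skb that is still needed after the forwarding call must be copied into a local before the call, which is the same discipline reviewers apply to any function that may free or queue its argument.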
Exploitation
An attacker can trigger this vulnerability by sending crafted network packets to a network interface that is part of an Ethernet bridge. The attacker only needs network connectivity to the bridged network and no authentication. The exploit involves sending a sequence of packets that cause the bridge forwarding path to free an skb and then dereference its dev pointer, resulting in a NULL pointer dereference [1].
Impact
Successful exploitation leads to a denial of service (system crash) due to a NULL pointer dereference. The Red Hat advisory also notes unspecified other impact, but the primary and confirmed impact is a system crash, making the system unavailable. No privilege escalation or data disclosure is indicated in the available references [1][2].
Mitigation
Red Hat released updates to fix CVE-2011-2942 as part of its errata. The fixed kernel versions are included in RHEL 5.7 and later updates released in 2011. Users should apply the relevant kernel update from Red Hat. For RHEL 5 systems that cannot be immediately updated, no viable workaround is documented; the recommended mitigation is to patch the system with the fixed kernel. The vulnerability was not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
- Range: ≤ 2.6.18
- Range: 2.6.18
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.