CVE-2024-49979

MEDIUM EPSS 13.6%
Published Oct 21, 20241y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Oct 21, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net: gso: fix tcp fraglist segmentation after pull from frag_list Detect tcp gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For TCP, this causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at tcp_hdr(seg->next). Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment. Approach and description based on a patch by Willem de Bruijn.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
13.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 3

VendorProductVersionRange
linuxlinux_kernel*≥6.10  –  <6.10.14
linuxlinux_kernel*≥6.11  –  <6.11.3
linuxlinux_kernel6.12any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/75733986fcb0725c0033cde94764389e287b331e
  • git.kernel.org https://git.kernel.org/stable/c/e19201b0c67da5146eaac06fd3d44bd7945c3448

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46
    Patch