
CVE-2024-26597: Vulnerability in Linux Linux

Severity: High
Tags: vulnerability, cve, cve-2024-26597
Published: Fri Feb 23 2024 (02/23/2024, 14:46:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: qualcomm: rmnet: fix global oob in rmnet_policy

The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below:

==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207

CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x172/0x475 mm/kasan/report.c:395
 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495
 validate_nla lib/nlattr.c:386 [inline]
 __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
 __nla_parse+0x3e/0x50 lib/nlattr.c:697
 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]
 __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594
 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091
 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0x154/0x190 net/socket.c:734
 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fdcf2072359
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359
RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000
 </TASK>

The buggy address belongs to the variable:
 rmnet_policy+0x30/0xe0

The buggy address belongs to the physical page:
page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243
flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07
 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9
>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
                                                 ^
 ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9

According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.

AI-Powered Analysis

Last updated: 06/29/2025, 21:10:06 UTC

Technical Analysis

CVE-2024-26597 is a vulnerability identified in the Linux kernel, specifically within the Qualcomm RMNET driver component. The issue arises from an improper bounds check on the 'maxtype' variable used in parsing netlink attributes related to RMNET policy. The vulnerability manifests as a global out-of-bounds (OOB) read, where the kernel attempts to read memory beyond the allocated bounds of an array. This occurs because the 'rmnet_link_ops' variable assigns a larger 'maxtype' than the size of the destination array minus one, violating the expected constraint described in the 'nla_parse_nested_deprecated' function. The out-of-bounds read is detected by Kernel Address Sanitizer (KASAN) during validation of netlink attributes, indicating a memory safety violation. The bug trace shows that the issue occurs during the processing of rtnetlink messages, which are used for network configuration and management in Linux. The vulnerability affects Linux kernel version 6.1.0 and likely others with the same RMNET implementation. The root cause is a logic error in the bounds checking of netlink attribute parsing, leading to a read from an invalid memory address. While the vulnerability is a read (not write) out-of-bounds, such flaws can potentially be leveraged for information disclosure or to cause kernel crashes (denial of service). The vulnerability does not require user interaction but does require the ability to send crafted netlink messages to the kernel, which typically requires local or privileged access. No known exploits are reported in the wild as of the publication date. No CVSS score has been assigned yet. The fix involves correcting the 'maxtype' value to be the length of the destination array minus one, ensuring proper bounds checking and preventing the out-of-bounds read.
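The mechanism described in the commit message and in the analysis above reduces to one invariant: the maxtype handed to the netlink parser must equal the length of the policy array minus one, because the parser indexes policy[type] for every type up to and including maxtype. The user-space C model below is an added example, not code from the kernel or from this record; the IFLA_RMNET_* enum and the policy entries are modelled on the kernel's definitions but should be treated as assumptions, and the one-too-large pre-fix value (the array's __IFLA_RMNET_MAX terminator instead of IFLA_RMNET_MAX) is this author's reading of the description. Instead of performing the out-of-bounds read, validate_attr() reports it, which is what a unit test or a static check for this bug class wants to see.

```c
#include <stddef.h>
#include <stdio.h>

/* Attribute numbering modelled on the kernel's IFLA_RMNET_* enum
 * (include/uapi/linux/if_link.h); exact members are an assumption here. */
enum {
    IFLA_RMNET_UNSPEC,
    IFLA_RMNET_MUX_ID,
    IFLA_RMNET_FLAGS,
    __IFLA_RMNET_MAX,
};
#define IFLA_RMNET_MAX (__IFLA_RMNET_MAX - 1)

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

enum { NLA_UNSPEC, NLA_U16, NLA_NESTED };

struct nla_policy {
    int type;
    size_t len;
};

/* Destination policy array: exactly IFLA_RMNET_MAX + 1 entries, indexed by
 * attribute type, mirroring the shape of the driver's rmnet_policy. */
static const struct nla_policy rmnet_policy[IFLA_RMNET_MAX + 1] = {
    [IFLA_RMNET_MUX_ID] = { .type = NLA_U16,    .len = 2 },
    [IFLA_RMNET_FLAGS]  = { .type = NLA_NESTED, .len = 0 },
};

enum validate_result {
    ATTR_OK,          /* type within the policy array, entry consulted */
    ATTR_IGNORED,     /* type > maxtype: skipped, as the kernel parser does */
    ATTR_OOB_POLICY,  /* type <= maxtype but >= array length: the bug */
};

/* Models the index step of validate_nla(): the kernel only checks
 * `type <= maxtype` before reading policy[type]. The extra comparison against
 * policy_len reports the out-of-bounds case instead of performing it. */
static enum validate_result validate_attr(int type, int maxtype,
                                          const struct nla_policy *policy,
                                          size_t policy_len)
{
    if (type <= 0 || type > maxtype)
        return ATTR_IGNORED;
    if ((size_t)type >= policy_len)
        return ATTR_OOB_POLICY;   /* the read KASAN flagged inside rmnet_policy */
    (void)policy[type].type;      /* the read the real parser performs */
    return ATTR_OK;
}

/* The invariant the fix restores: maxtype == len(destination array) - 1. */
static int maxtype_matches_policy(int maxtype, size_t policy_len)
{
    return policy_len > 0 && (size_t)maxtype == policy_len - 1;
}

/* Before the fix (assumed): maxtype was the enum terminator, one past the last
 * valid index, so an attribute numbered __IFLA_RMNET_MAX passes the range check
 * and indexes past the three-entry array. */
static enum validate_result buggy_parse_of_max_attr(void)
{
    return validate_attr(__IFLA_RMNET_MAX, __IFLA_RMNET_MAX,
                         rmnet_policy, ARRAY_SIZE(rmnet_policy));
}

/* After the fix: maxtype = IFLA_RMNET_MAX, so the same attribute is ignored. */
static enum validate_result fixed_parse_of_max_attr(void)
{
    return validate_attr(__IFLA_RMNET_MAX, IFLA_RMNET_MAX,
                         rmnet_policy, ARRAY_SIZE(rmnet_policy));
}

int main(void)
{
    printf("maxtype=__IFLA_RMNET_MAX matches policy length-1: %d\n",
           maxtype_matches_policy(__IFLA_RMNET_MAX, ARRAY_SIZE(rmnet_policy)));
    printf("maxtype=IFLA_RMNET_MAX   matches policy length-1: %d\n",
           maxtype_matches_policy(IFLA_RMNET_MAX, ARRAY_SIZE(rmnet_policy)));
    printf("buggy parse of attribute %d: %s\n", __IFLA_RMNET_MAX,
           buggy_parse_of_max_attr() == ATTR_OOB_POLICY ? "out-of-bounds policy read" : "ok");
    printf("fixed parse of attribute %d: %s\n", __IFLA_RMNET_MAX,
           fixed_parse_of_max_attr() == ATTR_IGNORED ? "ignored" : "ok");
    return 0;
}
```

The same maxtype_matches_policy() check, applied to every rtnl_link_ops / nla_policy pair in a driver tree, is a cheap review-time test for this class of defect: a policy array is normally declared with exactly MAX + 1 entries, so any maxtype other than MAX is suspect.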

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with Qualcomm RMNET drivers, commonly found in embedded devices, mobile gateways, and network infrastructure equipment. The out-of-bounds read could be exploited to leak kernel memory contents, potentially exposing sensitive information or enabling further kernel-level attacks. Additionally, crafted netlink messages could trigger kernel crashes, leading to denial of service conditions impacting availability of critical network services. Organizations relying on Linux-based network appliances, IoT devices, or mobile network infrastructure could face operational disruptions or data exposure if exploited. Given the kernel-level nature of the flaw, successful exploitation could undermine system integrity and confidentiality. Although exploitation requires local or privileged access to send netlink messages, attackers who gain such access (e.g., via compromised accounts or lateral movement) could leverage this vulnerability to escalate privileges or disrupt services. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks against telecom or network providers in Europe. The vulnerability's impact is heightened in environments with stringent availability and data protection requirements, such as financial institutions, critical infrastructure, and telecom operators.

Mitigation Recommendations

European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched, ensuring the RMNET driver code includes the corrected bounds checking. Specifically, apply vendor-supplied kernel updates or mainline Linux kernel patches that fix the 'maxtype' assignment in the RMNET policy parsing code. For embedded or network devices where kernel updates are delayed or unavailable, consider implementing network segmentation and strict access controls to limit which users or processes can send netlink messages, reducing the attack surface. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory safety issues proactively. Monitor system logs for unusual rtnetlink activity or kernel warnings indicative of exploitation attempts. Additionally, restrict local user privileges to prevent unauthorized netlink message injection, and use mandatory access control frameworks (e.g., SELinux, AppArmor) to constrain network configuration operations. Conduct thorough inventory and risk assessment of Linux-based network devices using Qualcomm RMNET drivers to identify vulnerable assets and prioritize patching. Finally, maintain up-to-date incident response plans to quickly address potential kernel-level compromises.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.127Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe4123

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 9:10:06 PM

Last updated: 8/11/2025, 1:43:23 AM

