
CVE-2024-26633: Vulnerability in Linux Linux

Severity: Medium
Published: Mon Mar 18 2024 (03/18/2024, 10:07:49 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we might access garbage.

[1]
BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
 ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:451 [inline]
 ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
 ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027
 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
 pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098
 __pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655
 pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]
 pskb_may_pull include/linux/skbuff.h:2681 [inline]
 ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
 ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:451 [inline]
 ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
 ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendms
---truncated---

AI-Powered Analysis

Last updated: 06/28/2025, 02:24:47 UTC

Technical Analysis

CVE-2024-26633 is a medium-severity vulnerability in the Linux kernel's IPv6 tunneling implementation (the ip6_tunnel module). The issue is improper handling of the NEXTHDR_FRAGMENT extension header in the function ip6_tnl_parse_tlv_enc_lim(). It was found by syzbot, the kernel's fuzzing infrastructure, whose KMSAN report shows the code reading the frag_off field of the fragment header without first ensuring that enough bytes had been pulled into the skb->head buffer. The read can therefore hit uninitialized or garbage memory, which is undefined behavior. The root cause is a missing length check: the code does not verify that the fragment header is fully accessible before reading its fields, a basic memory-safety requirement for any packet parser. The result is a use of uninitialized memory that can crash the kernel or destabilize packet processing in the IPv6 tunnel code path, i.e. a denial of service (DoS). The stack traces show that the read happens during packet transmission, in ip6_tnl_start_xmit and the network device transmit routines around it, reached from a sendmsg call on a raw IPv6 socket. The vulnerability does not directly affect confidentiality or integrity; its impact is on availability. The CVSS 3.1 score is 5.5 (medium): local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and high impact on availability only (A:H). No exploits in the wild were known as of the publication date. The affected versions span multiple Linux kernel commits prior to the fix, so Linux distributions shipping affected kernel versions remain vulnerable until patched. The vulnerability is relevant to systems that use IPv6 tunneling features, which are common in modern Linux-based network infrastructure and cloud environments.
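The check the commit message describes, a length check before every field read while walking the IPv6 extension-header chain for the Tunnel Encapsulation Limit option, is modelled below in stand-alone C. This is an added, user-space illustration written for this page, not the kernel's ip6_tnl_parse_tlv_enc_lim() code: may_pull() stands in for pskb_may_pull(), the packet is a constructed 56-byte sample, and the function and constant names are hypothetical except for the next-header numbers and option type, which are the real protocol values. The model also distinguishes "truncated" from "not found", which the kernel does not do, so that the effect of the check is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 next-header numbers and the Tunnel Encapsulation Limit option type. */
#define NEXTHDR_HOP      0
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_NONE     59
#define NEXTHDR_DEST     60
#define IPV6_TLV_TNL_ENCAP_LIMIT 4
#define IPV6_HDR_LEN 40
#define FRAG_HDR_LEN 8

enum { ENCAP_LIM_NOT_FOUND = -1, ENCAP_LIM_TRUNCATED = -2 };

/* Hypothetical stand-in for pskb_may_pull(): the first `need` bytes must lie
 * inside the linear data we are allowed to read. */
static int may_pull(size_t linear_len, size_t need)
{
    return need <= linear_len;
}

/* Walk the extension-header chain and return the offset of the encap-limit
 * value byte, or ENCAP_LIM_NOT_FOUND / ENCAP_LIM_TRUNCATED. Every read of a
 * header field is preceded by a may_pull() check on the bytes it touches. */
static int parse_tlv_enc_lim(const uint8_t *pkt, size_t linear_len)
{
    size_t off = IPV6_HDR_LEN;
    uint8_t nexthdr;

    if (!may_pull(linear_len, IPV6_HDR_LEN))
        return ENCAP_LIM_TRUNCATED;
    nexthdr = pkt[6];                          /* ipv6hdr->nexthdr */

    while (nexthdr == NEXTHDR_HOP || nexthdr == NEXTHDR_ROUTING ||
           nexthdr == NEXTHDR_DEST || nexthdr == NEXTHDR_FRAGMENT) {
        size_t optlen;

        if (nexthdr == NEXTHDR_FRAGMENT) {
            /* The check the advisory is about: the whole 8-byte fragment
             * header must be present before frag_off is read. */
            if (!may_pull(linear_len, off + FRAG_HDR_LEN))
                return ENCAP_LIM_TRUNCATED;
            uint16_t frag_off = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
            if (frag_off != 0)                 /* not the first fragment: stop */
                return ENCAP_LIM_NOT_FOUND;
            optlen = FRAG_HDR_LEN;
        } else {
            /* Variable-length header: pull the 2-byte prefix, then the body. */
            if (!may_pull(linear_len, off + 2))
                return ENCAP_LIM_TRUNCATED;
            optlen = ((size_t)pkt[off + 1] + 1) << 3;   /* hdrlen is in 8-byte units, minus the first 8 */
            if (!may_pull(linear_len, off + optlen))
                return ENCAP_LIM_TRUNCATED;
        }

        if (nexthdr == NEXTHDR_DEST) {
            /* Scan the TLV options of the Destination Options header. */
            size_t i = off + 2, end = off + optlen;
            while (i < end) {
                uint8_t type = pkt[i];
                if (type == 0) { i++; continue; }          /* Pad1 */
                if (i + 1 >= end)
                    return ENCAP_LIM_NOT_FOUND;            /* malformed TLV */
                if (type == IPV6_TLV_TNL_ENCAP_LIMIT && pkt[i + 1] == 1 && i + 2 < end)
                    return (int)(i + 2);
                i += 2 + pkt[i + 1];
            }
        }
        nexthdr = pkt[off];                    /* every extension header starts with nexthdr */
        off += optlen;
    }
    return ENCAP_LIM_NOT_FOUND;
}

/* Constructed sample: IPv6 header, fragment header with the given frag_off,
 * then a Destination Options header carrying encap limit = 3 (56 bytes). */
static size_t build_sample_packet(uint8_t *buf, uint16_t frag_off)
{
    memset(buf, 0, 64);
    buf[0] = 0x60;                             /* version 6 */
    buf[6] = NEXTHDR_FRAGMENT;
    buf[40] = NEXTHDR_DEST;                    /* frag_hdr.nexthdr */
    buf[42] = (uint8_t)(frag_off >> 8);        /* frag_hdr.frag_off, network order */
    buf[43] = (uint8_t)frag_off;
    buf[48] = NEXTHDR_NONE;                    /* dest opts: nexthdr, hdrlen 0 = 8 bytes */
    buf[49] = 0;
    buf[50] = IPV6_TLV_TNL_ENCAP_LIMIT;        /* TLV: type 4, length 1, value 3 */
    buf[51] = 1;
    buf[52] = 3;
    buf[53] = 1; buf[54] = 1; buf[55] = 0;     /* PadN to the 8-byte boundary */
    return 56;
}

/* Build the sample, expose only `linear_len` bytes of it, and parse. */
static int run_scenario(size_t linear_len, uint16_t frag_off)
{
    uint8_t buf[64];
    build_sample_packet(buf, frag_off);
    return parse_tlv_enc_lim(buf, linear_len);
}

int main(void)
{
    printf("full packet:        %d\n", run_scenario(56, 0));  /* 52: offset of the value byte */
    printf("cut in frag header: %d\n", run_scenario(44, 0));  /* -2: refused before reading frag_off */
    printf("cut in dest opts:   %d\n", run_scenario(50, 0));  /* -2 */
    printf("later fragment:     %d\n", run_scenario(56, 8));  /* -1: not the first fragment */
    return 0;
}
```

The second scenario is the shape of the bug: with only 44 linear bytes, a parser that reads frag_off at offset 42 and 43 before checking that offset 48 is reachable would be reading past what was pulled, which is exactly the KMSAN uninit-value report in the description. Placing the may_pull() call before the read, as the fix does in the kernel, turns that into a clean early exit.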

Potential Impact

For European organizations, the impact of CVE-2024-26633 can be significant in environments relying on Linux servers for networking, especially those using IPv6 tunnels for VPNs, cloud connectivity, or network segmentation. A successful exploitation could lead to kernel crashes causing denial of service, disrupting critical network services or applications. This could affect data centers, telecom providers, cloud service providers, and enterprises with IPv6-enabled infrastructure. Although exploitation requires local privileges, attackers who gain limited access could escalate disruption by triggering kernel instability. This may impact availability of services, leading to operational downtime and potential financial losses. Given the widespread use of Linux in European IT infrastructure, especially in public sector, finance, and telecommunications, unpatched systems could be vulnerable to internal threat actors or attackers leveraging compromised accounts. The vulnerability does not expose data confidentiality or integrity directly but availability impacts could cascade into broader operational risks. Additionally, the reliance on IPv6 is growing in Europe, increasing the attack surface for this vulnerability. Organizations with strict uptime requirements or critical infrastructure should prioritize remediation to avoid service interruptions.

Mitigation Recommendations

1. Apply the official Linux kernel patches that fix the ip6_tunnel NEXTHDR_FRAGMENT handling as soon as possible. Monitor Linux kernel mailing lists and distribution security advisories for updated kernel packages.
2. For organizations unable to immediately patch, consider disabling IPv6 tunneling features if not in use, to reduce the attack surface.
3. Implement strict access controls and monitoring on systems with IPv6 tunneling enabled to detect abnormal kernel crashes or network anomalies.
4. Use kernel live patching solutions where available to apply fixes without downtime.
5. Conduct internal audits to identify systems running vulnerable kernel versions and prioritize patching based on criticality and exposure.
6. Harden local user access controls to prevent unauthorized local privilege escalation that could exploit this vulnerability.
7. Employ network segmentation and zero trust principles to limit lateral movement in case of partial compromise.
8. Maintain comprehensive logging and alerting on kernel errors and network stack failures to enable rapid incident response.

These measures go beyond generic advice by focusing on the specific affected kernel module, local privilege requirements, and IPv6 tunneling usage patterns.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.136Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9821c4522896dcbdd9fa

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 2:24:47 AM

Last updated: 8/6/2025, 6:36:50 PM
