
CVE-2024-26635: Vulnerability in Linux Linux

Severity: Medium
Published: Mon Mar 18 2024 (03/18/2024, 10:14:47 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

llc: Drop support for ETH_P_TR_802_2.

syzbot reported an uninit-value bug below. [0]

llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug.

  write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16)

llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes them to __llc_lookup(). However, the initialisation is done only when skb->protocol is htons(ETH_P_802_2), otherwise, __llc_lookup_established() and __llc_lookup_listener() will read garbage.

The missing initialisation existed prior to commit 211ed865108e ("net: delete all instances of special processing for token ring"). It removed the part to kick out the token ring stuff but forgot to close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().

Let's remove llc_tr_packet_type and complete the deprecation.
[0]:
BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90
 __llc_lookup_established+0xe9d/0xf90
 __llc_lookup net/llc/llc_conn.c:611 [inline]
 llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791
 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206
 __netif_receive_skb_one_core net/core/dev.c:5527 [inline]
 __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641
 netif_receive_skb_internal net/core/dev.c:5727 [inline]
 netif_receive_skb+0x58/0x660 net/core/dev.c:5786
 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x8ef/0x1490 fs/read_write.c:584
 ksys_write+0x20f/0x4c0 fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __x64_sys_write+0x93/0xd0 fs/read_write.c:646
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Local variable daddr created at:
 llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783
 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206

CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023

AI-Powered Analysis

Last updated: 06/29/2025, 21:26:57 UTC

Technical Analysis

CVE-2024-26635 is a vulnerability in the Linux kernel's Logical Link Control (LLC) networking code. The root cause is improper handling of the deprecated protocol type ETH_P_TR_802_2 (0x0011), originally used for Token Ring networks. Earlier kernel changes removed the special processing for Token Ring packets but did not fully stop ETH_P_TR_802_2 packets from being accepted. Specifically, the local variables holding the source and destination addresses (saddr, daddr) in llc_conn_handler() are initialized only when the packet protocol is ETH_P_802_2 (0x0004). When a packet tagged ETH_P_TR_802_2 is processed, these variables stay uninitialized, and __llc_lookup_established() and __llc_lookup_listener() then read uninitialized stack memory. This can cause undefined behavior, including potential memory corruption or information leakage.

The bug was found and reported by syzbot, an automated kernel fuzzer, which triggered it by writing a crafted frame through a TUN device using the deprecated protocol type. The issue was introduced after commit 211ed865108e, which removed Token Ring support but left a code path open for ETH_P_TR_802_2 packets to be processed incorrectly. The fix drops support for ETH_P_TR_802_2 entirely (removing llc_tr_packet_type) so that no uninitialized variables are used during LLC packet processing. No known exploits are currently reported in the wild. The vulnerability affects Linux kernel versions containing the referenced commit and likely subsequent versions until patched.

Because this is a kernel-level flaw in network packet processing, it could be triggered remotely if an attacker can deliver crafted packets to a vulnerable system's network interface, particularly where the system processes LLC frames or uses virtual network interfaces such as TUN/TAP, as the stack trace indicates. However, exploitation complexity may be higher because specific packet types must be crafted and the protocol is deprecated. No CVSS score is assigned yet.
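The uninitialised-key path that the description and the analysis above describe, modelled as an added userland C example (not kernel code and not from the advisory): the vulnerable handler hands the lookup a daddr that decode_da() never filled for a 0x0011 frame, beside the fixed shape in which such frames never reach the handler. The struct layouts, the GARBAGE sentinel, the constructed sample frame and all function names are simplifications assumed here.

```c
#include <stdint.h>
#include <string.h>
#define ETH_P_802_2    0x0004 /* skb->protocol value for 802.2 LLC frames */
#define ETH_P_TR_802_2 0x0011 /* deprecated Token Ring value removed by the fix */
#define GARBAGE        0xAA   /* stand-in for whatever was left on the stack */
enum verdict { LLC_DROP = 0, LLC_LOOKUP = 1 };
struct llc_addr { uint8_t mac[6]; uint8_t lsap; };
struct frame { uint16_t protocol; uint8_t dst[6], src[6], dsap, ssap; }; /* hypothetical flattened frame */
typedef enum verdict (*handler_fn)(const struct frame *, struct llc_addr *);

/* Models llc_pdu_decode_da(): only an ETH_P_802_2 frame fills the key;
 * any other protocol returns with daddr untouched. */
static void decode_da(const struct frame *f, struct llc_addr *da)
{
    if (f->protocol != ETH_P_802_2)
        return;
    memcpy(da->mac, f->dst, sizeof da->mac); da->lsap = f->dsap;
}

/* Vulnerable shape of llc_conn_handler(): daddr reaches __llc_lookup() whether or
 * not decode_da() filled it; GARBAGE stands in for real uninitialised stack (UB). */
static enum verdict handler_vulnerable(const struct frame *f, struct llc_addr *key)
{
    struct llc_addr daddr;
    memset(&daddr, GARBAGE, sizeof daddr);
    decode_da(f, &daddr);
    *key = daddr;                     /* what the lookup would be given */
    return LLC_LOOKUP;
}

/* Fixed shape: with llc_tr_packet_type unregistered, only ETH_P_802_2 frames
 * are delivered to llc_rcv(), so the lookup never sees an unfilled key. */
static enum verdict handler_fixed(const struct frame *f, struct llc_addr *key)
{
    struct llc_addr daddr;
    if (f->protocol != ETH_P_802_2)
        return LLC_DROP;
    decode_da(f, &daddr);
    *key = daddr;
    return LLC_LOOKUP;
}

/* 1 if h forwards an unfilled (GARBAGE) key to the lookup for a constructed
 * sample frame carrying the given protocol tag. */
static int unfilled_key_reaches_lookup(handler_fn h, uint16_t proto)
{
    struct frame f = { proto, {1,2,3,4,5,6}, {7,8,9,10,11,12}, 0x42, 0x43 };
    struct llc_addr key = {{0}, 0};
    return h(&f, &key) == LLC_LOOKUP && key.mac[0] == GARBAGE && key.lsap == GARBAGE;
}
```

KMSAN flags exactly this situation in the trace above: a read of daddr in __llc_lookup_established() that no store ever preceded.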

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to systems running vulnerable Linux kernel versions that have not applied the patch removing ETH_P_TR_802_2 support. The impact includes potential kernel memory corruption or information leakage, which could lead to denial of service (system crashes) or potentially privilege escalation if combined with other vulnerabilities. Since the flaw is in the kernel's network stack, exposed network-facing Linux servers, virtualized environments using TUN/TAP interfaces, and embedded devices running Linux kernels with this vulnerability are at risk. European enterprises with critical infrastructure, cloud providers, and telecommunications operators relying on Linux-based systems could face service disruptions or targeted attacks exploiting this flaw. The risk is heightened in environments where unfiltered network traffic or legacy protocols might be present. However, the lack of known exploits and the deprecated protocol's rarity reduce immediate widespread exploitation risk. Still, the vulnerability should be addressed promptly to prevent future exploitation, especially in sectors with high security requirements such as finance, energy, and government services across Europe.

Mitigation Recommendations

1. Immediate patching: Apply the latest Linux kernel updates that remove support for ETH_P_TR_802_2 and fix the uninitialized variable usage. Monitor vendor advisories for backported patches if using long-term support kernels.
2. Network filtering: Implement network-level filtering to block or drop packets with the ETH_P_TR_802_2 protocol type on perimeter and internal firewalls to reduce exposure.
3. Disable unused protocols: Audit and disable legacy or deprecated network protocols and interfaces that are not required in your environment, minimizing attack surface.
4. Harden virtual interfaces: For virtualized environments using TUN/TAP devices, ensure they are updated and properly configured to prevent injection of crafted packets exploiting this vulnerability.
5. Monitoring and detection: Deploy kernel integrity monitoring and network anomaly detection to identify unusual LLC traffic or kernel crashes that may indicate exploitation attempts.
6. Incident response readiness: Prepare to respond to potential denial of service or kernel panic incidents by maintaining backups and recovery procedures for critical Linux systems.
7. Vendor coordination: Engage with Linux distribution vendors to confirm patch availability and deployment timelines, especially for embedded or specialized Linux systems common in industrial or telecom sectors.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.136Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe4230

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 9:26:57 PM

Last updated: 7/31/2025, 7:46:38 AM

