CVE-2024-26641: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
AI Analysis
Technical Summary
CVE-2024-26641 is a vulnerability identified in the Linux kernel's IPv6 tunneling implementation, specifically within the function __ip6_tnl_rcv(). The issue arises from the kernel potentially accessing uninitialized data due to improper handling of the inner IPv6 header during packet decapsulation. The vulnerability was discovered by syzbot, an automated kernel fuzzer, which detected that __ip6_tnl_rcv() could operate on uninitialized memory, leading to undefined behavior. The root cause is the failure to call pskb_inet_may_pull() before accessing the inner header, which is necessary to ensure that the packet buffer (skb) has sufficient linear data and to prevent skb->head from being reallocated or changed. Without this call, the ipv6h variable may remain uninitialized, causing the kernel to process invalid data. This can lead to memory corruption or kernel crashes. The vulnerability is located in the IPv6 tunnel code path, which handles encapsulated IPv6 packets, commonly used in VPNs, tunneling protocols, and network virtualization. The detailed kernel stack trace shows the flow from packet reception through various IPv6 input and netfilter hooks, indicating that the flaw could be triggered by crafted network traffic. The vulnerability affects Linux kernel versions prior to the patch that introduced the call to pskb_inet_may_pull() and proper initialization of ipv6h. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. However, the nature of the flaw suggests it could be exploited remotely by sending specially crafted IPv6 tunneled packets to vulnerable systems, potentially causing denial of service or other unpredictable kernel behavior.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that utilize IPv6 tunneling features. Many enterprises and service providers in Europe rely on Linux-based infrastructure for networking, cloud services, and virtualization, where IPv6 tunnels are common for secure communication and network segmentation. Exploitation could lead to kernel crashes (denial of service), impacting availability of critical services such as web servers, VPN gateways, and cloud platforms. In worst cases, memory corruption could be leveraged for privilege escalation or arbitrary code execution, although this requires further exploitation complexity. The impact is heightened in environments with high IPv6 traffic or where IPv6 tunnels are exposed to untrusted networks. Disruption of network services could affect financial institutions, government agencies, and critical infrastructure operators across Europe, leading to operational downtime and potential data loss. Additionally, the vulnerability could be exploited as part of multi-stage attacks targeting Linux servers, which are widely deployed in European data centers and cloud environments.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch fixing CVE-2024-26641. Specifically, ensure that the kernel version includes the call to pskb_inet_may_pull() in __ip6_tnl_rcv() and proper initialization of the ipv6h variable. For environments where immediate patching is not feasible, consider disabling IPv6 tunneling features if they are not required, to reduce the attack surface. Network administrators should implement strict ingress filtering and firewall rules to block unsolicited or suspicious IPv6 tunneled packets from untrusted sources. Monitoring network traffic for anomalies related to IPv6 tunnels can help detect exploitation attempts. Additionally, applying kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and enabling kernel lockdown features can mitigate exploitation risks. Regular vulnerability scanning and penetration testing focusing on IPv6 tunnel handling should be conducted to identify potential weaknesses. Finally, maintain up-to-date incident response plans to quickly address any exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-26641: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
AI-Powered Analysis
Technical Analysis
CVE-2024-26641 is a vulnerability identified in the Linux kernel's IPv6 tunneling implementation, specifically within the function __ip6_tnl_rcv(). The issue arises from the kernel potentially accessing uninitialized data due to improper handling of the inner IPv6 header during packet decapsulation. The vulnerability was discovered by syzbot, an automated kernel fuzzer, which detected that __ip6_tnl_rcv() could operate on uninitialized memory, leading to undefined behavior. The root cause is the failure to call pskb_inet_may_pull() before accessing the inner header, which is necessary to ensure that the packet buffer (skb) has sufficient linear data and to prevent skb->head from being reallocated or changed. Without this call, the ipv6h variable may remain uninitialized, causing the kernel to process invalid data. This can lead to memory corruption or kernel crashes. The vulnerability is located in the IPv6 tunnel code path, which handles encapsulated IPv6 packets, commonly used in VPNs, tunneling protocols, and network virtualization. The detailed kernel stack trace shows the flow from packet reception through various IPv6 input and netfilter hooks, indicating that the flaw could be triggered by crafted network traffic. The vulnerability affects Linux kernel versions prior to the patch that introduced the call to pskb_inet_may_pull() and proper initialization of ipv6h. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. However, the nature of the flaw suggests it could be exploited remotely by sending specially crafted IPv6 tunneled packets to vulnerable systems, potentially causing denial of service or other unpredictable kernel behavior.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that utilize IPv6 tunneling features. Many enterprises and service providers in Europe rely on Linux-based infrastructure for networking, cloud services, and virtualization, where IPv6 tunnels are common for secure communication and network segmentation. Exploitation could lead to kernel crashes (denial of service), impacting availability of critical services such as web servers, VPN gateways, and cloud platforms. In worst cases, memory corruption could be leveraged for privilege escalation or arbitrary code execution, although this requires further exploitation complexity. The impact is heightened in environments with high IPv6 traffic or where IPv6 tunnels are exposed to untrusted networks. Disruption of network services could affect financial institutions, government agencies, and critical infrastructure operators across Europe, leading to operational downtime and potential data loss. Additionally, the vulnerability could be exploited as part of multi-stage attacks targeting Linux servers, which are widely deployed in European data centers and cloud environments.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch fixing CVE-2024-26641. Specifically, ensure that the kernel version includes the call to pskb_inet_may_pull() in __ip6_tnl_rcv() and proper initialization of the ipv6h variable. For environments where immediate patching is not feasible, consider disabling IPv6 tunneling features if they are not required, to reduce the attack surface. Network administrators should implement strict ingress filtering and firewall rules to block unsolicited or suspicious IPv6 tunneled packets from untrusted sources. Monitoring network traffic for anomalies related to IPv6 tunnels can help detect exploitation attempts. Additionally, applying kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and enabling kernel lockdown features can mitigate exploitation risks. Regular vulnerability scanning and penetration testing focusing on IPv6 tunnel handling should be conducted to identify potential weaknesses. Finally, maintain up-to-date incident response plans to quickly address any exploitation attempts.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.137Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982bc4522896dcbe4260
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:39:32 PM
Last updated: 7/29/2025, 12:05:02 AM
Views: 9
Related Threats
CVE-2025-8988: SQL Injection in SourceCodester COVID 19 Testing Management System
MediumCVE-2025-8987: SQL Injection in SourceCodester COVID 19 Testing Management System
MediumCVE-2025-8986: SQL Injection in SourceCodester COVID 19 Testing Management System
MediumCVE-2025-31987: CWE-405 Asymmetric Resource Consumption in HCL Software Connections Docs
MediumCVE-2025-8985: SQL Injection in SourceCodester COVID 19 Testing Management System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.