CVE-2024-26733: Vulnerability in the Linux kernel (arp: Prevent overflow in arp_req_get())
Description
In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get().

syzkaller reported an overflown write in arp_req_get(). [0]

When ioctl(SIOCGARP) is issued, arp_req_get() looks up a neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.

The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes.

In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem.

However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get().

To avoid the overflow, let's limit the max length of memcpy().

Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller.

[0]:
memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Modules linked in:
CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
FS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
 sock_do_ioctl+0xdf/0x260 net/socket.c:1204
 sock_ioctl+0x3ef/0x650 net/socket.c:1321
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7f172b262b8d
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
 </TASK>
AI Analysis
Technical Summary
CVE-2024-26733 is an out-of-bounds write in the Linux kernel's IPv4 ARP code, in arp_req_get() (net/ipv4/arp.c). The function services ioctl(SIOCGARP) on an AF_INET socket: arp_ioctl() copies the caller's struct arpreq from user space into a local variable, looks up the neighbour entry for the requested protocol address on the chosen device, fills in the hardware address with memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len), and copies the struct back. Unlike SIOCSARP and SIOCDARP, SIOCGARP is not gated on CAP_NET_ADMIN, so any local process that can open a socket can reach this path; it does need a neighbour entry to already exist for the address it asks about.

The destination, arp_ha, is a plain struct sockaddr whose sa_data holds 14 bytes, while dev->addr_len can be as large as MAX_ADDR_LEN (32). struct arpreq lays out arp_pa, arp_ha, an int arp_flags, arp_netmask and arp_dev in that order, so sa_data starts at byte 18, arp_flags at byte 32 and arp_netmask at byte 36. In the reported splat the device had a 16-byte address: 2 bytes spilled into arp_flags, which is harmless because arp_flags is assigned right after the copy. With longer addresses the write continues into arp_netmask; the netmask value itself (sin_addr, 4 bytes into that sockaddr) is clobbered once addr_len exceeds 22, which is the threshold the commit message gives. arp_ioctl() has set that field to htonl(0xFFFFFFFF) when the caller did not pass ATF_NETMASK, so the caller gets back a corrupted netmask. Even at MAX_ADDR_LEN the write ends 14 bytes into arp_netmask and stays inside struct arpreq; it does not reach arp_dev or anything beyond the local struct.

The "memcpy: detected field-spanning write" warning comes from CONFIG_FORTIFY_SOURCE, which is how syzkaller caught the bug on a 6.1.74 kernel. Commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") did not fix it: turning sa_data into a flexible array member removes the field size FORTIFY checks against, so the same copy stops warning but still overwrites the neighbouring fields. The fix bounds the copy to min(dev->addr_len, sizeof(r->arp_ha.sa_data)). Kernels that still carry the unbounded memcpy() in arp_req_get() are affected; the fix went into mainline and the stable series, so compare against your distribution's advisory for the fixed package rather than a mainline version number. No exploitation in the wild had been reported as of the CVE's publication (April 3, 2024), and the record carries no CVSS score.
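To make the field arithmetic above concrete, the following is an added example written for this page; it is not code from the kernel or from the advisory. It rebuilds the struct arpreq layout of include/uapi/linux/if_arp.h in user space (the names sockaddr_model, arpreq_model, netmask_after_copy and corrupts_netmask_value are this example's own), then replays the unbounded copy of the unpatched arp_req_get() next to the bounded copy of the fix and reports what happens to the netmask value for several hardware-address lengths. The hardware address is a constructed all-0xAA buffer standing in for neigh->ha.

```c
/*
 * Added example (not kernel code): a user-space model of struct arpreq from
 * include/uapi/linux/if_arp.h, used to replay the unbounded memcpy() of the
 * unpatched arp_req_get() next to the bounded copy applied by the fix.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ     16
#define MAX_ADDR_LEN 32   /* largest dev->addr_len the kernel allows */

/* Same shape as the UAPI struct sockaddr: 2-byte family + 14-byte payload. */
struct sockaddr_model {
    uint16_t sa_family;
    char     sa_data[14];
};

/* Same field order and types as the UAPI struct arpreq (68 bytes). */
struct arpreq_model {
    struct sockaddr_model arp_pa;      /* offset  0 */
    struct sockaddr_model arp_ha;      /* offset 16, sa_data at 18 */
    int                   arp_flags;   /* offset 32 */
    struct sockaddr_model arp_netmask; /* offset 36, sin_addr at 40 */
    char                  arp_dev[IFNAMSIZ];
};

/* sockaddr_in places sin_addr 4 bytes into the sockaddr, after family and port. */
#define NETMASK_VALUE_OFF (offsetof(struct arpreq_model, arp_netmask) + 4)
#define HA_DATA_OFF        offsetof(struct arpreq_model, arp_ha.sa_data)

/* arp_ioctl() forces the netmask to 255.255.255.255 when ATF_NETMASK is unset. */
static void set_default_netmask(struct arpreq_model *r)
{
    uint32_t all_ones = 0xFFFFFFFFu;
    memcpy((unsigned char *)r + NETMASK_VALUE_OFF, &all_ones, sizeof(all_ones));
}

static uint32_t get_netmask(const struct arpreq_model *r)
{
    uint32_t v;
    memcpy(&v, (const unsigned char *)r + NETMASK_VALUE_OFF, sizeof(v));
    return v;
}

/* Unpatched: dev->addr_len bytes land in a 14-byte field. The kernel writes
 * through r->arp_ha.sa_data; this model writes through the enclosing struct so
 * the bytes land in the same place without tripping user-space FORTIFY checks. */
static void arp_req_get_vulnerable(struct arpreq_model *r,
                                   const unsigned char *ha, size_t addr_len)
{
    memcpy((unsigned char *)r + HA_DATA_OFF, ha, addr_len);
    r->arp_flags = 0;   /* assigned after the copy, so a 2-byte spill here is harmless */
}

/* Patched: copy no more than the field holds, i.e. min(addr_len, 14). */
static void arp_req_get_fixed(struct arpreq_model *r,
                              const unsigned char *ha, size_t addr_len)
{
    size_t cap = sizeof(r->arp_ha.sa_data);
    memcpy(r->arp_ha.sa_data, ha, addr_len < cap ? addr_len : cap);
    r->arp_flags = 0;
}

/* True when an address of addr_len bytes reaches the netmask value:
 * 18 + addr_len > 40, i.e. addr_len > 22, the threshold in the commit message. */
static int corrupts_netmask_value(size_t addr_len)
{
    return HA_DATA_OFF + addr_len > NETMASK_VALUE_OFF;
}

/* Runs one variant on a constructed all-0xAA hardware address and returns the
 * netmask that would be copied back to user space. 0xFFFFFFFF means intact. */
static uint32_t netmask_after_copy(int fixed, size_t addr_len)
{
    struct arpreq_model r;
    unsigned char ha[MAX_ADDR_LEN];

    if (addr_len > MAX_ADDR_LEN)
        addr_len = MAX_ADDR_LEN;
    memset(&r, 0, sizeof(r));
    memset(ha, 0xAA, sizeof(ha));   /* constructed neigh->ha contents */
    set_default_netmask(&r);
    if (fixed)
        arp_req_get_fixed(&r, ha, addr_len);
    else
        arp_req_get_vulnerable(&r, ha, addr_len);
    return get_netmask(&r);
}

int main(void)
{
    size_t lens[] = { 6, 16, 20, 22, 23, MAX_ADDR_LEN };
    size_t i;

    printf("sa_data at %zu, arp_flags at %zu, arp_netmask at %zu, sizeof arpreq %zu\n",
           (size_t)HA_DATA_OFF, offsetof(struct arpreq_model, arp_flags),
           offsetof(struct arpreq_model, arp_netmask), sizeof(struct arpreq_model));
    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("addr_len %2zu: vulnerable netmask 0x%08x, fixed netmask 0x%08x, reaches netmask value: %s\n",
               lens[i], netmask_after_copy(0, lens[i]), netmask_after_copy(1, lens[i]),
               corrupts_netmask_value(lens[i]) ? "yes" : "no");
    return 0;
}
```

Compile with `cc -O2 -Wall` and run: the vulnerable variant keeps the netmask at 0xFFFFFFFF for 6, 16, 20 and 22-byte addresses (the 16-byte case is the splat, where only arp_flags is hit), corrupts it from 23 bytes on and returns 0xAAAAAAAA at MAX_ADDR_LEN, while the fixed variant returns 0xFFFFFFFF throughout. The offsets printed first are what the 22-byte threshold in the commit message falls out of.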
Potential Impact
This is a local issue with a narrowly bounded effect. The overflow is at most 18 bytes past the end of sa_data (MAX_ADDR_LEN minus 14) and lands only in the arp_flags and arp_netmask fields of the same struct arpreq on arp_ioctl()'s stack, which is then copied back to the caller. On its own it therefore corrupts the ioctl result rather than kernel state: the caller can receive a wrong arp_netmask and, on kernels built with FORTIFY_SOURCE, every such call logs a WARNING. Nothing in the record supports arbitrary code execution or privilege escalation from this write alone. The practical availability concern is kernel.panic_on_warn: on systems booted with it (standard in fuzzing setups and some hardened deployments), an unprivileged local user who can trigger the warning crashes the host.

Reaching the bug needs a device whose addr_len exceeds 14 bytes for the warning, and 22 for the netmask corruption, plus an existing neighbour entry on that device. Ethernet addresses are 6 bytes and IPoIB addresses 20, so on most servers the bug is either unreachable or limited to the harmless spill into arp_flags; hosts with tunnel or other link types that advertise longer hardware addresses are the ones to check. For European organisations the exposure is therefore highest in multi-tenant settings such as hosting and cloud platforms, where untrusted local code runs on shared kernels. The kernel's own ARP table is not modified by the bug, so network operation is not affected beyond a possible panic-on-warn crash.
Mitigation Recommendations
Apply the kernel update that carries the arp_req_get() bound (the memcpy() now copies at most sizeof(sa_data) bytes). Distribution kernels list CVE-2024-26733 in their advisories, so compare the running kernel (uname -r) against the fixed package version rather than a mainline version number. Where patching must wait: confine untrusted workloads so they cannot issue SIOCGARP, for example with a seccomp profile that denies ioctl with request 0x8954 (the value visible in RSI in the splat) or with SELinux or AppArmor policy on the relevant processes; check whether any interface even has a long enough address by reading /sys/class/net/*/addr_len, where values above 22 reach arp_netmask and values above 14 merely trigger the warning; and review whether kernel.panic_on_warn is set, since that setting turns the warning into a local denial of service. KASLR and KPTI are sound baseline hardening but do not change the outcome of this bounded write. For detection, alert on kernel log lines containing "memcpy: detected field-spanning write" that reference net/ipv4/arp.c and on WARNING splats from arp_req_get(); note that kernels carrying commit b5f0de6df6dc no longer emit the warning, so an empty log does not prove the bug is absent. Keep kernel vulnerability management and rapid patch rollout in the incident response plan, particularly for multi-tenant platforms.
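As an added check for the addr_len audit step above (example code written for this page, not part of the advisory or of any kernel tooling): the program reads addr_len for every interface under /sys/class/net and flags any above 22, the length from which the netmask value in struct arpreq is reached. The helper names are this example's own; the 6 and 20 byte figures in the comments are the Ethernet and IPoIB address lengths as the kernel defines them. It returns -1 when sysfs is not available, so it degrades cleanly on a non-Linux host or in a sandbox.

```c
/*
 * Added example (not from the advisory or the kernel): walk /sys/class/net and
 * report interfaces whose hardware address length exceeds a threshold. With the
 * threshold set to 22, a hit means ioctl(SIOCGARP) against a neighbour on that
 * device can overwrite arp_netmask on an unpatched kernel. Ethernet is 6 bytes
 * and IPoIB 20, so a typical server reports nothing.
 */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYSFS_NET "/sys/class/net"
#define NETMASK_THRESHOLD 22   /* from the commit message: addr_len > 22 reaches arp_netmask */

/* Parses the decimal contents of an addr_len file ("6\n", "20\n"); -1 on garbage
 * or on a value outside 0..32, since the kernel caps addr_len at MAX_ADDR_LEN. */
static int parse_addr_len(const char *text)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v < 0 || v > 32)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    return *end == '\0' ? (int)v : -1;
}

/* Reads <sysfs_net>/<ifname>/addr_len; -1 if unreadable or malformed. */
static int read_addr_len(const char *sysfs_net, const char *ifname)
{
    char path[512], buf[32];
    FILE *f;
    size_t n;

    snprintf(path, sizeof(path), "%s/%s/addr_len", sysfs_net, ifname);
    f = fopen(path, "r");
    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_addr_len(buf);
}

/* Prints every interface above the threshold and returns how many there were,
 * or -1 if the sysfs directory cannot be opened (non-Linux host, sandbox). */
static int report_long_addr_devices(const char *sysfs_net, int threshold)
{
    DIR *d = opendir(sysfs_net);
    struct dirent *e;
    int flagged = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        int len;

        if (e->d_name[0] == '.')
            continue;
        len = read_addr_len(sysfs_net, e->d_name);
        if (len > threshold) {
            printf("%s: addr_len %d exceeds %d\n", e->d_name, len, threshold);
            flagged++;
        }
    }
    closedir(d);
    return flagged;
}

int main(void)
{
    int n = report_long_addr_devices(SYSFS_NET, NETMASK_THRESHOLD);

    if (n < 0) {
        fprintf(stderr, "cannot open %s\n", SYSFS_NET);
        return 1;
    }
    printf("%d interface(s) with addr_len > %d\n", n, NETMASK_THRESHOLD);
    return 0;
}
```

Lower the threshold to 14 to list the interfaces that can at least trigger the FORTIFY warning, which matters on hosts running with panic_on_warn. The check only says whether the precondition exists; a flagged interface still needs a neighbour entry for an SIOCGARP call to reach the copy.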
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.165Z
- CISA Enriched: true
- CVSS Version: null (no CVSS score in the record)
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3993
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 5:56:20 PM
Last updated: 7/30/2025, 9:41:22 PM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)