CVE-2024-26754: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()

The gtp_net_ops pernet operations structure for the subsystem must be registered before registering the generic netlink family.

Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:

general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
RIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]
Code: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86 df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74
RSP: 0018:ffff888014107220 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? show_regs+0x90/0xa0
 ? die_addr+0x50/0xd0
 ? exc_general_protection+0x148/0x220
 ? asm_exc_general_protection+0x22/0x30
 ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]
 ? __alloc_skb+0x1dd/0x350
 ? __pfx___alloc_skb+0x10/0x10
 genl_dumpit+0x11d/0x230
 netlink_dump+0x5b9/0xce0
 ? lockdep_hardirqs_on_prepare+0x253/0x430
 ? __pfx_netlink_dump+0x10/0x10
 ? kasan_save_track+0x10/0x40
 ? __kasan_kmalloc+0x9b/0xa0
 ? genl_start+0x675/0x970
 __netlink_dump_start+0x6fc/0x9f0
 genl_family_rcv_msg_dumpit+0x1bb/0x2d0
 ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10
 ? genl_op_from_small+0x2a/0x440
 ? cap_capable+0x1d0/0x240
 ? __pfx_genl_start+0x10/0x10
 ? __pfx_genl_dumpit+0x10/0x10
 ? __pfx_genl_done+0x10/0x10
 ? security_capable+0x9d/0xe0
AI Analysis
Technical Summary
CVE-2024-26754 is a vulnerability in the Linux kernel's GTP (GPRS Tunneling Protocol) subsystem, specifically in the gtp_genl_dump_pdp() function. The flaw is a use-after-free and null pointer dereference triggered while dumping PDP (Packet Data Protocol) contexts over generic netlink. It arises because the gtp_net_ops pernet operations structure is registered after, rather than before, the generic netlink family, so the subsystem's per-network-namespace state is not guaranteed to exist when the dump handler runs. The result is a general protection fault and kernel crash, as the kernel log above shows: a KASAN-reported null pointer dereference in gtp_genl_dump_pdp. The issue was found by Syzkaller, a kernel fuzzer, which indicates that malformed or unexpected netlink messages are enough to trigger it. The vulnerability affects Linux kernel versions prior to the fix applied around the 6.8.0-rc3 release cycle. No public exploits are known in the wild, but an attacker able to send crafted netlink messages to the kernel's GTP subsystem could crash the kernel and cause a denial of service (DoS). The flaw does not appear to allow privilege escalation or arbitrary code execution directly, but it affects system stability and availability. GTP is used mainly in mobile network infrastructure and in devices that tunnel mobile data, such as cellular base stations, mobile routers and network gateways. Exploitation requires local or network access to the affected subsystem, depending on how the Linux kernel with GTP enabled is deployed.
Potential Impact
For European organizations, the impact of CVE-2024-26754 could be significant in sectors relying on Linux-based infrastructure for mobile network operations, telecommunications, and IoT devices that utilize GTP for data tunneling. Telecommunications providers operating 4G/5G core network components running Linux kernels with GTP support are at risk of service disruption due to kernel crashes triggered by this vulnerability. This could lead to denial of service conditions affecting mobile data services, impacting customer experience and potentially causing regulatory compliance issues. Enterprises using Linux-based network appliances or embedded systems with GTP enabled could face operational outages or degraded network performance. Additionally, critical infrastructure entities that depend on mobile communication networks for operational continuity may experience interruptions. Although no privilege escalation is indicated, the ability to cause kernel panics remotely or locally can be leveraged in targeted attacks to disrupt services or as part of a multi-stage attack chain. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure. The vulnerability's impact on confidentiality and integrity is limited; however, availability is notably affected, which is critical for service providers and enterprises relying on continuous network uptime.
Mitigation Recommendations
To mitigate CVE-2024-26754, European organizations should prioritize updating their Linux kernel to the latest stable release that includes the patch fixing the gtp_genl_dump_pdp() vulnerability. Kernel upgrades should be tested in controlled environments to ensure compatibility with existing network infrastructure. For systems where immediate kernel updates are not feasible, organizations should consider disabling the GTP kernel module if it is not required for their operations to eliminate the attack surface. Network segmentation and strict access controls should be enforced to limit exposure of the GTP subsystem to untrusted networks or users. Monitoring and logging of netlink communications can help detect anomalous or malformed messages that may indicate exploitation attempts. Telecommunications providers should coordinate with vendors and upstream Linux maintainers to receive timely patches and advisories. Additionally, implementing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) and enabling kernel lockdown features can reduce the risk of exploitation. Incident response plans should include procedures for rapid kernel patch deployment and system recovery in case of exploitation-induced crashes.
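As an added example (not part of the advisory), a POSIX shell script for the module-disabling step above: it reports whether gtp is loaded or installed for the running kernel and prints a modprobe.d stanza that blocks it. The stanza pairs `blacklist` with `install gtp /bin/false`, because blacklist alone only suppresses alias-based autoloading and does not stop an explicit or on-demand load request; the script assumes the standard /proc/modules and /lib/modules layout.

```shell
#!/bin/sh
# Added example, not from the advisory: reduce exposure to CVE-2024-26754 by
# checking for the gtp module and generating a modprobe.d stanza to block it.
set -eu

# gtp_loaded TEXT: exit 0 if TEXT (in /proc/modules format:
# "name size refcount deps state address") lists gtp itself as loaded.
gtp_loaded() {
    printf '%s\n' "$1" | awk '$1 == "gtp" { found = 1 } END { exit !found }'
}

# gtp_available [KVER]: exit 0 if a gtp.ko* file exists for the kernel, i.e.
# the module could still be loaded on demand even though it is not loaded now.
gtp_available() {
    kver="${1:-$(uname -r)}"
    find "/lib/modules/$kver" -name 'gtp.ko*' 2>/dev/null | grep -q .
}

# gtp_disable_stanza: print the modprobe.d content. "blacklist" only ignores
# the module's internal aliases; "install gtp /bin/false" makes every load
# request for the module fail, which is what actually removes the surface.
gtp_disable_stanza() {
    cat <<'EOF'
# Disable the GTP kernel module (CVE-2024-26754 exposure reduction).
# Remove this file if GTP tunnelling is required on this host.
blacklist gtp
install gtp /bin/false
EOF
}

# Report the current state and print the proposed configuration (nothing is written).
main() {
    modules="$(cat /proc/modules 2>/dev/null || true)"
    if gtp_loaded "$modules"; then
        echo "gtp is loaded: unload with 'rmmod gtp' once no GTP devices remain"
    elif gtp_available "$@"; then
        echo "gtp is not loaded but is installed and could be autoloaded"
    else
        echo "gtp module not found for this kernel"
    fi
    echo "Proposed /etc/modprobe.d/disable-gtp.conf:"
    gtp_disable_stanza
}

main "$@"
```

Redirect the stanza into /etc/modprobe.d/ as root once you have confirmed that no service on the host depends on GTP.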
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.170Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3a6a
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 6:11:28 PM
Last updated: 8/11/2025, 7:34:36 PM