CVE-2024-26803: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: veth: clear GRO when clearing XDP even when down

veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery.

The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features.

Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances.

We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer.

Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.
AI Analysis
Technical Summary
CVE-2024-26803 is a vulnerability in the Linux kernel's virtual Ethernet (veth) driver related to the handling of Generic Receive Offload (GRO) flags when the eXpress Data Path (XDP) feature is enabled or disabled. The veth driver automatically sets the NETIF_F_GRO flag when XDP is enabled because both features share the same NAPI (New API) machinery for packet processing. The vulnerability arises from flawed logic in the veth_disable_xdp() function, which is responsible for clearing the GRO flag. This function is called both when the network device is stopped (ndo_stop) and when XDP is disabled. To prevent clearing the GRO flag when the device is down, the code skips clearing if the interface is not up (IFF_UP flag not set). However, this logic also skips clearing the GRO flag when XDP is disabled while the device is down, leading to a state where the GRO flag remains set without corresponding NAPI instances being active. This inconsistency causes a 'stray' GRO flag. Although the data path does not rely on the GRO flag, the system will crash or hang the next time the device features are synchronized, such as when a user runs ethtool or a peer changes its configuration. During synchronization, the GRO flag is cleared, and veth attempts to disable NAPI instances that were never created, resulting in either a hang in napi_disable() if NAPI was previously initialized or a crash when stopping an uninitialized hrtimer. The patch moves GRO flag updates exclusively to the XDP enable/disable paths, decoupling them from the device open/close paths, thereby preventing the flag from becoming inconsistent with the actual NAPI state. This vulnerability affects Linux kernel versions identified by the commit hash d3256efd8e8b234a6251e4d4580bd2c3c31fdc4c and was published on April 4, 2024. No known exploits are currently reported in the wild.
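The flag/NAPI mismatch described above can be followed in a small user-space state model. This is an added example, not kernel code or the upstream patch: the struct, the function names and the `fixed` switch are hypothetical, and the model assumes the user never requested GRO explicitly.

```c
#include <stdbool.h>

/* Simplified user-space model; hypothetical names, not kernel code. */
struct veth_model {
    bool up;    /* IFF_UP */
    bool xdp;   /* XDP program attached */
    bool gro;   /* NETIF_F_GRO present in the feature set */
    bool napi;  /* NAPI instances exist */
};

/* Open creates NAPI only when XDP is on; stop drops NAPI, keeps features. */
static void dev_open(struct veth_model *d) { d->up = true; d->napi = d->xdp; }
static void dev_stop(struct veth_model *d) { d->up = false; d->napi = false; }

static void xdp_attach(struct veth_model *d) {
    d->xdp = true;
    d->gro = true;                      /* set automatically with XDP */
    if (d->up) d->napi = true;
}

/* fixed=false: flag cleared only while IFF_UP (logic before the fix).
 * fixed=true:  flag cleared on every XDP disable (logic after the fix). */
static void xdp_detach(struct veth_model *d, bool fixed) {
    d->xdp = false;
    if (d->up) d->napi = false;
    if (fixed || d->up) d->gro = false;
}

/* Feature sync drops a GRO flag that XDP no longer justifies and disables
 * NAPI. Returns -1 where the driver would touch NAPI that was never created. */
static int features_sync(struct veth_model *d) {
    if (!d->gro || d->xdp) return 0;
    d->gro = false;
    if (!d->napi) return -1;
    d->napi = false;
    return 0;
}

/* up, attach XDP, [detach], down, [detach while down], up, feature sync */
int run_sequence(bool fixed, bool detach_while_down) {
    struct veth_model d = {0};
    dev_open(&d); xdp_attach(&d);
    if (!detach_while_down) xdp_detach(&d, fixed);
    dev_stop(&d);
    if (detach_while_down) xdp_detach(&d, fixed);
    dev_open(&d);
    return features_sync(&d);
}

int main(void) { return (run_sequence(false, true) == -1 && run_sequence(true, true) == 0) ? 0 : 1; }
```

Only the combination of the old clearing logic and a detach while the device is down leaves the model with a GRO flag and no NAPI at sync time; every other ordering returns 0.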
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected veth driver implementation, especially those utilizing XDP for high-performance packet processing in containerized or virtualized environments. The impact includes potential system crashes or hangs triggered by routine network configuration changes or feature synchronizations, leading to denial of service (DoS) conditions. This can disrupt critical network functions, affecting availability and potentially causing downtime in data centers, cloud infrastructure, or enterprise networks relying on Linux-based networking stacks. Since veth interfaces are commonly used in container networking (e.g., Docker, Kubernetes), organizations leveraging container orchestration may experience service interruptions. Confidentiality and integrity impacts are minimal as the vulnerability does not directly allow code execution or privilege escalation but could indirectly affect availability. The lack of known exploits reduces immediate risk, but the complexity of the bug means that inadvertent network configuration changes could trigger instability, complicating network management and operational continuity.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the patched version that addresses CVE-2024-26803 as soon as it becomes available from their Linux distribution vendors. Specifically, kernel updates that move GRO flag management exclusively to XDP enable/disable paths should be applied. In the interim, administrators should avoid disabling XDP while the veth device is down and minimize network interface state changes that could trigger feature synchronization. Monitoring tools should be enhanced to detect unusual network interface state transitions or crashes related to veth devices. Container orchestration platforms should be configured to limit disruptive network reconfigurations and ensure rolling updates to kernel versions. Additionally, organizations should audit their use of veth interfaces and XDP to assess exposure and consider isolating critical workloads from affected kernel versions. Implementing robust backup and recovery procedures will help mitigate downtime caused by potential crashes. Finally, maintaining close communication with Linux distribution security advisories and applying vendor patches promptly is essential.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.179Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe3c44
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 6:55:02 PM
Last updated: 8/4/2025, 12:59:21 PM