
CVE-2024-26805: Vulnerability in the Linux kernel

Severity: High
Published: Thu Apr 04 2024 (04/04/2024, 08:20:32 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter

syzbot reported the following uninit-value access issue [1]:

netlink_to_full_skb() creates a new `skb` and puts the `skb->data` passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data size is specified as `len` and passed to skb_put_data(). This `len` is based on `skb->end` that is not data offset but buffer offset. The `skb->end` contains data and tailroom. Since the tailroom is not initialized when the new `skb` is created, KMSAN detects uninitialized memory area when copying the data.

This patch resolves this issue by correcting the len from `skb->end` to `skb->len`, which is the actual data offset.

BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_ubuf include/linux/iov_iter.h:29 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
 iterate_and_advance include/linux/iov_iter.h:271 [inline]
 _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
 copy_to_iter include/linux/uio.h:197 [inline]
 simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532
 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420
 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
 packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg net/socket.c:1066 [inline]
 sock_read_iter+0x467/0x580 net/socket.c:1136
 call_read_iter include/linux/fs.h:2014 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x8f6/0xe00 fs/read_write.c:470
 ksys_read+0x20f/0x4c0 fs/read_write.c:613
 __do_sys_read fs/read_write.c:623 [inline]
 __se_sys_read fs/read_write.c:621 [inline]
 __x64_sys_read+0x93/0xd0 fs/read_write.c:621
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was stored to memory at:
 skb_put_data include/linux/skbuff.h:2622 [inline]
 netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]
 __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]
 __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325
 netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]
 netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 free_pages_prepare mm/page_alloc.c:1087 [inline]
 free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347
 free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533
 release_pages+0x23d3/0x2410 mm/swap.c:1042
 free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316
 tlb_batch_pages ---truncated---

AI-Powered Analysis

Last updated: 06/28/2025, 02:39:57 UTC

Technical Analysis

CVE-2024-26805 is an uninitialized-memory information leak in the Linux kernel's netlink subsystem. The defect is in netlink_to_full_skb(), the helper that duplicates each netlink message for the netlink tap so that monitoring tools can observe netlink traffic; the duplicate is what a netlink monitor (nlmon) interface hands to AF_PACKET readers. The copy length was derived from skb->end, the offset of the end of the underlying buffer measured from skb->head, instead of skb->len, the number of payload bytes the sender actually wrote. Because skb->end also spans the tailroom that alloc_skb() leaves after the payload, and nothing writes that tailroom before the copy, skb_put_data() copies stale memory into the tap copy. KMSAN labels the report kernel-infoleak-after-free because the stale bytes came from pages that had been freed ("Uninit was created at: free_pages_prepare"): the tailroom still held whatever the previous owner of those pages left there. The two halves of the trace show the full path. The bytes are planted when a process sends a netlink message to the kernel (netlink_sendmsg -> netlink_unicast_kernel -> netlink_deliver_tap_kernel -> netlink_to_full_skb), and they reach user space when a reader receives the tap copy through an AF_PACKET socket (packet_recvmsg -> skb_copy_datagram_iter -> __skb_datagram_iter). __skb_datagram_iter(), named in the patch title, is only where the copy to user space is observed, not where the bug is. The fix changes the length to skb->len so that only bytes the sender wrote are copied. Triggering the leak therefore requires a netlink message being delivered while a tap is registered in that network namespace and a consumer reading the tap copy; no authentication beyond that is involved, and no user interaction. No exploits in the wild are reported as of the publication date. The exposed data are arbitrary stale kernel memory, not attacker-chosen bytes, which makes this a confidentiality bug that can disclose kernel pointers (undermining KASLR) or fragments of other data; the bug does not corrupt memory by itself.
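To make the length confusion concrete, the following C program is an added example written for this page; it is not kernel code and not the patch. It models in user space only the sk_buff fields the bug touches (head, data, len, end), fills the tailroom with a marker byte to stand in for the stale contents of freed pages that KMSAN flagged, and implements netlink_to_full_skb() both ways: with the pre-patch length (skb->end, the buffer size from head) and with the patched length (skb->len). Every name carrying the model_ prefix, STALE_BYTE and tap_leak_for() are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the sk_buff fields involved (assumption, not the
 * kernel struct): one allocation [head, head+end); the payload occupies
 * data .. data+len and the tailroom follows it.  Headroom is zero here,
 * as for the netlink skbs in the report, so data == head. */
struct model_skb {
    unsigned char *head;
    unsigned char *data;
    unsigned int len;   /* valid payload bytes (kernel: skb->len) */
    unsigned int end;   /* buffer end offset from head (kernel: skb_end_offset()) */
};

/* Marker standing in for whatever a freed page's previous owner left behind. */
#define STALE_BYTE 0xAA

static struct model_skb *model_skb_alloc(unsigned int size)
{
    struct model_skb *skb = calloc(1, sizeof *skb);
    if (!skb) return NULL;
    skb->head = malloc(size ? size : 1);
    if (!skb->head) { free(skb); return NULL; }
    /* A real allocator does not clear this memory; the KMSAN report traces
     * it back to free_pages_prepare(), i.e. reused pages. */
    memset(skb->head, STALE_BYTE, size);
    skb->data = skb->head;
    skb->len = 0;
    skb->end = size;
    return skb;
}

static void model_skb_free(struct model_skb *skb)
{
    if (skb) { free(skb->head); free(skb); }
}

/* Model of skb_put_data(): append n bytes after the current payload. */
static unsigned char *model_skb_put_data(struct model_skb *skb, const void *src, unsigned int n)
{
    unsigned char *dst = skb->data + skb->len;
    memcpy(dst, src, n);
    skb->len += n;
    return dst;
}

/* Model of netlink_to_full_skb(): duplicate src into a fresh skb for the tap.
 * use_end_offset = 1 reproduces the pre-patch length (skb->end);
 * use_end_offset = 0 is the patched computation (skb->len). */
static struct model_skb *model_netlink_to_full_skb(const struct model_skb *src, int use_end_offset)
{
    unsigned int len = use_end_offset ? src->end : src->len;
    struct model_skb *copy = model_skb_alloc(len);
    if (!copy) return NULL;
    /* With the buggy len this reads src->len payload bytes followed by
     * (src->end - src->len) bytes of src's tailroom that nobody wrote. */
    model_skb_put_data(copy, src->data, len);
    return copy;
}

/* Count bytes in the tap copy that were never part of the sender's message. */
static unsigned int count_leaked_bytes(const struct model_skb *copy, unsigned int payload_len)
{
    unsigned int leaked = 0;
    for (unsigned int i = payload_len; i < copy->len; i++)
        if (copy->data[i] == STALE_BYTE) leaked++;
    return leaked;
}

/* Build a netlink-like source skb: payload_len message bytes plus tailroom,
 * mirroring how alloc_skb() rounds the allocation up past the message. */
static struct model_skb *make_source(unsigned int payload_len, unsigned int tailroom)
{
    struct model_skb *src = model_skb_alloc(payload_len + tailroom);
    unsigned char *msg = malloc(payload_len ? payload_len : 1);
    if (!src || !msg) { model_skb_free(src); free(msg); return NULL; }
    /* Constructed message body (a byte ramp), not a real netlink header;
     * values stay below 0x80 so none collides with STALE_BYTE. */
    for (unsigned int i = 0; i < payload_len; i++)
        msg[i] = (unsigned char)(i & 0x7f);
    model_skb_put_data(src, msg, payload_len);
    free(msg);
    return src;
}

/* Run the vulnerable (1) or fixed (0) copy; return how many stale bytes the
 * tap reader would receive beyond the real message. */
unsigned int tap_leak_for(unsigned int payload_len, unsigned int tailroom, int use_end_offset)
{
    struct model_skb *src = make_source(payload_len, tailroom);
    if (!src) return 0;
    struct model_skb *copy = model_netlink_to_full_skb(src, use_end_offset);
    unsigned int leaked = copy ? count_leaked_bytes(copy, payload_len) : 0;
    model_skb_free(copy);
    model_skb_free(src);
    return leaked;
}

int main(void)
{
    printf("40-byte message, 24 bytes tailroom: pre-patch leaks %u bytes, patched leaks %u\n",
           tap_leak_for(40, 24, 1), tap_leak_for(40, 24, 0));
    return 0;
}
```

tap_leak_for(40, 24, 1) returns 24: a 40-byte message sitting in a 64-byte buffer hands 24 never-written bytes to whoever reads the tap, while the patched computation (tap_leak_for(40, 24, 0)) returns 0. In the real kernel the tailroom is whatever the allocator's size rounding left after the message, so the number of leaked bytes per message varies with message size rather than being fixed.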

Potential Impact

The bug is reachable only locally: netlink is an AF_NETLINK socket family with no network exposure, so the attacker model is a local process on an unpatched host, which includes tenant workloads, CI jobs and containers. What leaks is whatever stale content the reused pages held when the netlink tap copy was made; the KMSAN trace shows it flowing from the page allocator through netlink_to_full_skb() to a user-space reader of the tap. That content can include kernel pointers that defeat KASLR, fragments of other processes' data, or key material, but the attacker does not choose which bytes are exposed, and the bug does not corrupt memory on its own. For European organizations the practical risk is therefore concentrated in multi-tenant and shared-host Linux environments (cloud and hosting providers, container platforms, build and CI infrastructure, shared research systems) where untrusted code runs, and in embedded and appliance products with long patch cycles. Operators in finance, healthcare, government and critical infrastructure running such platforms should treat it as a confidentiality issue that can serve as a building block in a longer exploit chain rather than as a standalone compromise. No in-the-wild exploitation was reported at publication. If leaked bytes include personal data, an incident may trigger GDPR breach-notification obligations.

Mitigation Recommendations

To mitigate CVE-2024-26805, organizations should take the following actions:
1) Apply the fixed kernel from the distribution or upstream. The patch replaces the skb->end based length in netlink_to_full_skb() with skb->len; this is the only real fix, and kernels that carry the netlink tap code should be treated as affected until their vendor says otherwise.
2) Do not expect network controls to help. Netlink is a local (AF_NETLINK) socket family, so firewalls and network segmentation do not reduce exposure. What matters is which local processes can register a netlink tap and read it.
3) Until patched, limit who can create netlink monitor (nlmon) interfaces and open AF_PACKET sockets, which require CAP_NET_ADMIN and CAP_NET_RAW respectively. Because a fresh user namespace grants those capabilities inside its own network namespace, consider restricting unprivileged user namespaces (the user.max_user_namespaces sysctl, or the distribution-specific equivalents), and avoid loading the nlmon module on hosts that do not need it. For container platforms, confirm that runtime profiles drop CAP_NET_ADMIN and CAP_NET_RAW.
4) Do not count on KASLR or KPTI. An information leak is exactly the kind of bug that weakens KASLR, and KPTI addresses a different class of problem (speculative reads of kernel memory).
5) Audit for unexpected nlmon interfaces (ip link show type nlmon) and for processes holding AF_PACKET sockets bound to them; unexpected netlink monitoring on a production host warrants investigation whether or not this CVE is involved.
6) Prioritize hosts that run untrusted code (multi-tenant, CI runners, container and VM hosts) in the patch rollout, and make sure administrators understand that this is a kernel confidentiality bug whose value to an attacker is as one step in a longer chain.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-02-19T14:20:24.179Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9821c4522896dcbddac0

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 2:39:57 AM

Last updated: 8/19/2025, 10:08:38 PM

