CVE-2024-26882: Vulnerability in the Linux kernel (net/ipv4/ip_tunnel)
In the Linux kernel, the following vulnerability has been resolved:

net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()

Apply the same fix as the ones found in:

8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()")

We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call.

pskb_inet_may_pull() makes sure the needed headers are in skb->head.

syzbot reported:

BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
 INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
 IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
 ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
 __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389
 ipgre_rcv net/ipv4/ip_gre.c:411 [inline]
 gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447
 gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163
 ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
 __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
 netif_receive_skb_internal net/core/dev.c:5734 [inline]
 netif_receive_skb+0x58/0x660 net/core/dev.c:5793
 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556
 tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009
 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
 call_write_iter include/linux/fs.h:2087 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xb6b/0x1520 fs/read_write.c:590
 ksys_write+0x20f/0x4c0 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x93/0xd0 fs/read_write.c:652
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590
 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
 alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204
 skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909
 tun_build_skb drivers/net/tun.c:1686 [inline]
 tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826
 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
 call_write_iter include/linux/fs.h:2087 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xb6b/0x1520 fs/read_write.c:590
 ksys_write+0x20f/0x4c0 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x93/0xd0 fs/read_write.c:652
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
AI Analysis
Technical Summary
CVE-2024-26882 is a medium-severity vulnerability in the Linux kernel's IPv4 tunnel receive path, ip_tunnel_rcv() in net/ipv4/ip_tunnel.c, which is shared by the GRE (ip_gre), IP-in-IP (ipip) and related tunnel drivers. When a tunneled packet is decapsulated, the function resets skb->network_header to the inner IP header and then calls IP_ECN_decapsulate(), which reads the inner header's TOS byte to merge the outer and inner ECN marks. The pre-fix code never verified that the inner header was actually present in the skb's linear area (skb->head), so for a short or non-linear packet it read bytes the packet did not contain. Kernel Memory Sanitizer (KMSAN) flagged this as a read of uninitialized memory: in the syzbot report the skb was built by the tun driver from a freshly allocated page fragment, so the bytes past the end of the written data had never been initialized. The same class of bug had just been fixed in ip6_tunnel (__ip6_tnl_rcv()) and geneve (geneve_rx()), and the fix here is the same: call pskb_inet_may_pull() to make sure the inner header is in skb->head before touching it. Because pskb_inet_may_pull() can reallocate skb->head, the offset of the outer header has to be saved in a temporary variable before the pull and the outer header pointer recomputed from the new skb->head afterwards; otherwise the fix would trade an uninitialized read for a stale pointer. On production (non-KMSAN) kernels the consequence is that a crafted short tunneled packet makes the kernel take its ECN decision, and potentially drop or forward the packet, based on garbage, with a read that can run past the valid data; the reported impact is therefore to availability only, not confidentiality or integrity. The syzbot reproducer injected the packet through a tun device, but the same receive path is reached by GRE or IP-in-IP packets arriving on any interface of a host that has the corresponding tunnel module loaded, which is why the attack vector is treated as network-based with no privileges or user interaction required. The CVSS v3.1 base score reported here is 5.3 (medium). No exploitation in the wild has been reported as of the publication date. The fix is the upstream commit titled "net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()" and its stable backports.
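The mechanism above, as an added example written for this page rather than code from the Linux kernel: a user-space model of a non-linear packet buffer in which the outer IPv4 header is in the linear area and the inner IPv4 header is in a separate fragment. The struct, the field names and the `skb_pull_into_linear()` helper are simplified stand-ins for sk_buff and pskb_inet_may_pull() and are assumptions of this model, as is the 0xAA poison byte used to represent memory the packet never wrote. `tunnel_rcv_unpulled()` follows the pre-fix pattern (read the inner TOS byte without pulling) and `tunnel_rcv_pulled()` follows the fix (save the outer header offset, pull, recompute the pointer from the possibly reallocated head, drop a packet that is too short).

```c
/* Added example, not Linux kernel code: a user-space model of the bug class
 * behind CVE-2024-26882. Outer IPv4 header in the linear area (head), inner
 * IPv4 header in a separate fragment, like a non-linear sk_buff. Linear bytes
 * never written are poisoned with 0xAA to stand in for the uninitialized memory
 * KMSAN reported. Encapsulation is plain IP-in-IP (protocol 4) for brevity. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define OUTER_IPHDR_LEN 20
#define INNER_IPHDR_LEN 20
#define UNINIT_BYTE 0xAA

struct skb {
    uint8_t *head, *frag;             /* linear area; non-linear remainder */
    size_t head_room, head_len;       /* bytes allocated for head; real packet bytes in it */
    size_t frag_len, network_header;  /* bytes in frag; network header offset from head */
};

/* Model of pskb_may_pull(): make `len` bytes from the network header linear,
 * copying from the fragment and reallocating head when it is too small.
 * Returns 0 when the packet does not actually contain that many bytes. */
static int skb_pull_into_linear(struct skb *skb, size_t len)
{
    size_t need = skb->network_header + len, from_frag;
    if (need <= skb->head_len) return 1;
    from_frag = need - skb->head_len;
    if (from_frag > skb->frag_len) return 0;
    if (need > skb->head_room) {      /* head moves: every old pointer is now stale */
        uint8_t *new_head = malloc(need);
        memcpy(new_head, skb->head, skb->head_len);
        free(skb->head);
        skb->head = new_head;
        skb->head_room = need;
    }
    memcpy(skb->head + skb->head_len, skb->frag, from_frag);
    memmove(skb->frag, skb->frag + from_frag, skb->frag_len - from_frag);
    skb->frag_len -= from_frag;
    skb->head_len = need;
    return 1;
}

/* Pre-fix pattern: assume the inner header is already linear and read its TOS
 * byte (the input to IP_ECN_decapsulate) straight away. */
static int tunnel_rcv_unpulled(struct skb *skb, uint8_t *inner_tos)
{
    skb->network_header += OUTER_IPHDR_LEN;
    *inner_tos = skb->head[skb->network_header + 1];   /* poison if not pulled */
    return 0;
}

/* Fixed pattern: save the outer header offset, pull the inner header, then
 * recompute the outer pointer from the (possibly new) head. Returns 0 on
 * success, -1 when the packet is dropped as too short. */
static int tunnel_rcv_pulled(struct skb *skb, uint8_t *inner_tos, uint8_t *outer_ttl)
{
    size_t nh = skb->network_header;  /* an offset survives a realloc; a pointer does not */
    const uint8_t *outer;
    skb->network_header += OUTER_IPHDR_LEN;
    if (!skb_pull_into_linear(skb, INNER_IPHDR_LEN))
        return -1;                    /* kernel: counted as a length error, packet dropped */
    outer = skb->head + nh;
    *outer_ttl = outer[8];
    *inner_tos = skb->head[skb->network_header + 1];
    return 0;
}

/* Constructed packet: outer IPv4 header in head, `inner_len` bytes of the inner
 * IPv4 header in the fragment (0 models a truncated packet). */
static struct skb *build_tunnel_skb(size_t inner_len, uint8_t inner_tos, size_t head_room)
{
    struct skb *skb = calloc(1, sizeof *skb);
    skb->head = malloc(head_room);
    memset(skb->head, UNINIT_BYTE, head_room);
    memset(skb->head, 0, OUTER_IPHDR_LEN);
    skb->head[0] = 0x45; skb->head[8] = 64; skb->head[9] = 4;   /* IPv4, TTL 64, proto IPIP */
    skb->head_room = head_room; skb->head_len = OUTER_IPHDR_LEN;
    skb->frag = calloc(INNER_IPHDR_LEN, 1);
    skb->frag[0] = 0x45; skb->frag[1] = inner_tos;               /* inner TOS carries the ECN bits */
    skb->frag_len = inner_len;
    return skb;
}

static void free_skb(struct skb *skb) { free(skb->head); free(skb->frag); free(skb); }

/* Run one packet through either path and return the TOS byte read, -1 if the
 * fixed path dropped the packet, -2 if its recomputed outer pointer read a wrong
 * TTL. A head_room below 40 forces the pull to reallocate head. */
static int read_inner_tos(int use_fix, size_t inner_len, size_t head_room)
{
    struct skb *skb = build_tunnel_skb(inner_len, 0x02, head_room);
    uint8_t tos = 0, ttl = 64;
    int rc = use_fix ? tunnel_rcv_pulled(skb, &tos, &ttl) : tunnel_rcv_unpulled(skb, &tos);
    free_skb(skb);
    return rc < 0 ? rc : (ttl == 64 ? tos : -2);
}
```

With the inner header sitting in the fragment, the unpulled path returns the poison byte 0xAA instead of the real TOS 0x02, while the pulled path returns 0x02 whether or not the pull had to reallocate head; for a truncated packet with no inner header at all, the unpulled path still "reads" a TOS and the pulled path drops the packet.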
Potential Impact
For European organizations, the primary impact of CVE-2024-26882 is denial of service against Linux systems that terminate IPv4 tunnels, in particular GRE and IP-in-IP, which share the affected ip_tunnel_rcv() code. Enterprises, cloud providers and telecommunications operators across Europe rely on Linux servers and network devices for routing, VPN services and network virtualization, and these frequently use exactly these encapsulations. An attacker who can deliver crafted tunneled packets to a vulnerable endpoint can trigger the uninitialized read, causing kernel instability or crashes and interrupting the services the tunnel carries. Disruption of a tunnel endpoint can take down critical infrastructure links, cloud overlay networks or enterprise site-to-site connectivity, with the associated downtime and financial loss. The vulnerability does not allow privilege escalation or data leakage; the risk is to availability and service continuity, and it is highest for tunnel endpoints reachable from untrusted networks or the internet. Because it degrades network infrastructure rather than compromising it, it is most plausible as one component of a broader attack, for example to disrupt connectivity while another intrusion is under way. Organizations in finance, government, healthcare and telecommunications should be particularly vigilant given their reliance on Linux-based networking.
Mitigation Recommendations
European organizations should implement the following specific mitigation measures: 1) Apply the distribution kernel update that carries the upstream fix ("net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()"); the fix is merged upstream and backported to stable trees, so check the distribution's changelog or security tracker for CVE-2024-26882 rather than waiting for a new release. 2) Establish whether a host is exposed at all: the vulnerable path is only reached when an IPv4 tunnel driver is loaded (`lsmod | grep -E 'ip_gre|ipip|ip_tunnel'`, `ip -d link show type gre`, `ip -d link show type ipip`); where immediate patching is not feasible, do not configure, or unload, those tunnel types on hosts that face untrusted networks. 3) Filter at the network edge: GRE is IP protocol 47 and IP-in-IP is IP protocol 4, so permit those protocols only from known tunnel peers and drop or rate-limit them from everywhere else, using firewalls or intrusion prevention systems that can match on IP protocol number and, ideally, inspect the encapsulated payload. 4) Monitor kernel logs and system stability for crashes or oops messages in the tunnel receive path; on patched kernels, short or malformed tunneled packets are dropped and show up in the tunnel interface's receive error counters (`ip -s link show <tunnel-dev>`), which is a useful signal of probing. 5) In virtualized or containerized environments, patch both host and guest kernels: containers share the host kernel, and overlay or VPN tunnels terminating on the host are processed by the host's ip_tunnel_rcv(). 6) Incorporate this vulnerability into vulnerability management and incident response plans so that exposed tunnel endpoints are tracked through to remediation. 7) Coordinate with Linux distribution vendors and cloud providers to confirm patch availability and deployment timelines for managed kernels and network appliances.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.185Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe3e60
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 7:55:50 PM
Last updated: 8/13/2025, 9:50:00 AM