CVE-2024-26953: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

net: esp: fix bad handling of pages from page_pool

When the skb is reorganized during esp_output (!esp->inline), the pages coming from the original skb fragments are supposed to be released back to the system through put_page. But if the skb fragment pages are originating from a page_pool, calling put_page on them will trigger a page_pool leak which will eventually result in a crash.

This leak can be easily observed when using CONFIG_DEBUG_VM and doing ipsec + gre (non offloaded) forwarding:

BUG: Bad page state in process ksoftirqd/16 pfn:1451b6
page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6
flags: 0x200000000000000(node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000
raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]
CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x36/0x50
 bad_page+0x70/0xf0
 free_unref_page_prepare+0x27a/0x460
 free_unref_page+0x38/0x120
 esp_ssg_unref.isra.0+0x15f/0x200
 esp_output_tail+0x66d/0x780
 esp_xmit+0x2c5/0x360
 validate_xmit_xfrm+0x313/0x370
 ? validate_xmit_skb+0x1d/0x330
 validate_xmit_skb_list+0x4c/0x70
 sch_direct_xmit+0x23e/0x350
 __dev_queue_xmit+0x337/0xba0
 ? nf_hook_slow+0x3f/0xd0
 ip_finish_output2+0x25e/0x580
 iptunnel_xmit+0x19b/0x240
 ip_tunnel_xmit+0x5fb/0xb60
 ipgre_xmit+0x14d/0x280 [ip_gre]
 dev_hard_start_xmit+0xc3/0x1c0
 __dev_queue_xmit+0x208/0xba0
 ? nf_hook_slow+0x3f/0xd0
 ip_finish_output2+0x1ca/0x580
 ip_sublist_rcv_finish+0x32/0x40
 ip_sublist_rcv+0x1b2/0x1f0
 ? ip_rcv_finish_core.constprop.0+0x460/0x460
 ip_list_rcv+0x103/0x130
 __netif_receive_skb_list_core+0x181/0x1e0
 netif_receive_skb_list_internal+0x1b3/0x2c0
 napi_gro_receive+0xc8/0x200
 gro_cell_poll+0x52/0x90
 __napi_poll+0x25/0x1a0
 net_rx_action+0x28e/0x300
 __do_softirq+0xc3/0x276
 ? sort_range+0x20/0x20
 run_ksoftirqd+0x1e/0x30
 smpboot_thread_fn+0xa6/0x130
 kthread+0xcd/0x100
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x31/0x50
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork_asm+0x11/0x20
 </TASK>

The suggested fix is to introduce a new wrapper (skb_page_unref) that covers page refcounting for page_pool pages as well.
AI Analysis
Technical Summary
CVE-2024-26953 is a vulnerability in the Linux kernel's networking stack, specifically in the handling of IPsec ESP (Encapsulating Security Payload) packets when combined with GRE (Generic Routing Encapsulation) forwarding that is not offloaded to hardware. The flaw arises in the esp_output function when the skb (socket buffer) is reorganized and the pages backing the skb fragments originate from a page_pool allocator. Normally, when skb fragments are released, their pages are returned to the system via put_page. If those pages come from a page_pool, however, calling put_page on them is incorrect: the pool's reference accounting is bypassed and a page_pool leak results. The leak accumulates over time and eventually leads to a kernel crash due to a bad page state, as evidenced by the kernel BUG message and page dump in the trace above. The problem is readily observed with CONFIG_DEBUG_VM enabled during IPsec + GRE forwarding that is not offloaded to hardware. The root cause is improper reference counting for page_pool pages during skb fragment release. The proposed fix introduces a wrapper function, skb_page_unref, that handles reference counting correctly for page_pool pages as well, preventing the leak and the subsequent crash. The vulnerability affects Linux kernel versions around the 6.8.0-rc4+ development branch and likely other versions carrying the same code. No exploits are known in the wild, but the vulnerability can cause denial of service through kernel crashes on affected systems handling IPsec + GRE traffic. It requires neither user interaction nor authentication, since it is triggered by normal packet processing in the kernel networking stack.
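The description and the summary above both turn on one distinction: a page_pool page is owned by its pool and must go back to the pool, whereas a page that was never pooled is freed with put_page. The model below is an added example written for this page, not kernel code and not the upstream fix; struct page, struct page_pool, put_page, page_pool_put_page, page_pool_alloc, free_unref_page and skb_page_unref are simplified user-space stand-ins that reproduce the accounting in the commit message. It shows why releasing pool pages with put_page ends in the "page_pool leak" bad-page report from the trace, and how an origin-aware wrapper avoids it.

```c
/* Added user-space model of the CVE-2024-26953 release path and its fix. Nothing
 * here is kernel code: struct page, struct page_pool, put_page, page_pool_put_page,
 * page_pool_alloc, free_unref_page and skb_page_unref are simplified stand-ins. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define POOL_CACHE_SIZE 8
#define PP_MAGIC        0x40UL  /* stand-in for the marker a pool puts on its pages */

struct page_pool;
struct page {
    unsigned int refcount;
    unsigned long pp_magic;     /* non-zero while the page is owned by a page_pool */
    struct page_pool *pp;
};
struct page_pool {
    struct page *cache[POOL_CACHE_SIZE];  /* recycled pages ready for reuse */
    unsigned int cached;
    unsigned int leak_reports;            /* "page_pool leak" reports from the free path */
};

/* System allocator free path. The CONFIG_DEBUG_VM check lives here: a page that
 * still carries pp_magic when it arrives is reported as "page_pool leak". */
static void free_unref_page(struct page *page)
{
    if (page->pp_magic) {
        page->pp->leak_reports++;
        fprintf(stderr, "BUG: Bad page state: page dumped because: page_pool leak\n");
    }
}

/* Plain reference drop, unaware of page_pool: what the pre-fix esp code called. */
static void put_page(struct page *page)
{
    assert(page->refcount > 0);
    if (--page->refcount == 0)
        free_unref_page(page);
}

/* Pool-aware release: the pool holds the page's only reference, so a page at
 * refcount 1 is recycled into the cache; otherwise the pool disowns it first. */
static void page_pool_put_page(struct page_pool *pool, struct page *page)
{
    if (page->refcount == 1 && pool->cached < POOL_CACHE_SIZE) {
        pool->cache[pool->cached++] = page;
        return;
    }
    page->pp_magic = 0;   /* clear the marker before the allocator sees the page */
    put_page(page);
}

/* Model of the fix: choose the release path from the page's origin, as the
 * kernel's skb_page_unref wrapper does for skb fragment pages. */
static void skb_page_unref(struct page *page)
{
    if (page->pp_magic)
        page_pool_put_page(page->pp, page);
    else
        put_page(page);
}

/* Hand out a pool page: from the recycle cache if possible, else fresh storage. */
static struct page *page_pool_alloc(struct page_pool *pool, struct page *fresh)
{
    struct page *page = pool->cached ? pool->cache[--pool->cached] : fresh;
    page->refcount = 1;
    page->pp_magic = PP_MAGIC;
    page->pp = pool;
    return page;
}

struct release_result {
    unsigned int leak_reports;  /* bad-page reports raised while releasing */
    unsigned int recycled;      /* pages sitting in the pool cache afterwards */
};

/* Simulate esp_output's non-inline path: the skb's fragment pages came from a
 * page_pool, the skb is rebuilt, and the old fragments are released with the
 * chosen function (put_page = before the fix, skb_page_unref = after). */
static struct release_result release_esp_frags(void (*release)(struct page *),
                                               unsigned int nfrags)
{
    struct page_pool pool = {0};
    struct page storage[POOL_CACHE_SIZE];
    struct release_result r = {0, 0};

    assert(nfrags <= POOL_CACHE_SIZE);
    for (unsigned int i = 0; i < nfrags; i++)   /* cache is empty: each alloc is fresh */
        page_pool_alloc(&pool, &storage[i]);
    for (unsigned int i = 0; i < nfrags; i++)
        release(&storage[i]);
    r.leak_reports = pool.leak_reports;
    r.recycled = pool.cached;
    return r;
}

/* A fragment page that never came from a pool must still be freed the old way. */
static bool wrapper_frees_plain_page(void)
{
    struct page plain = { .refcount = 1, .pp_magic = 0, .pp = NULL };
    skb_page_unref(&plain);
    return plain.refcount == 0;
}
```

Calling release_esp_frags(put_page, 3) yields three leak reports and no recycled pages, which is the pre-fix behaviour behind the trace; release_esp_frags(skb_page_unref, 3) yields no reports and three pages back in the pool cache, and wrapper_frees_plain_page() confirms that non-pool pages still take the ordinary put_page path. The design point is that the release site cannot know a fragment's origin from the skb alone, so the decision belongs in one wrapper rather than at every caller.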
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions that handle IPsec ESP traffic encapsulated within GRE tunnels, especially in environments using software-based IPsec + GRE forwarding without hardware offloading. Such configurations are common in enterprise VPN gateways, cloud infrastructure, and network appliances that rely on Linux for secure tunneling and routing. Successful exploitation leads to kernel crashes and therefore denial of service, potentially disrupting critical network connectivity and secure communications. This can affect the availability of VPN services, inter-site connectivity, and cloud workloads that rely on these tunnels. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure that depend on secure Linux-based networking could face operational outages and increased incident response costs. Although no direct compromise of data confidentiality or integrity is indicated, the denial of service could be used as part of a larger attack campaign to degrade network defenses or cause cascading failures. The absence of known exploits reduces immediate risk, but the vulnerability's presence in widely deployed Linux kernels means that unpatched systems remain exposed to accidental or targeted crashes.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patch that introduces skb_page_unref to correctly handle page_pool page reference counting is the primary mitigation. Organizations should track kernel updates from trusted sources and deploy them promptly.
2. For environments where immediate patching is not feasible, consider disabling or avoiding configurations that combine IPsec ESP with GRE forwarding without hardware offload, if possible, to reduce exposure.
3. Monitor kernel logs for signs of page_pool leaks or kernel BUG messages related to bad page states, which may indicate attempted exploitation or accidental triggering.
4. Employ kernel live patching solutions where available to apply fixes without downtime.
5. Harden network segmentation and limit exposure of vulnerable Linux systems to untrusted networks to reduce the risk of triggering the vulnerability remotely.
6. Validate and test VPN and tunneling configurations for stability under load and during IPsec + GRE traffic to detect potential issues early.
7. Maintain robust backup and recovery procedures to minimize the impact of potential denial of service incidents caused by kernel crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.200Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2f12
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 1:27:52 PM
Last updated: 7/27/2025, 1:39:29 AM