CVE-2024-35841: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: tls, fix WARNIING in __sk_msg_free

A splice with MSG_SPLICE_PAGES will cause tls code to use the tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user provided pages from the msg into the msg_pl. This will loop over the msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user can also set the MORE flag to hint stack to delay sending until receiving more pages and ideally a full buffer.

If the user adds more pages to the msg than can fit in the msg_pl scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send the buffer anyways.

What actually happens though is we abort the msg to msg_pl scatterlist setup and then because we forget to set 'full record' indicating we can no longer consume data without a send we fallthrough to the 'continue' path which will check if msg_data_left(msg) has more bytes to send and then attempts to fit them in the already full msg_pl. Then next iteration of sender doing send will encounter a full msg_pl and throw the warning in the syzbot report.

To fix simply check if we have a full_record in splice code path and if not send the msg regardless of MORE flag.
AI Analysis
Technical Summary
CVE-2024-35841 is a vulnerability in the Linux kernel's networking subsystem, specifically in the TLS (Transport Layer Security) sendmsg implementation that splices user-provided pages into kernel scatterlists for transmission. It arises in the code path that handles the MSG_SPLICE_PAGES flag during TLS sendmsg operations. When a user splices more pages into the message than the scatterlist can hold (MAX_MSG_FRAGS), the code aborts the scatterlist setup without marking the message as a 'full record'. The sendmsg code then tries to continue placing data into an already full scatterlist, which triggers warnings and can cause unexpected behavior.

The root cause is that the MORE flag, which hints the kernel to delay sending until more data is available, is not overridden when the scatterlist is full, so execution falls through to a continuation path that mishandles the message state. The fix checks for a full record in the splice code path and, when the scatterlist is full but full_record has not been set, sends the message immediately regardless of the MORE flag, which prevents the erroneous continuation and the associated warnings.

This is a logic error in kernel TLS message handling that could cause instability or denial of service conditions due to improper message state management during high-volume or crafted TLS splicing operations. No known exploits are reported in the wild as of the publication date, and the affected Linux kernel versions are identified by commit hashes. The issue concerns internal kernel memory and message buffer management during TLS sendmsg operations, which are critical for secure network communication in Linux environments.
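The control-flow error described above, as a small user-space C model added here for illustration; it is not kernel code and not taken from the fix commit. `struct model_sock`, `model_sendmsg`, `run_model` and `MODEL_MAX_FRAGS` (a small stand-in for MAX_MSG_FRAGS) are hypothetical names, and `fixed` selects the behaviour the fix describes.

```c
#include <stdbool.h>
#include <stdio.h>
#define MODEL_MAX_FRAGS 4 /* assumption: small stand-in for MAX_MSG_FRAGS */

struct model_sock {          /* hypothetical model state, not a kernel struct */
    int used;                /* fragments held in the open record (msg_pl) */
    int records_sent;        /* records pushed to the transmit path */
    bool add_to_full;        /* a send found msg_pl full: the warned-about state */
};

/* One sendmsg() call on the splice path; 'fixed' selects the patched check. */
static void model_sendmsg(struct model_sock *s, int pages, bool more, bool fixed)
{
    int left = pages;        /* plays the role of msg_data_left(msg) */
    while (left > 0) {
        bool full_record = false;
        if (s->used == MODEL_MAX_FRAGS) { /* no room left and nothing was sent */
            s->add_to_full = true;
            return;                       /* the model stops at the bad state */
        }
        while (left > 0 && s->used < MODEL_MAX_FRAGS) {
            s->used++;                    /* splice one page into msg_pl */
            left--;
        }
        if (fixed && s->used == MODEL_MAX_FRAGS)
            full_record = true;           /* fix: a full msg_pl is a full record */
        if (full_record || !more) {       /* send and start a new record */
            s->records_sent++;
            s->used = 0;
        }                                 /* else MORE defers the send */
    }
}

/* Constructed scenario: 'first' pages with MORE set, then 'second' without. */
static struct model_sock run_model(int first, int second, bool fixed)
{
    struct model_sock s = {0, 0, false};
    model_sendmsg(&s, first, true, fixed);
    model_sendmsg(&s, second, false, fixed);
    return s;
}

int main(void)
{
    struct model_sock b = run_model(6, 1, false), f = run_model(6, 1, true);
    printf("before fix: sent=%d add_to_full=%d\n", b.records_sent, b.add_to_full);
    printf("after fix:  sent=%d add_to_full=%d\n", f.records_sent, f.add_to_full);
    return 0;
}
```

With fewer pages than `MODEL_MAX_FRAGS` the two variants behave identically, which is why the condition only shows up once the scatterlist limit is reached while MORE is set.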
Potential Impact
For European organizations, the impact of CVE-2024-35841 primarily concerns systems running affected Linux kernel versions with TLS offloading enabled in the networking stack. Since Linux is widely deployed across servers, cloud infrastructure, and embedded devices in Europe, this vulnerability could lead to service disruptions or denial of service (DoS) conditions if exploited by sending specially crafted TLS splice messages that trigger the faulty logic. Although no direct remote code execution or privilege escalation is indicated, the instability caused by the kernel warnings and aborted message processing could degrade the availability of critical network services, including web servers, VPN gateways, and other TLS-dependent applications. Organizations relying on Linux-based infrastructure for secure communications may face increased risk of network outages or degraded performance, impacting business continuity and service reliability. Additionally, the vulnerability could be leveraged as part of a multi-stage attack to cause resource exhaustion or kernel panics, especially in high-throughput environments. Given the importance of Linux in European data centers, telecommunications, and government systems, timely patching is essential to maintain operational stability and security compliance.
Mitigation Recommendations
To mitigate CVE-2024-35841, European organizations should:
1) Identify and inventory Linux systems running affected kernel versions, particularly those using TLS offloading or advanced networking features involving MSG_SPLICE_PAGES.
2) Apply the official Linux kernel patches or updates that address this vulnerability as soon as they become available from trusted sources or Linux distribution vendors.
3) In environments where immediate patching is not feasible, consider disabling TLS offloading or the use of MSG_SPLICE_PAGES in the kernel networking stack as a temporary workaround to prevent triggering the vulnerable code path.
4) Monitor kernel logs and system alerts for warnings related to __sk_msg_free or TLS sendmsg operations that may indicate attempts to exploit this issue.
5) Conduct network traffic analysis to detect abnormal TLS splicing patterns that could signal exploitation attempts.
6) Maintain strict access controls and network segmentation to limit exposure of vulnerable systems to untrusted networks or users.
7) Engage with Linux distribution security advisories and maintain an up-to-date patch management process to quickly respond to emerging threats related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.104Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe360a
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:27:21 PM
Last updated: 7/29/2025, 7:51:21 PM