
CVE-2024-35884: Vulnerability in Linux (Linux kernel)

Severity: High
Type: Vulnerability (CVE-2024-35884)
Tags: cve, cve-2024-35884
Published: Sun May 19 2024 (05/19/2024, 08:34:40 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: do not accept non-tunnel GSO skbs landing in a tunnel

When rx-udp-gro-forwarding is enabled UDP packets might be GROed when being forwarded. If such packets might land in a tunnel this can cause various issues and udp_gro_receive makes sure this isn't the case by looking for a matching socket. This is performed in udp4/6_gro_lookup_skb but only in the current netns. This is an issue with tunneled packets when the endpoint is in another netns. In such cases the packets will be GROed at the UDP level, which leads to various issues later on. The same thing can happen with rx-gro-list.

We saw this with geneve packets being GROed at the UDP level. In such a case gso_size is set; later the packet goes through the geneve rx path, the geneve header is pulled, the offsets are adjusted and frag_list skbs are not adjusted with regard to geneve. When those skbs hit skb_fragment, it will misbehave. Different outcomes are possible depending on what the GROed skbs look like; from corrupted packets to kernel crashes. One example is a BUG_ON[1] triggered in skb_segment while processing the frag_list. Because gso_size is wrong (geneve header was pulled) skb_segment thinks there is "geneve header size" of data in frag_list, although it's in fact the next packet. The BUG_ON itself has nothing to do with the issue. This is only one of the potential issues.

Looking for a matching socket in udp_gro_receive is fragile: the lookup could be extended to all netns (not to speak of performance) but nothing prevents those packets from being modified in between and we could still not find a matching socket. It's OK to keep the current logic there as it should cover most cases but we also need to make sure we handle tunnel packets being GROed too early. This is done by extending the checks in udp_unexpected_gso: GSO packets lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must be segmented.

[1] kernel BUG at net/core/skbuff.c:4408!
    RIP: 0010:skb_segment+0xd2a/0xf70
    __udp_gso_segment+0xaa/0x560

AI-Powered Analysis

AI. Last updated: 07/03/2025, 01:40:06 UTC

Technical Analysis

CVE-2024-35884 is a high-severity vulnerability in the Linux kernel's handling of UDP Generic Segmentation Offload (GSO) packets when rx-udp-gro-forwarding is enabled. With that feature on, UDP packets may be coalesced by Generic Receive Offload (GRO) while being forwarded; if such a coalesced packet then lands in a tunnel interface it is mishandled. The kernel function udp_gro_receive guards against this by checking that GROed packets correspond to a matching socket, but that lookup (udp4/6_gro_lookup_skb) is confined to the current network namespace (netns) and therefore misses tunneled packets whose endpoint lives in a different netns. Such packets are GROed prematurely at the UDP level, leaving inconsistent state for later stages of the receive path. The same problem can occur with rx-gro-list.

The issue was observed with Geneve tunnel packets. After GRO, gso_size is set; when the packet then traverses the Geneve receive path the Geneve header is pulled and the offsets are adjusted, but the skbs on frag_list are not adjusted for the removed header, so gso_size no longer describes the data. skb_segment then misinterprets the packet boundaries: it expects a Geneve-header-sized run of data on frag_list that is in fact the next packet, which trips the BUG_ON in skb_segment. Depending on what the GROed skbs look like, the outcome ranges from corrupted packets to kernel crashes, i.e. denial of service through a kernel panic.

The root cause is the fragile socket lookup in udp_gro_receive, which only checks the current netns and cannot reliably find matching sockets for tunneled packets that cross netns boundaries. The fix extends the checks in udp_unexpected_gso so that GSO packets lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits (SKB_GSO_UDP_TUNNEL or SKB_GSO_UDP_TUNNEL_CSUM) and landing in a tunnel are segmented before further processing. This prevents premature GROing of tunneled packets and the packet-processing errors that follow from it.

This vulnerability affects the Linux kernel versions in the affected commit range given in the CVE record and is particularly relevant for systems that use UDP GRO forwarding together with tunneling protocols such as Geneve. The CVSS 3.1 score is 8.8 (high), reflecting a network attack vector, low attack complexity, privileges required, and high impact on confidentiality, integrity, and availability.

Potential Impact

For European organizations, this vulnerability poses a significant risk especially for those relying on Linux-based infrastructure with advanced networking features such as UDP GRO forwarding and tunneling protocols (e.g., Geneve, VXLAN). Data centers, cloud providers, telecom operators, and enterprises using Linux servers for network virtualization or container orchestration could experience kernel crashes or packet corruption, leading to service disruptions or denial of service. The vulnerability could be exploited by an attacker with local privileges to cause kernel panics, potentially escalating to broader system compromise or impacting availability of critical network services. Given the widespread use of Linux in European IT environments, the impact could affect a broad range of sectors including finance, healthcare, government, and telecommunications. Additionally, the instability caused by this vulnerability could undermine trust in network virtualization technologies and complicate incident response and forensic analysis.

Mitigation Recommendations

European organizations should prioritize patching affected Linux kernel versions as soon as vendor updates become available. Beyond applying patches, administrators should audit their network configurations to identify whether UDP GRO forwarding (rx-udp-gro-forwarding, rx-gro-list) and tunneling protocols like Geneve are enabled, and assess whether these features are necessary. If feasible, temporarily disabling rx-udp-gro-forwarding or the tunneling features until patches are applied reduces exposure. Network namespaces and tunneling configurations should be reviewed to minimize the cross-netns packet forwarding that triggers this vulnerability. Monitoring kernel logs for the "kernel BUG at net/core/skbuff.c" / skb_segment traces quoted in the description can help detect exploitation attempts or crashes. For environments using container orchestration or virtualized networks, ensuring that host kernels are updated and that container runtimes do not expose unnecessary privileges is critical. Finally, strict access controls that limit local user privileges reduce the risk of exploitation, since the vulnerability requires at least local privileges.
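The audit and log-monitoring steps above, as an added example (this is not code from the CVE record or from the kernel project): a POSIX shell script that reads the output of `ethtool -k <iface>` to report whether rx-udp-gro-forwarding or rx-gro-list is on, prints the matching `ethtool -K ... off` mitigation command, and counts kernel-log lines carrying the skb_segment crash signature quoted in the description. The ethtool feature text and the log lines embedded below are constructed samples; the function names, the `--live` flag and the sample interface name eth0 are assumptions of this example.

```shell
#!/bin/sh
# Added example: defender-side checks for CVE-2024-35884 exposure and crash traces.
# Requires only sh, awk and grep; ethtool/dmesg are used only in --live mode.

# Constructed sample of `ethtool -k eth0` output (not captured from a real host).
SAMPLE_FEATURES='Features for eth0:
rx-udp-gro-forwarding: on
rx-gro-list: off
tx-udp-segmentation: on [fixed]'

# Constructed sample kernel log; the BUG line and the skb_segment frame are the
# strings quoted in the CVE description, the timestamps are made up.
SAMPLE_DMESG='[  123.456789] kernel BUG at net/core/skbuff.c:4408!
[  123.456790] RIP: 0010:skb_segment+0xd2a/0xf70
[  123.456791]  __udp_gso_segment+0xaa/0x560
[  200.000000] eth0: link up'

# feature_state FEATURES_TEXT FEATURE_NAME -> prints "on" or "off" (nothing if absent).
# A trailing "[fixed]" marker is ignored because only the second field is printed.
feature_state() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# gro_risk_features FEATURES_TEXT -> prints each GRO feature named in the advisory
# that is currently on; returns 0 if at least one is on, 1 otherwise.
gro_risk_features() {
    gro_found=1
    for feat in rx-udp-gro-forwarding rx-gro-list; do
        if [ "$(feature_state "$1" "$feat")" = "on" ]; then
            echo "$feat"
            gro_found=0
        fi
    done
    return $gro_found
}

# count_skb_segment_bugs LOG_TEXT -> number of log lines matching the crash
# signature from the description (skbuff.c BUG or an skb_segment+0x... frame).
count_skb_segment_bugs() {
    printf '%s\n' "$1" | grep -c -E 'kernel BUG at net/core/skbuff\.c|skb_segment\+0x' || true
}

# audit_live_host: run the same checks against the running system (needs root for
# dmesg on most distributions); skips gracefully when ethtool is unavailable.
audit_live_host() {
    command -v ethtool >/dev/null 2>&1 || { echo "ethtool not available"; return 0; }
    for dev in /sys/class/net/*; do
        iface=${dev##*/}
        [ "$iface" = lo ] && continue
        feats=$(ethtool -k "$iface" 2>/dev/null) || continue
        gro_risk_features "$feats" | while read -r feat; do
            echo "$iface: $feat is on; temporary mitigation: ethtool -K $iface $feat off"
        done
    done
    if command -v dmesg >/dev/null 2>&1; then
        n=$(count_skb_segment_bugs "$(dmesg 2>/dev/null)")
        echo "kernel log: $n skb_segment crash line(s)"
    fi
}

# Demonstration on the constructed samples; pass --live to audit the real host.
if [ "${1:-}" = "--live" ]; then
    audit_live_host
else
    gro_risk_features "$SAMPLE_FEATURES" | sed 's/^/sample host: risky feature on: /'
    echo "sample log: $(count_skb_segment_bugs "$SAMPLE_DMESG") skb_segment crash line(s)"
fi
```

Run it without arguments to see the checks applied to the embedded samples, or with `--live` on a host to list interfaces that still have the affected GRO features on and to count crash traces in the current kernel log. Disabling a feature with `ethtool -K` is not persistent across reboots, so the setting should be reapplied by the network configuration until the patched kernel is in place.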


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.112Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe376d

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 7/3/2025, 1:40:06 AM

Last updated: 8/14/2025, 4:37:54 PM
