CVE-2024-35888: Vulnerability in the Linux kernel (vendor Linux, product Linux)
In the Linux kernel, the following vulnerability has been resolved:

erspan: make sure erspan_base_hdr is present in skb->head

syzbot reported a problem in ip6erspan_rcv() [1]

Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make sure erspan_base_hdr is present in skb linear part (skb->head) before getting @ver field from it.

Add the missing pskb_may_pull() calls.

v2: Reload iph pointer in erspan_rcv() after pskb_may_pull() because skb->head might have changed.

[1]
BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
 pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
 pskb_may_pull include/linux/skbuff.h:2756 [inline]
 ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
 gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
 ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
 ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
 dst_input include/net/dst.h:460 [inline]
 ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core net/core/dev.c:5538 [inline]
 __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
 netif_receive_skb_internal net/core/dev.c:5738 [inline]
 netif_receive_skb+0x58/0x660 net/core/dev.c:5798
 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
 tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:2108 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xb63/0x1520 fs/read_write.c:590
 ksys_write+0x20f/0x4c0 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x93/0xe0 fs/read_write.c:652
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3804 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
 alloc_skb include/linux/skbuff.h:1318 [inline]
 alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
 tun_alloc_skb drivers/net/tun.c:1525 [inline]
 tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:2108 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xb63/0x1520 fs/read_write.c:590
 ksys_write+0x20f/0x4c0 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x93/0xe0 fs/read_write.c:652
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
AI Analysis
Technical Summary
CVE-2024-35888 is a medium-severity vulnerability in the Linux kernel's handling of ERSPAN (Encapsulated Remote Switched Port Analyzer) packets, specifically in the ip6erspan_rcv() and erspan_rcv() receive functions. Both functions read the @ver field of the erspan_base_hdr structure without first ensuring that the whole header lies in the linear part of the socket buffer (skb->head). When the header bytes are still in the non-linear part of the skb, the read returns whatever uninitialised memory sits in the linear buffer at that offset; Kernel Memory Sanitizer (KMSAN) flagged this when the uninitialised value was subsequently used in a pskb_may_pull() call inside ip6erspan_rcv(), reached from gre_rcv(). The root cause is the absence of the pskb_may_pull() calls that guarantee the required header bytes are linear before they are dereferenced. The fix adds those calls and, because pskb_may_pull() can reallocate skb->head, reloads the IP header pointer in erspan_rcv() afterwards. The KMSAN report shows the packet entering through the TUN driver (tun_chr_write_iter()), a local injection path consistent with the local attack vector in the score. The vulnerability affects multiple Linux kernel versions, including recent development branches (e.g. 6.9.0-rc1), and is relevant to systems that process ERSPAN packets, which carry mirrored network traffic for monitoring over GRE tunnels. The CVSS 3.1 base score is 5.5 (medium): local attack vector, low attack complexity, privileges required, no user interaction, and an impact on availability but not on confidentiality or integrity. No exploits are currently reported in the wild.
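The following userspace model is an added example, not kernel code and not the upstream patch. It reproduces the pattern the summary describes: a toy skb with a linear area and one fragment, a stand-in for pskb_may_pull() that reallocates the linear buffer when it pulls bytes in, the pre-fix read of the ERSPAN version nibble straight from the linear area, and the fixed read that pulls first and then re-derives the header pointer. The struct, function and constant names (toy_skb, toy_pskb_may_pull, LINEAR_CAP, the sample header bytes) are assumptions for this example; only ERSPAN_BASE_HDR_LEN (4 bytes), PACKET_REJECT and the 4-bit version field follow the real layout.

```c
/* Added example: userspace model of the missing-pskb_may_pull() bug class
 * behind CVE-2024-35888. Not Linux code; names and packet bytes are constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ERSPAN_BASE_HDR_LEN 4      /* kernel: sizeof(struct erspan_base_hdr) */
#define LINEAR_CAP          16     /* linear capacity of the toy skb (assumed) */
#define PACKET_RCVD         0
#define PACKET_REJECT       (-1)

/* Toy sk_buff: linear area head[0..len) plus one non-linear fragment. Bytes of
 * head beyond len are allocated but never written: the "uninit" memory KMSAN saw. */
struct toy_skb {
    uint8_t       *head;      /* linear buffer; a pull may reallocate it */
    uint8_t       *data;      /* current parse position inside head */
    size_t         len;       /* packet bytes currently linear */
    const uint8_t *frag;      /* packet bytes still in the fragment */
    size_t         frag_len;
};

/* Model of pskb_may_pull(): ok if `need` bytes are already linear; otherwise copy
 * them from the fragment into a NEW buffer (so old pointers go stale); fail if short. */
static int toy_pskb_may_pull(struct toy_skb *skb, size_t need)
{
    if (need <= skb->len)
        return 1;
    if (need > skb->len + skb->frag_len)
        return 0;                                 /* packet really is too short */
    size_t pull = need - skb->len;
    size_t off  = (size_t)(skb->data - skb->head);
    uint8_t *nhead = malloc(off + need);          /* distinct from the old head */
    memcpy(nhead, skb->head, off + skb->len);
    memcpy(nhead + off + skb->len, skb->frag, pull);
    free(skb->head);
    skb->head = nhead;  skb->data = nhead + off;  skb->len = need;
    skb->frag += pull;  skb->frag_len -= pull;
    return 1;
}

/* Pre-fix pattern: read the version (top 4 bits of byte 0) with no linearity check. */
static int erspan_ver_unchecked(const struct toy_skb *skb)
{
    return skb->data[0] >> 4;
}

/* Fixed pattern: pull first, then reload the header pointer from skb->data. */
static int erspan_ver_checked(struct toy_skb *skb, int *ver)
{
    if (!toy_pskb_may_pull(skb, ERSPAN_BASE_HDR_LEN))
        return PACKET_REJECT;
    const uint8_t *ershdr = skb->data;            /* re-derived after the pull */
    *ver = ershdr[0] >> 4;
    return PACKET_RCVD;
}

/* First `linear` packet bytes go in the linear area, the rest in the fragment;
 * unused linear capacity is poisoned with 0xAA to stand in for uninitialised slab memory. */
static struct toy_skb *make_skb(const uint8_t *pkt, size_t pkt_len, size_t linear)
{
    struct toy_skb *skb = calloc(1, sizeof *skb);
    skb->head = malloc(LINEAR_CAP);
    memset(skb->head, 0xAA, LINEAR_CAP);
    memcpy(skb->head, pkt, linear);
    skb->data = skb->head;  skb->len = linear;
    skb->frag = pkt + linear;  skb->frag_len = pkt_len - linear;
    return skb;
}

static void free_skb(struct toy_skb *skb) { free(skb->head); free(skb); }

/* Constructed ERSPAN type II base header: ver=1, vlan=0, session id 1. */
static const uint8_t sample_hdr[ERSPAN_BASE_HDR_LEN] = { 0x10, 0x00, 0x00, 0x01 };

/* Header entirely in the fragment: the unchecked read yields the poison nibble 0xA. */
int demo_unchecked_ver(void)
{
    struct toy_skb *skb = make_skb(sample_hdr, sizeof sample_hdr, 0);
    int ver = erspan_ver_unchecked(skb);
    free_skb(skb);
    return ver;
}

/* Same packet through the fixed path: the pull makes the header linear, ver == 1. */
int demo_checked_ver(void)
{
    struct toy_skb *skb = make_skb(sample_hdr, sizeof sample_hdr, 0);
    int ver = -1;
    erspan_ver_checked(skb, &ver);
    free_skb(skb);
    return ver;
}

/* A 2-byte truncated header is rejected instead of read. */
int demo_checked_short(void)
{
    struct toy_skb *skb = make_skb(sample_hdr, 2, 0);
    int ver = -1, rc = erspan_ver_checked(skb, &ver);
    free_skb(skb);
    return rc;
}

/* Why v2 reloads the iph pointer: the head address changes on a pull (addresses compared only). */
int demo_head_moved(void)
{
    struct toy_skb *skb = make_skb(sample_hdr, sizeof sample_hdr, 1);
    const uint8_t *before = skb->head;
    toy_pskb_may_pull(skb, ERSPAN_BASE_HDR_LEN);
    int moved = skb->head != before;
    free_skb(skb);
    return moved;
}
```

The poisoned 0xAA bytes play the role KMSAN plays in the kernel: they make the stale read visible as a wrong version value (10 instead of 1) rather than silently plausible garbage. In the real kernel the consequence is worse, because the bogus version selects the header length passed to the next pskb_may_pull(), which is exactly where KMSAN reported the uninitialised use.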
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels that handle ERSPAN traffic, such as network monitoring appliances, routers, or servers configured for advanced network diagnostics. Exploitation could lead to denial of service (DoS) conditions by crashing the kernel or causing instability due to uninitialized memory access. While it does not directly compromise confidentiality or integrity, the availability impact could disrupt critical network monitoring and security operations, especially in sectors relying heavily on Linux-based infrastructure such as telecommunications, finance, and government agencies. Given the widespread use of Linux in European data centers and enterprise environments, unpatched systems could experience service interruptions or degraded network visibility, potentially delaying incident response and forensic analysis. However, the requirement for local privileges limits the attack surface to insiders or attackers who have already gained some level of access, reducing the likelihood of remote exploitation.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-35888. Specifically, kernel maintainers have added the necessary pskb_may_pull() calls to ensure safe access to ERSPAN headers. System administrators should:
1) Identify all Linux systems processing ERSPAN or GRE traffic, particularly those involved in network monitoring or traffic analysis.
2) Apply vendor-provided kernel updates or backported patches promptly.
3) If immediate patching is not feasible, consider disabling ERSPAN functionality or restricting ERSPAN traffic to trusted network segments to reduce exposure.
4) Implement strict access controls to limit local user privileges, minimizing the risk of exploitation by unprivileged users.
5) Monitor kernel logs and system behavior for signs of instability or crashes related to network packet processing.
6) Engage with Linux distribution security advisories for tailored guidance and backports relevant to their environment.
These steps go beyond generic advice by focusing on the specific network feature (ERSPAN) and kernel subsystems involved.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.113Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd8de1
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/5/2025, 9:54:33 AM
Last updated: 7/31/2025, 2:33:56 PM