CVE-2024-35944: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

  memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg" at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
  WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237 dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

Some code commentary, based on my understanding:

  #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)   /// This is 24 + payload_size

  memcpy(&dg_info->msg, dg, dg_size);

Destination = dg_info->msg ---> this is a 24 byte structure (struct vmci_datagram)
Source = dg --> this is a 24 byte structure (struct vmci_datagram)
Size = dg_size = 24 + payload_size {payload_size = 56-24 = 32} -- Syzkaller managed to set payload_size to 32.

  struct delayed_datagram_info {
          struct datagram_entry *entry;
          struct work_struct work;
          bool in_dg_host_queue;
          /* msg and msg_payload must be together. */
          struct vmci_datagram msg;
          u8 msg_payload[];
  };

So those extra bytes of payload are copied into msg_payload[], a run time warning is seen while fuzzing with Syzkaller.

One possible way to fix the warning is to split the memcpy() into two parts -- one -- direct assignment of msg and second taking care of payload.

Gustavo quoted: "Under FORTIFY_SOURCE we should not copy data across multiple members in a structure."
AI Analysis
Technical Summary
CVE-2024-35944 is a vulnerability in the Linux kernel's VMCI (Virtual Machine Communication Interface) subsystem, specifically in dg_dispatch_as_host() in drivers/misc/vmw_vmci/vmci_datagram.c. The issue is an unsafe memcpy() that performs a field-spanning write: it copies a source datagram into a destination structure (struct delayed_datagram_info) whose fixed-size msg member (struct vmci_datagram, 24 bytes) is immediately followed by the flexible array member msg_payload[] intended to hold the payload. The copy length is VMCI_DG_SIZE(dg), that is the 24-byte header plus payload_size, so when payload_size is larger than expected (Syzkaller set it to 32, producing a 56-byte copy) memcpy writes past the end of the msg field and into the adjacent memory. Under FORTIFY_SOURCE this produces the run-time WARNING quoted in the description and indicates a potential buffer overflow condition. The root cause is that a single memcpy copies the entire datagram (header plus payload) through a destination pointer that names only the 24-byte msg field, while the payload can be larger, leading to an overlap and memory corruption. The fix splits the copy into two operations: a direct assignment of the fixed-size msg structure and a separate memcpy of the variable-length payload into msg_payload[], which removes the field-spanning write. Although no exploits are currently reported in the wild, the flaw could be leveraged to cause memory corruption, potentially leading to denial of service or privilege escalation in environments using VMCI, such as virtualized Linux hosts running VMware products. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes, meaning it is present in recent kernel builds prior to the fix.
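The field-spanning memcpy() and the split-copy fix side by side, as an added user-space model that is not the kernel's own code; the struct layouts are simplified assumptions chosen to match the 24-byte header and 56-byte copy quoted in the warning, and the test builds a constructed datagram with a 32-byte payload:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* User-space model of the kernel structures; the 24-byte header layout is
 * an assumption chosen to match the size quoted in the warning. */
struct vmci_handle { uint32_t context; uint32_t resource; };
struct vmci_datagram { struct vmci_handle dst, src; uint64_t payload_size; };
#define VMCI_DG_HEADERSIZE sizeof(struct vmci_datagram)
#define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
struct delayed_datagram_info {
    /* msg and msg_payload must be together. */
    struct vmci_datagram msg;
    uint8_t msg_payload[];
};

/* Before the fix: one memcpy of header + payload aimed at &dg_info->msg, a
 * 24-byte member. The bytes land in msg_payload[] (the allocation covers
 * them), but FORTIFY_SOURCE flags a write larger than the named field. */
struct delayed_datagram_info *queue_unfixed(const struct vmci_datagram *dg)
{
    struct delayed_datagram_info *dg_info = malloc(sizeof(*dg_info) + dg->payload_size);
    if (!dg_info) return NULL;
    memcpy(&dg_info->msg, dg, VMCI_DG_SIZE(dg)); /* field-spanning write */
    return dg_info;
}

/* After the fix: header by struct assignment, payload into its own member. */
struct delayed_datagram_info *queue_fixed(const struct vmci_datagram *dg)
{
    struct delayed_datagram_info *dg_info = malloc(sizeof(*dg_info) + dg->payload_size);
    if (!dg_info) return NULL;
    dg_info->msg = *dg;
    memcpy(dg_info->msg_payload, (const uint8_t *)(dg + 1), dg->payload_size);
    return dg_info;
}

/* Builds the 56-byte datagram from the report (constructed 0xAB payload)
 * and checks that the fixed path reproduces header and payload exactly. */
int fixed_path_preserves_datagram(void)
{
    _Alignas(8) uint8_t buf[VMCI_DG_HEADERSIZE + 32];
    struct vmci_datagram *dg = (struct vmci_datagram *)buf;
    *dg = (struct vmci_datagram){ {1, 2}, {3, 4}, 32 };
    memset(buf + VMCI_DG_HEADERSIZE, 0xAB, 32);
    struct delayed_datagram_info *info = queue_fixed(dg);
    int ok = info && VMCI_DG_SIZE(dg) == 56 &&
             memcmp(&info->msg, dg, VMCI_DG_HEADERSIZE) == 0 &&
             memcmp(info->msg_payload, buf + VMCI_DG_HEADERSIZE, 32) == 0;
    free(info);
    return ok;
}
```

Compiled with a fortified libc or run under the kernel's FORTIFY_SOURCE, only queue_unfixed() would trip the "field-spanning write" check; queue_fixed() stays within each named member.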
Potential Impact
For European organizations, the impact of CVE-2024-35944 depends largely on their use of Linux systems with VMCI enabled, which is common in virtualized environments, especially those leveraging VMware virtualization technology on Linux hosts. Successful exploitation could allow attackers to corrupt kernel memory, potentially leading to system crashes (denial of service) or privilege escalation, compromising the confidentiality, integrity, and availability of critical systems. This is particularly concerning for sectors with high reliance on virtualized infrastructure such as finance, telecommunications, government, and cloud service providers across Europe. The vulnerability could disrupt business operations, lead to data breaches, or enable lateral movement within networks. Given the kernel-level nature of the flaw, the impact could be severe if exploited, affecting the stability and security of virtualized workloads. However, the lack of known exploits and the requirement for local code execution or privileged access to trigger the vulnerability somewhat limits the immediate risk. Nonetheless, the widespread use of Linux in European data centers and enterprises means that unpatched systems remain vulnerable to potential future exploit development.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address this vulnerability by correcting the memcpy() usage in the VMCI datagram handling code. Specifically, kernel maintainers have split the memcpy() into two distinct copies (a struct assignment for msg and a separate copy of the payload) to avoid the field-spanning write. Organizations running VMware virtualization on Linux hosts should ensure their kernel versions include this fix. System administrators should also audit their environments to identify Linux hosts with VMCI enabled (the vmw_vmci driver) and restrict access to those systems to trusted users, minimizing the risk of local exploitation. Kernel hardening such as FORTIFY_SOURCE, stack canaries, and kernel address space layout randomization (KASLR) provides additional layers of defense. Monitoring kernel logs for the "memcpy: detected field-spanning write" WARNING from dg_dispatch_as_host, or for crashes referencing vmci_datagram.c, may help detect attempted exploitation. Finally, organizations should maintain robust vulnerability management processes to track Linux kernel updates and apply security patches promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.133Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe2230
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 8:26:01 AM
Last updated: 8/18/2025, 11:33:01 PM