CVE-2024-35973: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

geneve: fix header validation in geneve[6]_xmit_skb

syzbot is able to trigger an uninit-value in geneve_xmit() [1]

Problem: While most ip tunnel helpers (like ip_tunnel_get_dsfield()) use skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol.

If anything other than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all.

If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and the skb linear part could be smaller than expected.

Add skb_vlan_inet_prepare() to perform a complete mac validation.

Use this in geneve for the moment; I suspect we need to adopt this more broadly.

v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest
   - Only call __vlan_get_protocol() for vlan types.
v2,v3 - Addressed Sabrina comments on v1 and v2

[1]
BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]
BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
 geneve_xmit_skb drivers/net/geneve.c:910 [inline]
 geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 netdev_start_xmit include/linux/netdevice.h:4917 [inline]
 xmit_one net/core/dev.c:3531 [inline]
 dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
 __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3081 [inline]
 packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 __sys_sendto+0x685/0x830 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3804 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
 alloc_skb include/linux/skbuff.h:1318 [inline]
 alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
 packet_alloc_skb net/packet/af_packet.c:2930 [inline]
 packet_snd net/packet/af_packet.c:3024 [inline]
 packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 __sys_sendto+0x685/0x830 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
AI Analysis
Technical Summary
CVE-2024-35973 is a medium-severity vulnerability in the Linux kernel's geneve driver (drivers/net/geneve.c), which implements Generic Network Virtualization Encapsulation (GENEVE) tunnels. The defect is missing header validation in geneve_xmit_skb() and its IPv6 counterpart geneve6_xmit_skb(), the functions that encapsulate an outgoing packet.

Root cause. Before encapsulating, the driver called pskb_inet_may_pull() to make sure the inner IP header sits in the skb's linear area. That helper keys its decision on skb->protocol alone: for ETH_P_IP or ETH_P_IPV6 it pulls the matching header length, and for any other value it pulls nothing and reports success. Most other tunnel helpers, ip_tunnel_get_dsfield() among them, instead use skb_protocol(skb, true), which looks through 802.1Q/802.1ad VLAN tags to find the real network-layer protocol. When a caller (an AF_PACKET socket in the syzbot reproducer) hands the driver a VLAN-tagged frame, the two views disagree: pskb_inet_may_pull() sees a VLAN ethertype and validates nothing, while the TOS/TTL inheritance code treats the packet as IPv4 or IPv6 and reads header fields at skb->network_header. That pointer need not be where the inner IP header actually starts, and the linear part may be shorter than an IP header, so the read touches skb memory the allocator never initialized. KMSAN reported this as an uninit-value in geneve_xmit_skb() (drivers/net/geneve.c:910 on 6.9.0-rc1), with the uninitialized bytes originating from the skb allocated in packet_snd().

Fix. The patch adds skb_vlan_inet_prepare(), which resolves the protocol through VLAN tags with __vlan_get_protocol() (only for VLAN ethertypes; calling it unconditionally broke the l2_tos_ttl_inherit.sh selftest in v3 of the patch), computes the MAC header length including the tags, pulls the MAC header plus the inner IP header into the linear area, and sets the network header to the right offset. geneve now uses this helper in place of pskb_inet_may_pull(); the author notes that other tunnel drivers probably need the same treatment.

Exploitability and impact. Sending the triggering frame requires an AF_PACKET socket, i.e. CAP_NET_RAW in the network namespace that owns a geneve interface, plus that interface to transmit on; the CVSS 3.1 assessment accordingly records local access, low attack complexity, low privileges and no user interaction. Note that on hosts that permit unprivileged user namespaces, an unprivileged user can create a user and network namespace in which they hold CAP_NET_RAW and CAP_NET_ADMIN and can set up a geneve device themselves, so "privileges required" is a weaker barrier than it sounds. The recorded impact is availability only: an uninitialized read during transmission that can crash the kernel or produce a malformed encapsulated packet. Confidentiality and integrity are scored as unaffected, though the value read feeds the TOS/TTL/ECN inheritance into the outer header, so treat that rating as a scoring decision rather than a demonstrated absence of any leak. No exploitation in the wild has been reported.
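To make the mismatch concrete, here is an added user-space model of the two validation paths. It is not kernel code: the kernel's own helpers are pskb_inet_may_pull(), skb_vlan_inet_prepare(), __vlan_get_protocol() and ip_tunnel_get_dsfield(), which the functions below only imitate. The skb stand-in, the constructed frames, and the way the "AF_PACKET sender" places skb->protocol and skb->network_header are assumptions made for the example.

```c
/* Model of the geneve header-validation bug behind CVE-2024-35973.
 * Added illustration in user space; names mirror the kernel helpers loosely. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_P_IP     0x0800
#define ETH_P_IPV6   0x86DD
#define ETH_P_8021Q  0x8100
#define ETH_P_8021AD 0x88A8
#define ETH_HLEN     14
#define VLAN_HLEN    4
#define IPV4_HLEN    20   /* sizeof(struct iphdr) */
#define IPV6_HLEN    40   /* sizeof(struct ipv6hdr) */

/* Minimal stand-in for struct sk_buff (assumption for this example): the bytes
 * present in the linear area plus two fields the caller sets and the driver trusts. */
struct skb_model {
    const uint8_t *data;
    size_t len;             /* bytes present in the linear part */
    uint16_t protocol;      /* skb->protocol, as supplied by the caller */
    size_t network_header;  /* offset of skb->network_header */
};

enum { XMIT_REJECTED = -1, XMIT_UNINIT_READ = -2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static bool eth_type_vlan(uint16_t p) { return p == ETH_P_8021Q || p == ETH_P_8021AD; }

/* skb_protocol(skb, true) / __vlan_get_protocol(): look through up to two stacked
 * VLAN tags for the real L3 ethertype and the MAC header length. 0 if a tag is missing. */
static uint16_t resolve_protocol(const struct skb_model *skb, size_t *maclen)
{
    size_t off = ETH_HLEN;
    uint16_t proto = skb->protocol;
    for (int depth = 0; depth < 2 && eth_type_vlan(proto); depth++) {
        if (skb->len < off + VLAN_HLEN)
            return 0;
        proto = be16(skb->data + off + 2);   /* encapsulated ethertype */
        off += VLAN_HLEN;
    }
    *maclen = off;
    return proto;
}

static size_t inet_hlen(uint16_t proto)
{
    return proto == ETH_P_IP ? IPV4_HLEN : proto == ETH_P_IPV6 ? IPV6_HLEN : 0;
}

/* Pre-fix check, after pskb_inet_may_pull(): keyed on skb->protocol only. For a
 * VLAN ethertype nhlen is 0 and the check succeeds without inspecting the frame. */
bool naive_inet_may_pull(const struct skb_model *skb)
{
    return skb->network_header + inet_hlen(skb->protocol) <= skb->len;
}

/* Post-fix check, after skb_vlan_inet_prepare(): resolve through the tags, require
 * MAC header + inner IP header to be present, and move the network header there. */
bool vlan_inet_prepare(struct skb_model *skb)
{
    size_t maclen;
    uint16_t proto = resolve_protocol(skb, &maclen);
    if (proto == 0 || skb->len < maclen + inet_hlen(proto))
        return false;
    skb->network_header = maclen;
    return true;
}

/* After ip_tunnel_get_dsfield(): picks the field by the *resolved* protocol and reads
 * it at skb->network_header. In the kernel a read past the pulled bytes hits
 * uninitialised skb memory (what KMSAN flagged); here it is reported instead. */
int get_inner_dsfield(const struct skb_model *skb)
{
    size_t maclen, nh = skb->network_header;
    uint16_t proto = resolve_protocol(skb, &maclen);
    if (proto == ETH_P_IP) {
        if (nh + 2 > skb->len) return XMIT_UNINIT_READ;
        return skb->data[nh + 1];                        /* iphdr.tos */
    }
    if (proto == ETH_P_IPV6) {
        if (nh + 2 > skb->len) return XMIT_UNINIT_READ;
        return (be16(skb->data + nh) >> 4) & 0xff;       /* traffic class */
    }
    return 0;                                            /* not IP: nothing to inherit */
}

/* The two transmit paths: validation, then TOS inheritance from the inner header. */
int xmit_before_fix(struct skb_model *skb)
{ return naive_inet_may_pull(skb) ? get_inner_dsfield(skb) : XMIT_REJECTED; }
int xmit_after_fix(struct skb_model *skb)
{ return vlan_inet_prepare(skb) ? get_inner_dsfield(skb) : XMIT_REJECTED; }

/* Constructed frames, not captured traffic. The 802.1Q tag (VID 10) announces inner
 * ethertype 0x0800; the first frame has no IPv4 header after the tag at all. */
static const uint8_t kTaggedTruncated[ETH_HLEN + VLAN_HLEN] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x81,0x00,  0x00,0x0a, 0x08,0x00 };
static const uint8_t kTaggedFull[ETH_HLEN + VLAN_HLEN + IPV4_HLEN] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x81,0x00,  0x00,0x0a, 0x08,0x00,
    0x45,0x28, 0x00,0x14, 0x00,0x00, 0x40,0x00, 0x40,0x11, 0x00,0x00,   /* tos = 0x28 */
    0x0a,0,0,0x01, 0x0a,0,0,0x02 };

/* Hands the frame over the way a raw packet sender might: skb->protocol is the outer
 * ethertype, and network_header is wherever that sender chose to put it (assumption). */
struct skb_model make_skb(const uint8_t *data, size_t len, size_t network_header)
{
    struct skb_model skb = { data, len, ETH_P_8021Q, network_header };
    return skb;
}

int main(void)
{
    struct skb_model a = make_skb(kTaggedTruncated, sizeof kTaggedTruncated, ETH_HLEN + VLAN_HLEN);
    struct skb_model b = make_skb(kTaggedFull, sizeof kTaggedFull, ETH_HLEN + VLAN_HLEN);
    struct skb_model c = make_skb(kTaggedFull, sizeof kTaggedFull, ETH_HLEN);
    printf("truncated tagged frame: before=%d after=%d\n", xmit_before_fix(&a), xmit_after_fix(&a));
    printf("complete tagged frame:  before=%d after=%d\n", xmit_before_fix(&b), xmit_after_fix(&b));
    printf("misplaced net header:   before=%d after=%d\n", xmit_before_fix(&c), xmit_after_fix(&c));
    return 0;
}
```

Compile with `cc -std=c99 -Wall -o geneve_model geneve_model.c`. Frame a shows the KMSAN case: the old check passes because the outer ethertype is 0x8100, and the TOS read then lands past the bytes that exist (-2), whereas the new check rejects the frame (-1). Frame c shows the other failure the commit message names: with the network header left at the Ethernet header the old path reads the VLAN TCI byte (0x0a) as the TOS, while the new path relocates the header and reads the real value (0x28).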
Potential Impact
For European organizations, the exposure from CVE-2024-35973 is confined to hosts running a Linux kernel with the geneve driver loaded and a geneve interface configured, which in practice means network-virtualization, cloud and software-defined-networking deployments that encapsulate tenant traffic with GENEVE (Open vSwitch/OVN overlays are a common example). A kernel crash on such a host takes down every overlay tunnel it terminates, so the blast radius is the workloads behind it rather than a single process. Exploitation requires the ability to send raw frames on the affected host, so the realistic attacker is an insider or an already compromised workload, including a container that was granted CAP_NET_RAW, rather than a remote party. Given how widely Linux-based virtual networking is used in European data centers, telecom cores and cloud platforms, finance, telecommunications and public-sector operators with dense overlay networks carry the most availability risk. No confidentiality or integrity impact is recorded, which lowers the data-breach concern, but downtime of shared network infrastructure carries its own financial and reputational cost.
Mitigation Recommendations
To mitigate CVE-2024-35973, European organizations should:

1) Patch. Install the distribution kernel update that carries the upstream fix (the commit titled "geneve: fix header validation in geneve[6]_xmit_skb", which introduces skb_vlan_inet_prepare()). Stable branches receive it through the normal backport process, so check the distribution advisory for the exact package version rather than relying on the mainline release number alone.

2) Inventory exposure. The vulnerable code is only reachable on hosts where the geneve driver is loaded and a geneve interface exists; check with `lsmod | grep geneve` and `ip -d link show type geneve`. Typical users are Open vSwitch/OVN overlays and other SDN or Kubernetes network stacks that encapsulate with GENEVE.

3) Contain the required privilege. Triggering the bug needs an AF_PACKET socket, i.e. CAP_NET_RAW in the network namespace that owns the interface. Drop CAP_NET_RAW from containers that do not need it (container runtimes commonly grant it by default) and, on hosts that terminate tunnels and also run untrusted code, restrict unprivileged user namespaces (for example `sysctl user.max_user_namespaces=0`, or the distribution-specific `kernel.unprivileged_userns_clone=0` where it exists), since an unprivileged user can otherwise obtain CAP_NET_RAW and CAP_NET_ADMIN inside a namespace they create.

4) Remove the module where it is not needed: a line such as `install geneve /bin/false` in a file under /etc/modprobe.d/ prevents it from being autoloaded when a geneve link is requested, and shrinks the attack surface on hosts that never terminate GENEVE tunnels.

5) Detect on the host, not on the wire. The malicious input is a local sendto() on a packet socket on the sending host, so network IDS/IPS sees at most a malformed encapsulated packet after the fact and cannot be relied on to catch attempts. Audit creation of AF_PACKET sockets by unexpected processes (an auditd rule on the socket syscall with domain AF_PACKET, for example `-a always,exit -F arch=b64 -S socket -F a0=17 -k af_packet`) and watch kernel logs and crash dumps for oopses or warnings in geneve_xmit.

6) Use sanitizer kernels only for testing. KMSAN, which found this bug, and KASAN are debugging instrumentation with large overhead, not production hardening; run them in fuzzing and CI kernels to catch similar header-validation bugs in custom or out-of-tree drivers before deployment.

7) Keep tunnel endpoints segmented: limit which hosts and users can reach systems that terminate GENEVE tunnels, so that a compromise elsewhere does not automatically put the availability of the overlay at risk.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.142Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbddcd1
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 3:27:01 AM
Last updated: 8/15/2025, 4:22:54 AM
Related Threats
- CVE-2025-9019: Heap-based Buffer Overflow in tcpreplay (Low)
- CVE-2025-9017: Cross Site Scripting in PHPGurukul Zoo Management System (Medium)
- CVE-2025-9051: SQL Injection in projectworlds Travel Management System (Medium)
- CVE-2025-1929: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Risk Yazılım Teknolojileri Ltd. Şti. Reel Sektör Hazine ve Risk Yönetimi Yazılımı (High)
- CVE-2025-54475: CWE-89: Improper Neutralization of Special Elements used in an SQL Command in joomsky.com JS Jobs component for Joomla (High)