CVE-2024-36927: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv4: Fix uninit-value access in __ip_make_skb()

KMSAN reported uninit-value access in __ip_make_skb() [1].

__ip_make_skb() tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL while __ip_make_skb() is running, the function will access icmphdr in the skb even if it is not included. This causes the issue reported by KMSAN.

Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL on the socket.

Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These are union in struct flowi4 and are implicitly initialized by flowi4_init_output(), but we should not rely on specific union layout. Initialize these explicitly in raw_sendmsg().

[1]
BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
 __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
 ip_finish_skb include/net/ip.h:243 [inline]
 ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
 raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
 inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x274/0x3c0 net/socket.c:745
 __sys_sendto+0x62c/0x7b0 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x130/0x200 net/socket.c:2199
 do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3804 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
 __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
 alloc_skb include/linux/skbuff.h:1318 [inline]
 __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
 ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
 raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
 inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x274/0x3c0 net/socket.c:745
 __sys_sendto+0x62c/0x7b0 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x130/0x200 net/socket.c:2199
 do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
AI Analysis
Technical Summary
CVE-2024-36927 is a vulnerability identified in the Linux kernel's IPv4 networking stack, specifically within the __ip_make_skb() function responsible for constructing socket buffers (skbs) for IP packets. The flaw arises due to an uninitialized value access caused by a race condition involving the IP_HDRINCL socket option. IP_HDRINCL allows user-space applications to provide their own IP headers for raw sockets. The vulnerability occurs because __ip_make_skb() checks the HDRINCL flag to determine if the skb contains an ICMP header (icmphdr). However, if setsockopt(2) is called concurrently to change the IP_HDRINCL option, a race condition can cause __ip_make_skb() to access the icmphdr field even when it is not present, leading to uninitialized memory access. Additionally, the fields fl4_icmp_type and fl4_icmp_code within the flowi4 union are not explicitly initialized, which can cause unpredictable behavior since their initialization relies on union layout assumptions. The Linux kernel developers addressed this by changing the check to use FLOWI_FLAG_KNOWN_NH on the flowi4_flags instead of the HDRINCL socket flag and explicitly initializing the icmp_type and icmp_code fields in raw_sendmsg(). This vulnerability was detected by Kernel Memory Sanitizer (KMSAN) and reported with detailed kernel stack traces. It affects multiple Linux kernel versions as indicated by the affected commit hashes. Although no known exploits are currently reported in the wild, the flaw could potentially be triggered by local or remote attackers capable of sending crafted raw IP packets or manipulating socket options concurrently. The vulnerability impacts the core networking code, which is critical for all Linux-based systems handling IPv4 traffic.
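As an added illustration (not code from the kernel, the fix commit, or this advisory), the following user-space C model shows the two shapes of the check described above: the vulnerable shape re-reads the socket's HDRINCL bit at use time, while the fixed shape consults the FLOWI_FLAG_KNOWN_NH snapshot kept in the per-call flowi4, alongside the explicitly initialised fl4_icmp_type and fl4_icmp_code. Every structure, the flag value, the outcome codes and the raw_sendmsg_model() helper are simplified stand-ins chosen for the model rather than the kernel's definitions, and the concurrent setsockopt(2) is injected deterministically instead of racing a second thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified user-space model of the bug pattern behind CVE-2024-36927.
 * Not kernel code: kernel identifiers are reused as labels only, and the
 * constants below are chosen for the model, not copied from Linux.
 * Lesson: a decision made while building a buffer must travel in per-call
 * state; re-deriving it later from shared socket state that another thread
 * can change in between is a race.
 */

#define FLOWI_FLAG_KNOWN_NH 0x02u  /* model value, not the kernel's */
#define ICMP_ECHO           8      /* ICMP echo request type */

struct raw_sock {
    bool hdrincl;                  /* shared; setsockopt(IP_HDRINCL) flips it */
};

struct flowi4 {                    /* per-call route key, private to one send */
    unsigned flowi4_flags;
    uint8_t  fl4_icmp_type;
    uint8_t  fl4_icmp_code;
};

struct skb {
    bool    has_icmphdr;           /* did the sender actually write an ICMP header? */
    uint8_t icmp_type;             /* meaningful only when has_icmphdr is true */
};

enum { MAKE_SKB_OK = 0, MAKE_SKB_UNINIT_READ = -1 };

/* Vulnerable shape: re-reads the shared socket flag at use time. */
static int make_skb_vulnerable(const struct raw_sock *sk, const struct skb *skb,
                               uint8_t *type_out)
{
    if (!sk->hdrincl) {            /* "no HDRINCL, so the skb must carry an icmphdr" */
        if (!skb->has_icmphdr)
            return MAKE_SKB_UNINIT_READ;  /* kernel would read bytes nobody wrote */
        if (type_out)
            *type_out = skb->icmp_type;
    }
    return MAKE_SKB_OK;
}

/* Fixed shape: consults the snapshot taken when the skb was built. */
static int make_skb_fixed(const struct flowi4 *fl4, const struct skb *skb,
                          uint8_t *type_out)
{
    if (!(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH)) {
        if (!skb->has_icmphdr)
            return MAKE_SKB_UNINIT_READ;  /* unreachable: flags and skb set together */
        if (type_out)
            *type_out = skb->icmp_type;
    }
    return MAKE_SKB_OK;
}

/*
 * One send on a raw ICMP socket.  hdrincl_at_start is the option value when
 * the send begins; flip_midway injects a concurrent setsockopt(IP_HDRINCL)
 * between building the skb and finishing it.  Returns the outcome of the
 * chosen __ip_make_skb() model; type_out (may be NULL) receives the ICMP
 * type that was counted when an ICMP header was present.
 */
static int raw_sendmsg_model(bool hdrincl_at_start, bool flip_midway,
                             bool use_fixed, uint8_t *type_out)
{
    struct raw_sock sk = { .hdrincl = hdrincl_at_start };
    struct flowi4 fl4;
    struct skb skb;
    bool hdrincl = sk.hdrincl;     /* read once at the start of the send */

    memset(&fl4, 0, sizeof fl4);
    fl4.flowi4_flags = hdrincl ? FLOWI_FLAG_KNOWN_NH : 0;
    fl4.fl4_icmp_type = 0;         /* explicit, as the fix adds; not left to union layout */
    fl4.fl4_icmp_code = 0;

    /* Build the skb consistently with that snapshot: without HDRINCL the
     * payload starts with an ICMP header the caller supplied. */
    skb.has_icmphdr = !hdrincl;
    skb.icmp_type = 0;             /* placeholder; only read when has_icmphdr */
    if (skb.has_icmphdr) {
        skb.icmp_type = ICMP_ECHO;
        fl4.fl4_icmp_type = skb.icmp_type;
    }

    if (flip_midway)
        sk.hdrincl = !sk.hdrincl;  /* the racing setsockopt(2) from another thread */

    return use_fixed ? make_skb_fixed(&fl4, &skb, type_out)
                     : make_skb_vulnerable(&sk, &skb, type_out);
}

int main(void)
{
    uint8_t t = 0;
    printf("vulnerable, HDRINCL changed mid-send: %d\n",
           raw_sendmsg_model(true, true, false, &t));     /* -1: uninitialised read */
    printf("fixed,      HDRINCL changed mid-send: %d\n",
           raw_sendmsg_model(true, true, true, &t));      /* 0 */
    printf("fixed,      no race: %d (ICMP type %u counted)\n",
           raw_sendmsg_model(false, false, true, &t), (unsigned)t); /* 0 (type 8) */
    return 0;
}
```

The vulnerable path in this model is only reached through a raw socket, which on Linux requires CAP_NET_RAW (or root) to open; that is why the mitigation advice below centres on limiting which users and processes may create raw sockets or change IP_HDRINCL.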
Potential Impact
For European organizations, the impact of CVE-2024-36927 could be significant, especially for those relying on Linux servers for network infrastructure, cloud services, or embedded systems. Exploitation could lead to kernel memory corruption, causing system instability, crashes (denial of service), or potentially enabling privilege escalation if combined with other vulnerabilities. This could disrupt critical services such as web hosting, VPN gateways, or network appliances. Given the widespread use of Linux in European data centers, telecommunications, and industrial control systems, the vulnerability poses a risk to confidentiality, integrity, and availability of network communications. Attackers exploiting this flaw might gain unauthorized access or cause service outages, impacting business continuity and regulatory compliance (e.g., GDPR). The lack of known exploits reduces immediate risk, but the vulnerability's presence in the kernel networking stack makes it a high-value target for attackers aiming to compromise Linux-based infrastructure.
Mitigation Recommendations
European organizations should prioritize patching Linux kernel versions affected by CVE-2024-36927 as soon as vendor updates become available. Until patches are deployed, organizations can mitigate risk by restricting the use of raw sockets and the IP_HDRINCL option to trusted users and processes only, minimizing the attack surface. Network segmentation and strict firewall rules should limit exposure of vulnerable systems to untrusted networks. Monitoring kernel logs for unusual raw socket activity or socket option changes can help detect exploitation attempts. Employing kernel memory sanitizers and runtime security tools may provide early detection of anomalous behavior. For embedded or specialized Linux systems where immediate patching is difficult, consider disabling unnecessary raw socket functionality or applying vendor-specific mitigations. Coordinating with Linux distribution maintainers and security teams to track patch releases and testing updates in staging environments before production deployment is essential for minimizing operational disruption.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.069Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbddd64
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 7/4/2025, 2:44:23 AM
Last updated: 8/5/2025, 12:36:19 PM
Related Threats
- CVE-2025-8293: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Theerawat Patthawee Intl DateTime Calendar (Medium)
- CVE-2025-7686: CWE-352 Cross-Site Request Forgery (CSRF) in lmyoaoa weichuncai(WP伪春菜) (Medium)
- CVE-2025-7684: CWE-352 Cross-Site Request Forgery (CSRF) in remysharp Last.fm Recent Album Artwork (Medium)
- CVE-2025-7683: CWE-352 Cross-Site Request Forgery (CSRF) in janyksteenbeek LatestCheckins (Medium)
- CVE-2025-7668: CWE-352 Cross-Site Request Forgery (CSRF) in timothyja Linux Promotional Plugin (Medium)