
CVE-2024-40923: Vulnerability in Linux Linux

High
Published: Fri Jul 12 2024 (07/12/2024, 12:25:04 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: disable rx data ring on dma allocation failure

When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base, the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset rq->data_ring.desc_size for the data ring that failed, which presumably causes the hypervisor to reference it on packet reception.

To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell the hypervisor to disable this feature.

[ 95.436876] kernel BUG at net/core/skbuff.c:207!
[ 95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1
[ 95.441558] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
[ 95.443481] RIP: 0010:skb_panic+0x4d/0x4f
[ 95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50 ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9 ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24
[ 95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246
[ 95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f
[ 95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f
[ 95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60
[ 95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000
[ 95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0
[ 95.455682] FS: 0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000
[ 95.457178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0
[ 95.459791] Call Trace:
[ 95.460515] <IRQ>
[ 95.461180] ? __die_body.cold+0x19/0x27
[ 95.462150] ? die+0x2e/0x50
[ 95.462976] ? do_trap+0xca/0x110
[ 95.463973] ? do_error_trap+0x6a/0x90
[ 95.464966] ? skb_panic+0x4d/0x4f
[ 95.465901] ? exc_invalid_op+0x50/0x70
[ 95.466849] ? skb_panic+0x4d/0x4f
[ 95.467718] ? asm_exc_invalid_op+0x1a/0x20
[ 95.468758] ? skb_panic+0x4d/0x4f
[ 95.469655] skb_put.cold+0x10/0x10
[ 95.470573] vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]
[ 95.471853] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]
[ 95.473185] __napi_poll+0x2b/0x160
[ 95.474145] net_rx_action+0x2c6/0x3b0
[ 95.475115] handle_softirqs+0xe7/0x2a0
[ 95.476122] __irq_exit_rcu+0x97/0xb0
[ 95.477109] common_interrupt+0x85/0xa0
[ 95.478102] </IRQ>
[ 95.478846] <TASK>
[ 95.479603] asm_common_interrupt+0x26/0x40
[ 95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20
[ 95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
[ 95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246
[ 95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000
[ 95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001
[ 95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3
[ 95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260
[ 95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000
[ 95.495035] acpi_safe_halt+0x14/0x20
[ 95.496127] acpi_idle_do_entry+0x2f/0x50
[ 95.497221] acpi_idle_enter+0x7f/0xd0
[ 95.498272] cpuidle_enter_state+0x81/0x420
[ 95.499375] cpuidle_enter+0x2d/0x40
[ 95.500400] do_idle+0x1e5/0x240
[ 95.501385] cpu_startup_entry+0x29/0x30
[ 95.502422] start_secondary+0x11c/0x140
[ 95.503454] common_startup_64+0x13e/0x141
[ 95.504466] </TASK>
[ 95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip ---truncated---

AI-Powered Analysis

Last updated: 06/29/2025, 02:11:29 UTC

Technical Analysis

CVE-2024-40923 is a vulnerability in the Linux kernel's vmxnet3 network driver, which is commonly used in virtualized environments, particularly with VMware hypervisors. The issue arises when the function vmxnet3_rq_create() fails to allocate memory for the receive queue's data ring buffer (rq->data_ring.base). In this failure scenario, the subsequent cleanup function vmxnet3_rq_destroy_all_rxdataring() does not reset the descriptor size (rq->data_ring.desc_size) for the failed data ring. This omission causes the hypervisor to continue referencing an invalid or uninitialized data ring during packet reception. The result is a kernel BUG triggered in the network stack (net/core/skbuff.c), leading to an invalid opcode exception and a kernel panic. This effectively causes a denial of service (DoS) by crashing the affected virtual machine or host kernel. The vulnerability is rooted in improper error handling and resource cleanup in the vmxnet3 driver, which is critical for network packet processing in VMware virtual machines. The fix involves explicitly setting rq->data_ring.desc_size to zero upon allocation failure to inform the hypervisor to disable the data ring feature, preventing invalid memory references. The vulnerability affects Linux kernel version 6.9.3 and potentially other versions using the vmxnet3 driver. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet. The vulnerability is significant in virtualized environments where vmxnet3 is deployed, as it can cause unexpected kernel crashes and service interruptions.
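
The cleanup omission described above, as an added user-space model (not the vmxnet3 driver's code). Assumptions of the model: desc_size is already set when allocation is attempted, the pre-fix reset sits inside the "base was allocated" branch, and stale_rings(), run_scenario() and the ring sizes are constructed for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* User-space model only; field names follow the advisory text. */
struct data_ring { unsigned char *base; size_t desc_size; };
struct rx_queue { struct data_ring data_ring; };

/* Models vmxnet3_rq_create(); alloc_ok=false stands in for the DMA allocation failure. */
static int rq_create(struct rx_queue *rq, size_t n, size_t desc_size, bool alloc_ok)
{
    rq->data_ring.desc_size = desc_size;   /* assumption: set before allocating */
    rq->data_ring.base = alloc_ok ? calloc(n, desc_size) : NULL;
    return rq->data_ring.base ? 0 : -1;
}

/* Models vmxnet3_rq_destroy_all_rxdataring() before (fixed=false) and after the fix. */
static void destroy_all_rxdataring(struct rx_queue *rqs, int n, bool fixed)
{
    for (int i = 0; i < n; i++) {
        struct data_ring *dr = &rqs[i].data_ring;
        if (dr->base) {
            free(dr->base);
            dr->base = NULL;
            if (!fixed) dr->desc_size = 0; /* pre-fix: reset only if memory existed */
        }
        if (fixed) dr->desc_size = 0;      /* fix: 0 disables the feature on every queue */
    }
}

/* Counts queues that still advertise a data ring with no memory behind it. */
static int stale_rings(const struct rx_queue *rqs, int n)
{
    int stale = 0;
    for (int i = 0; i < n; i++)
        stale += (!rqs[i].data_ring.base && rqs[i].data_ring.desc_size != 0);
    return stale;
}

/* Queue 0 allocates, queue 1 fails, then all data rings are torn down. */
static int run_scenario(bool fixed)
{
    struct rx_queue rqs[2] = {0};
    rq_create(&rqs[0], 256, 128, true);    /* constructed sizes */
    if (rq_create(&rqs[1], 256, 128, false))
        destroy_all_rxdataring(rqs, 2, fixed);
    return stale_rings(rqs, 2);
}

int main(void) { return (run_scenario(false) == 1 && run_scenario(true) == 0) ? 0 : 1; }
```

In the model, the queue whose allocation failed keeps a non-zero desc_size after the pre-fix cleanup, which is the state the description says the hypervisor presumably acts on; the fixed cleanup leaves every queue at 0.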

Potential Impact

For European organizations, this vulnerability poses a risk primarily to those operating Linux virtual machines on VMware infrastructure using the vmxnet3 network driver. The impact includes potential denial of service conditions caused by kernel panics, which can disrupt critical services, cloud workloads, and virtualized network functions. Organizations relying on VMware-based virtualization for cloud services, data centers, or private clouds may experience instability or outages if this vulnerability is triggered. This could affect sectors such as finance, healthcare, telecommunications, and government services where uptime and data integrity are paramount. Additionally, the vulnerability could be exploited by attackers with the ability to induce memory allocation failures or crafted network traffic, potentially leading to targeted disruption. Although no exploits are currently known, the vulnerability's nature suggests that attackers with local or guest VM access could cause crashes, impacting availability and operational continuity. The integrity and confidentiality of data are less directly impacted, but service availability degradation can have cascading effects on business operations and compliance with European regulations such as GDPR that mandate service reliability and data protection.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, ensuring vmxnet3 driver fixes are included. Specifically, kernel versions post-6.9.3 that incorporate the fix to reset rq->data_ring.desc_size on allocation failure should be deployed. For environments where immediate patching is not feasible, organizations should consider the following mitigations:

1) Monitor vmxnet3 driver logs and kernel messages for signs of memory allocation failures or kernel panics related to network packet processing.
2) Implement strict resource allocation and monitoring policies to reduce the likelihood of memory allocation failures in virtual machines.
3) Restrict and monitor guest VM network traffic to prevent malformed or excessive packets that could trigger the vulnerability.
4) Employ hypervisor-level controls to isolate and limit the impact of a compromised or unstable VM.
5) Engage with VMware and Linux vendor support channels for guidance on backporting patches or applying vendor-specific mitigations.
6) Conduct thorough testing of kernel updates in staging environments before production deployment to avoid service disruptions.

These steps go beyond generic advice by focusing on the specific driver and virtualization context of the vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.582Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe13cb

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 2:11:29 AM

Last updated: 8/3/2025, 6:21:55 AM
