
CVE-2024-43897: Vulnerability in Linux Linux

Severity: High
Tags: Vulnerability, CVE-2024-43897, cve, cve-2024-43897
Published: Mon Aug 26 2024 (08/26/2024, 10:10:53 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: drop bad gso csum_start and offset in virtio_net_hdr

Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets.

The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation.

Syzkaller demonstrated to reach this warning in skb_checksum_help

    offset = skb_checksum_start_offset(skb);
    ret = -EINVAL;
    if (WARN_ON_ONCE(offset >= skb_headlen(skb)))

By injecting a TSO packet:

    WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0
    ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774
    ip_finish_output_gso net/ipv4/ip_output.c:279 [inline]
    __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301
    iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82
    ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813
    __gre_xmit net/ipv4/ip_gre.c:469 [inline]
    ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661
    __netdev_start_xmit include/linux/netdevice.h:4850 [inline]
    netdev_start_xmit include/linux/netdevice.h:4864 [inline]
    xmit_one net/core/dev.c:3595 [inline]
    dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611
    __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261
    packet_snd net/packet/af_packet.c:3073 [inline]

The geometry of the bad input packet at tcp_gso_segment:

    [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0
    [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244
    [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))
    [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0)

Mitigate with stricter input validation.

csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Leave UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software.

csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload.

GSO packets are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first.

This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests.
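The two validation rules the description contrasts, modelled in userspace C as an added example (this is not the kernel's code): validate_old reproduces the pre-fix check that only requires the checksum field to lie inside the skb linear area, and validate_new adds the gso_type-derived csum_offset check and the requirement that csum_start equals the transport header that segmentation parsing found. The struct hdr_model, its transport_off field and both validate functions are assumptions of this model; the virtio_net_hdr constants and checksum-field offsets are the real values, and the sample packet is constructed from the syzkaller geometry quoted above.

```c
#include <errno.h>
#include <stdint.h>

/* Field values from uapi/linux/virtio_net.h. */
#define VIRTIO_NET_HDR_F_NEEDS_CSUM 1
#define VIRTIO_NET_HDR_GSO_TCPV4    1
#define VIRTIO_NET_HDR_GSO_TCPV6    4
#define VIRTIO_NET_HDR_GSO_UDP_L4   5
#define VIRTIO_NET_HDR_GSO_ECN      0x80
#define TCP_CHECK_OFF 16  /* offsetof(struct tcphdr, check) */
#define UDP_CHECK_OFF  6  /* offsetof(struct udphdr, check) */

/* Header fields plus the skb geometry the check looks at (a model, not the kernel's struct). */
struct hdr_model {
    uint8_t  flags, gso_type;
    uint16_t csum_start, csum_offset;
    uint32_t headlen;        /* skb_headlen(): bytes in the linear area */
    uint32_t transport_off;  /* transport header offset found by segmentation parsing */
};
/* Constructed sample: the syzkaller TSO packet from the commit message
 * (csum start=199 offset=1536, headlen=12093, transport header at 244). */
const struct hdr_model syz_pkt = { VIRTIO_NET_HDR_F_NEEDS_CSUM, VIRTIO_NET_HDR_GSO_TCPV4,
                                   199, 1536, 12093, 244 };

/* Pre-fix rule: the checksum field only has to lie inside the linear area. */
int validate_old(const struct hdr_model *h)
{
    if ((h->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) &&
        (uint32_t)h->csum_start + h->csum_offset + 2 > h->headlen)
        return -EINVAL;
    return 0;
}
/* Tightened rule: for TSO/USO, csum_offset must be the transport protocol's checksum
 * field and csum_start must be the transport header that segmentation parsing found. */
int validate_new(const struct hdr_model *h)
{
    if (validate_old(h))
        return -EINVAL;
    switch (h->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
    case VIRTIO_NET_HDR_GSO_TCPV4:
    case VIRTIO_NET_HDR_GSO_TCPV6:
        if (h->csum_offset != TCP_CHECK_OFF) return -EINVAL;
        break;
    case VIRTIO_NET_HDR_GSO_UDP_L4:
        if (h->csum_offset != UDP_CHECK_OFF) return -EINVAL;
        break;
    default:   /* GSO_NONE and UFO: UFO recomputes the checksum in software anyway */
        return 0;
    }
    return h->csum_start == h->transport_off ? 0 : -EINVAL;
}
```

The syzkaller packet passes validate_old (199 + 1536 + 2 is well inside a 12093-byte linear area) but fails validate_new because 1536 is not the TCP checksum field offset and 199 is not the transport header.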

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 22:27:32 UTC

Technical Analysis

CVE-2024-43897 is a vulnerability identified in the Linux kernel's network stack, specifically in the handling of Generic Segmentation Offload (GSO) packets described by a virtio_net_hdr. The vulnerability arises from insufficient validation of the checksum start (csum_start) and checksum offset (csum_offset) fields when processing GSO packets, particularly those using TCP Segmentation Offload (TSO). The Linux kernel function virtio_net_hdr_to_skb, responsible for converting virtio network headers to socket buffers (skb), previously checked only that a checksum requested with the VIRTIO_NET_HDR_F_NEEDS_CSUM flag lay within the linear portion of the skb. However, for GSO packets this assumption does not hold for the segments produced by segmentation, leading to potential out-of-bounds accesses or warnings triggered in skb_checksum_help. The issue was demonstrated by Syzkaller, a kernel fuzzer, which triggered a WARN_ON_ONCE kernel warning because the checksum start offset exceeded skb_headlen. The vulnerability can be triggered by injecting malformed TSO packets with crafted checksum fields, causing the kernel to process invalid checksum offsets and potentially leading to kernel warnings or crashes. The fix tightens input validation by deducing the correct csum_offset from the gso_type for TSO packets, extending the logic already used for UDP Segmentation Offload (USO) packets. Additionally, the patch avoids adding a new parser by relying on the existing segmentation parsing and the SKB_GSO_DODGY flag to catch bad packets, including those that are hardware offloaded. This approach prevents the acceptance of malformed packets that could cause instability or denial of service. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes and was publicly disclosed on August 26, 2024. No known exploits are reported in the wild at this time.
The vulnerability is significant because it affects the core networking functionality of the Linux kernel, which is widely used in servers, cloud infrastructure, and embedded devices. Improper handling of network packets at this low level can lead to kernel crashes or denial of service, impacting system availability and reliability.

Potential Impact

For European organizations, the impact of CVE-2024-43897 can be substantial, especially for those relying heavily on Linux-based infrastructure for networking, cloud services, and virtualization. The vulnerability lies in the virtio network path, commonly used in virtualized environments such as KVM/QEMU, which are prevalent in data centers and cloud providers across Europe. Exploitation could lead to kernel panics or denial of service conditions, disrupting critical services and applications. This is particularly concerning for sectors like finance, telecommunications, government, and critical infrastructure, where high availability and network reliability are paramount. Additionally, organizations using Linux-based routers, firewalls, or network appliances could experience outages or degraded performance. While no known exploits exist currently, the ease of triggering the vulnerability via crafted network packets suggests that attackers with network access could potentially disrupt systems without requiring authentication. This elevates the risk profile for exposed network-facing Linux hosts. The vulnerability does not directly lead to privilege escalation or data leakage, but it can cause service interruptions, which may have cascading effects on business operations and incident response capabilities.

Mitigation Recommendations

To mitigate CVE-2024-43897, European organizations should:

1. Apply the official Linux kernel patches that address this vulnerability as soon as they become available for their specific distributions and kernel versions.
2. For virtualized environments, ensure that hypervisor and guest kernel versions are updated to include the fix, as virtio_net is commonly used in these contexts.
3. Implement network-level filtering to restrict or monitor suspicious GSO/TSO packet traffic, especially from untrusted or external sources, to reduce exposure to crafted malicious packets.
4. Employ kernel hardening and runtime security tools that can detect and prevent abnormal kernel warnings or crashes related to network packet processing.
5. Conduct thorough testing in staging environments before deploying updates to production to avoid regressions, particularly in environments with heavy network offloading.
6. Maintain robust monitoring and alerting for kernel warnings or crashes that might indicate attempted exploitation.
7. Coordinate with Linux distribution vendors and cloud providers to track patch availability and deployment status.

These steps go beyond generic advice by focusing on virtualization-specific considerations, network traffic controls, and proactive monitoring tailored to the nature of this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-17T09:11:59.291Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9826c4522896dcbe0c07

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/28/2025, 10:27:32 PM

Last updated: 8/4/2025, 1:02:23 AM

