CVE-2024-46763: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) </IRQ> do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---
AI Analysis
Technical Summary
CVE-2024-46763 is a vulnerability identified in the Linux kernel's handling of the FOU (Foo-over-UDP) protocol, specifically within the Generic Receive Offload (GRO) processing path. The flaw is a null pointer dereference occurring in the fou_gro_receive() function. This happens during the shutdown of a host or teardown of a UDP tunnel socket, where the sk->sk_user_data pointer is set to NULL by udp_tunnel_sock_release() but the socket may still be referenced by in-flight packets processed by udp4_gro_receive(). The dereference of this NULL pointer leads to a kernel crash (NULL pointer dereference), causing a denial of service (DoS) condition. The vulnerability arises because the kernel does not properly check for NULL before accessing sk_user_data in the FOU GRO handlers. The patch involves using rcu_dereference_sk_user_data() and adding NULL checks to prevent this dereference. The issue was observed on Linux kernel version 5.10.216-204 and likely affects other versions with similar code. The vulnerability does not appear to have known exploits in the wild yet and no CVSS score has been assigned. The root cause is a race condition between socket teardown and packet processing in the UDP tunneling code, which can be triggered during network namespace dismantling or explicit tunnel shutdown.
Potential Impact
For European organizations, this vulnerability primarily poses a risk of denial of service on Linux systems that utilize the FOU protocol or UDP tunneling features, especially in environments that use network namespaces or containerized workloads where tunnels are frequently created and destroyed. A successful exploitation would cause kernel crashes leading to system reboots or service interruptions. This can impact critical infrastructure, cloud services, and enterprise servers running Linux kernels vulnerable to this flaw. While it does not directly lead to privilege escalation or remote code execution, the resulting instability can disrupt business operations, degrade availability of network services, and potentially cause cascading failures in dependent systems. Organizations relying on Linux-based network appliances, cloud instances, or container orchestration platforms are particularly at risk. The lack of known exploits reduces immediate threat but patching is essential to prevent potential DoS attacks by malicious actors or accidental triggers during normal operations.
Mitigation Recommendations
To mitigate this vulnerability, organizations should: 1) Apply the latest Linux kernel patches that address CVE-2024-46763 as soon as they become available from their Linux distribution vendors. 2) If immediate patching is not possible, consider disabling the FOU protocol or UDP tunneling features if they are not in use, to reduce the attack surface. 3) Monitor kernel logs for signs of fou_gro_receive() related crashes or kernel oops messages indicating null pointer dereferences. 4) In containerized or virtualized environments, carefully manage network namespace lifecycles to avoid abrupt tunnel teardowns during high traffic periods. 5) Employ kernel crash dump analysis tools to quickly diagnose and respond to any incidents caused by this vulnerability. 6) Coordinate with cloud service providers to ensure underlying infrastructure is patched if using managed Linux instances. These steps go beyond generic advice by focusing on the specific protocol and kernel subsystem involved and operational practices to minimize exposure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy
CVE-2024-46763: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) </IRQ> do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-46763 is a vulnerability identified in the Linux kernel's handling of the FOU (Foo-over-UDP) protocol, specifically within the Generic Receive Offload (GRO) processing path. The flaw is a null pointer dereference occurring in the fou_gro_receive() function. This happens during the shutdown of a host or teardown of a UDP tunnel socket, where the sk->sk_user_data pointer is set to NULL by udp_tunnel_sock_release() but the socket may still be referenced by in-flight packets processed by udp4_gro_receive(). The dereference of this NULL pointer leads to a kernel crash (NULL pointer dereference), causing a denial of service (DoS) condition. The vulnerability arises because the kernel does not properly check for NULL before accessing sk_user_data in the FOU GRO handlers. The patch involves using rcu_dereference_sk_user_data() and adding NULL checks to prevent this dereference. The issue was observed on Linux kernel version 5.10.216-204 and likely affects other versions with similar code. The vulnerability does not appear to have known exploits in the wild yet and no CVSS score has been assigned. The root cause is a race condition between socket teardown and packet processing in the UDP tunneling code, which can be triggered during network namespace dismantling or explicit tunnel shutdown.
Potential Impact
For European organizations, this vulnerability primarily poses a risk of denial of service on Linux systems that utilize the FOU protocol or UDP tunneling features, especially in environments that use network namespaces or containerized workloads where tunnels are frequently created and destroyed. A successful exploitation would cause kernel crashes leading to system reboots or service interruptions. This can impact critical infrastructure, cloud services, and enterprise servers running Linux kernels vulnerable to this flaw. While it does not directly lead to privilege escalation or remote code execution, the resulting instability can disrupt business operations, degrade availability of network services, and potentially cause cascading failures in dependent systems. Organizations relying on Linux-based network appliances, cloud instances, or container orchestration platforms are particularly at risk. The lack of known exploits reduces immediate threat but patching is essential to prevent potential DoS attacks by malicious actors or accidental triggers during normal operations.
Mitigation Recommendations
To mitigate this vulnerability, organizations should: 1) Apply the latest Linux kernel patches that address CVE-2024-46763 as soon as they become available from their Linux distribution vendors. 2) If immediate patching is not possible, consider disabling the FOU protocol or UDP tunneling features if they are not in use, to reduce the attack surface. 3) Monitor kernel logs for signs of fou_gro_receive() related crashes or kernel oops messages indicating null pointer dereferences. 4) In containerized or virtualized environments, carefully manage network namespace lifecycles to avoid abrupt tunnel teardowns during high traffic periods. 5) Employ kernel crash dump analysis tools to quickly diagnose and respond to any incidents caused by this vulnerability. 6) Coordinate with cloud service providers to ensure underlying infrastructure is patched if using managed Linux instances. These steps go beyond generic advice by focusing on the specific protocol and kernel subsystem involved and operational practices to minimize exposure.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-09-11T15:12:18.272Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9826c4522896dcbe1200
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/29/2025, 1:25:24 AM
Last updated: 8/18/2025, 8:41:30 AM
Views: 13
Related Threats
CVE-2025-9169: Cross Site Scripting in SolidInvoice
MediumCVE-2025-9168: Cross Site Scripting in SolidInvoice
MediumCVE-2025-8364: Address bar spoofing using an blob URI on Firefox for Android in Mozilla Firefox
HighCVE-2025-8042: Sandboxed iframe could start downloads in Mozilla Firefox
HighCVE-2025-8041: Incorrect URL truncation in Firefox for Android in Mozilla Firefox
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.