
CVE-2024-49949: Vulnerability in Linux (Linux kernel)

High
Published: Mon Oct 21 2024 (10/21/2024, 18:02:05 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user"), virtio_net_hdr_to_skb() had a sanity check to detect malicious attempts from user space to cook a bad GSO packet.

Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO"), while fixing one issue, allowed user space to cook a GSO packet with the following characteristics: IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len.

Then the following sets gso_segs to 0:

    gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size);

Then later we set qdisc_skb_cb(skb)->pkt_len back to zero :/

    qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

This leads to the following crash in fq_codel [1].

qdisc_pkt_len_init() is best effort: we only want an estimation of the bytes sent on the wire, not a kernel crash.

This patch fixes this particular issue; a following one adds more sanity checks for another potential bug.
[1]
[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 70.724561] #PF: supervisor read access in kernel mode
[ 70.724561] #PF: error_code(0x0000) - not-present page
[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C ---truncated---

AI-Powered Analysis

Last updated: 06/27/2025, 21:41:31 UTC

Technical Analysis

CVE-2024-49949 is a vulnerability in the Linux kernel's networking subsystem, specifically in the handling of Generic Segmentation Offload (GSO) packets with UDP Fragmentation Offload (UFO). The issue lies in qdisc_pkt_len_init(), which estimates the number of bytes a packet will put on the wire for queuing disciplines. An earlier kernel commit added a sanity check to virtio_net_hdr_to_skb() to reject malformed GSO packets coming from user space; a later commit, while fixing a different bug, again allowed user space to submit a GSO packet of a specific shape: IPv4 SKB_GSO_UDP with gso_size 3 and skb->len of 28 bytes. For such a packet hdr_len (IPv4 header plus UDP header) equals skb->len, so the payload length is zero and gso_segs, computed as DIV_ROUND_UP(skb->len - hdr_len, gso_size), becomes zero. The subsequent update qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len then underflows in unsigned arithmetic and wraps pkt_len back to zero. The fq_codel queuing discipline does not expect a zero pkt_len and dereferences a NULL pointer, producing the kernel oops (a supervisor read access fault) shown above; the result is a denial of service. The trigger is a malformed packet handed to the kernel from user space, i.e. insufficient validation of the inputs to the packet length estimate. The patch adds the missing sanity check so that gso_segs cannot reach zero and pkt_len cannot underflow, and the commit message notes that a follow-up patch adds further checks for a related potential bug. The affected kernel versions are identified upstream by commit hashes; the issue is most relevant to systems using virtio networking and fq_codel. No known exploits are currently reported in the wild.
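The arithmetic described in the commit message and the analysis above, as an added example that is not the kernel's code or the upstream patch: the pre-fix estimate with the kernel's field widths, beside a guarded version whose check is my own and may differ from the exact form used upstream.

```c
/* Added model of the pkt_len estimate in qdisc_pkt_len_init() (net/core/dev.c).
 * Constructed for illustration; not the kernel's code. Field widths follow the
 * kernel: pkt_len and hdr_len are unsigned int, gso_segs is u16. */
#include <stdint.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Pre-fix arithmetic. With skb->len == hdr_len the payload is 0 bytes, so
 * gso_segs becomes 0; (gso_segs - 1) is -1, which converts to 0xFFFFFFFF
 * before the unsigned multiply, and pkt_len wraps back to 0. */
uint32_t pkt_len_vulnerable(uint32_t skb_len, uint32_t hdr_len, uint32_t gso_size)
{
    uint32_t pkt_len = skb_len;            /* qdisc_skb_cb(skb)->pkt_len = skb->len */
    uint16_t gso_segs;

    if (gso_size == 0)                     /* the kernel only estimates for GSO skbs */
        return pkt_len;
    gso_segs = DIV_ROUND_UP(skb_len - hdr_len, gso_size);
    pkt_len += (gso_segs - 1) * hdr_len;   /* wraps when gso_segs == 0 */
    return pkt_len;
}

/* Guarded estimate. The check is an assumption of this example, not necessarily
 * the upstream patch's exact form: a GSO skb with fewer than gso_size payload
 * bytes after its headers yields at most one segment, so no extra header bytes
 * are added and the best-effort estimate simply stays at skb->len. */
uint32_t pkt_len_guarded(uint32_t skb_len, uint32_t hdr_len, uint32_t gso_size)
{
    uint32_t pkt_len = skb_len;
    uint16_t gso_segs;

    if (gso_size == 0 || hdr_len > skb_len || skb_len - hdr_len < gso_size)
        return pkt_len;
    gso_segs = DIV_ROUND_UP(skb_len - hdr_len, gso_size);
    pkt_len += (gso_segs - 1) * hdr_len;   /* gso_segs >= 1 here, no wrap */
    return pkt_len;
}

int main(void)
{
    /* The packet from the description: IPv4 UDP, gso_size=3, skb->len=28, hdr_len=28 */
    printf("vulnerable: %u\n", pkt_len_vulnerable(28, 28, 3));      /* 0 */
    printf("guarded:    %u\n", pkt_len_guarded(28, 28, 3));         /* 28 */
    /* A well-formed GSO skb (constructed): 3000 payload bytes, 1000-byte segments, 28-byte headers */
    printf("normal:     %u\n", pkt_len_vulnerable(3028, 28, 1000)); /* 3084 */
    return 0;
}
```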

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those utilizing virtualized environments with virtio network drivers or relying on fq_codel for traffic shaping. Exploitation can lead to kernel crashes causing denial-of-service (DoS), disrupting critical network services, virtual machines, or containerized workloads. This can impact data center operations, cloud service providers, and enterprises with Linux-based infrastructure. The vulnerability does not appear to allow privilege escalation or remote code execution but can cause service outages and potential operational downtime. Organizations in sectors such as finance, telecommunications, healthcare, and government, which rely heavily on stable Linux networking stacks, could face operational disruptions. The impact is heightened in multi-tenant cloud environments where malicious users might craft packets to disrupt shared infrastructure. However, exploitation requires local user space access to send crafted packets, limiting remote exploitation but still significant in shared or multi-user systems.

Mitigation Recommendations

European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched, ensuring all affected commit hashes are superseded by secure releases. Specifically, kernel updates that include fixes for qdisc_pkt_len_init() and virtio_net_hdr_to_skb() should be applied promptly. For environments using virtual machines with virtio networking, ensure hypervisor and guest OS kernels are both updated. Network administrators should implement strict network segmentation and access controls to limit untrusted user space packet injection, especially in multi-tenant or shared hosting environments. Monitoring kernel logs for signs of fq_codel crashes or oops messages can help detect attempted exploitation. Additionally, consider disabling or restricting the use of UFO and GSO features if not required, as a temporary mitigation. Employing kernel hardening features such as KASLR, kernel lockdown, and seccomp can reduce attack surface. Finally, coordinate with Linux distribution vendors for timely patch deployment and verify kernel versions across all critical infrastructure.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T12:17:06.046Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdceac

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 9:41:31 PM

Last updated: 8/11/2025, 2:23:58 PM

