
CVE-2024-49978: Vulnerability in the Linux kernel

Severity: High
Published: Mon Oct 21 2024 (10/21/2024, 18:02:25 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

gso: fix udp gso fraglist segmentation after pull from frag_list

Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest.

Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment.

AI-Powered Analysis

Last updated: 06/28/2025, 15:42:52 UTC

Technical Analysis

CVE-2024-49978 is a vulnerability identified in the Linux kernel's handling of UDP Generic Segmentation Offload (GSO) fraglist packets. The issue arises from improper segmentation of UDP GSO fraglist skbs (socket buffers) after modifications by optional datapath hooks such as NAT or BPF programs that invoke bpf_skb_pull_data. These hooks can alter the skb structure, breaking the expected invariants of the GSO fraglist skbs. Specifically, valid SKB_GSO_FRAGLIST skbs are expected to have two or more segments, with the head_skb containing protocol headers plus the first gso_size segment, and subsequent frag_list skbs each holding exactly one segment. When these invariants are violated, for example by pulling all data into the skb linear area, the kernel's segmentation logic can encounter corrupted skb geometry. This leads to a NULL pointer dereference in the function __udpv4_gso_segment_list_csum when it attempts to access the destination field of the UDP header in a next segment that does not exist or is malformed. The patch addresses this by detecting invalid skb geometry caused by such pulls, and instead of dropping the packet (which could cause blackholing of traffic), it converts the skb to a form that can be processed by the regular skb_segment function, which can handle these cases correctly. This fix prevents kernel crashes due to NULL pointer dereferences triggered by malformed UDP GSO fraglist packets after datapath modifications. The vulnerability affects Linux kernel versions identified by the commit hash 9fd1ff5d2ac7181844735806b0a703c942365291 and was published on October 21, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
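As an added illustration (not the page's or the kernel's code), a user-space C model of the fraglist geometry invariants quoted in the description and of the dispatch the fix introduces: the list segmenter is used only while the geometry is intact, and a pull that linearizes everything sends the skb to the generic segmenter instead of dropping it. The struct fields, function names and the 1200/1200/700-byte sample are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed user-space model (not the kernel's struct sk_buff). */
struct skb {
    size_t data_len;        /* payload bytes in this skb's linear area */
    size_t gso_size;        /* bytes per segment; set on the head skb only */
    struct skb *frag_list;  /* first skb of the frag_list chain, or NULL */
    struct skb *next;       /* next skb within the frag_list chain */
};
enum segmenter { SEGMENT_LIST, SEGMENT_GENERIC };

/* Invariants from the commit message: two or more segments, head holds exactly
 * the first gso_size, each frag_list skb one segment, all but the last gso_size. */
bool fraglist_geometry_valid(const struct skb *head)
{
    if (head->gso_size == 0 || head->data_len != head->gso_size)
        return false;                   /* head must hold one full segment */
    if (!head->frag_list)
        return false;                   /* one segment is not a fraglist */
    for (const struct skb *s = head->frag_list; s; s = s->next)
        if (s->next ? s->data_len != head->gso_size              /* not last: exact */
                    : s->data_len == 0 || s->data_len > head->gso_size) /* last */
            return false;
    return true;
}

/* Dispatch as the fix does: list segmenter only while geometry is intact;
 * otherwise fall back to the generic segmenter rather than dropping. */
enum segmenter choose_segmenter(const struct skb *head)
{
    return fraglist_geometry_valid(head) ? SEGMENT_LIST : SEGMENT_GENERIC;
}

/* Models a hook such as bpf_skb_pull_data pulling all data into the head. */
void pull_all_into_linear(struct skb *head)
{
    for (struct skb *s = head->frag_list; s; s = s->next)
        head->data_len += s->data_len;
    head->frag_list = NULL;
}

/* Constructed sample: 1200 + 1200 + 700 payload bytes with gso_size 1200. */
struct skb *build_sample(void)
{
    static struct skb s[3];
    s[2] = (struct skb){ .data_len = 700 };
    s[1] = (struct skb){ .data_len = 1200, .next = &s[2] };
    s[0] = (struct skb){ .data_len = 1200, .gso_size = 1200, .frag_list = &s[1] };
    return &s[0];
}
```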

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with UDP GSO enabled and using datapath features such as NAT or BPF programs that manipulate skb data. The impact is a potential denial of service (DoS) caused by kernel crashes due to NULL pointer dereferences when processing malformed UDP packets. Such crashes can disrupt network services, affecting availability of critical infrastructure, servers, or network appliances. Since Linux is widely deployed in European data centers, cloud environments, and embedded systems, the vulnerability could impact a broad range of sectors including telecommunications, finance, government, and industrial control systems. Although no remote code execution or privilege escalation is indicated, the DoS impact on network-facing systems could be leveraged by attackers to degrade service or cause outages. The risk is heightened in environments with complex network datapaths using NAT or BPF hooks, common in modern containerized or virtualized deployments. The lack of known exploits suggests limited immediate threat, but the vulnerability should be addressed promptly to prevent future exploitation attempts.

Mitigation Recommendations

European organizations should prioritize patching affected Linux kernel versions as soon as updates become available from their Linux distribution vendors. In the interim, administrators can mitigate risk by auditing and limiting the use of datapath hooks such as BPF programs or NAT configurations that modify skb data, especially those that invoke bpf_skb_pull_data. Network segmentation and filtering can reduce exposure to malformed UDP packets from untrusted sources. Monitoring kernel logs for crashes or anomalies related to UDP GSO processing can help detect exploitation attempts. For environments using custom or backported kernels, recompiling with the patch or disabling UDP GSO offloading where feasible can mitigate the issue. Additionally, organizations should review and test their network datapath configurations to ensure they do not inadvertently trigger skb geometry corruption. Coordinating with Linux distribution maintainers to obtain timely patches and applying them in test environments before production deployment is recommended to avoid service disruptions.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T12:17:06.052Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdfbcf

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 3:42:52 PM

Last updated: 8/1/2025, 4:33:34 AM
