CVE-2024-50045: Vulnerability in the Linux kernel
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: fix panic with metadata_dst skb

Fix a kernel panic in the br_netfilter module when sending untagged traffic via a VxLAN device. This happens during the check for fragmentation in br_nf_dev_queue_xmit. It is dependent on:
1) the br_netfilter module being loaded;
2) net.bridge.bridge-nf-call-iptables set to 1;
3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;
4) untagged frames with size higher than the VxLAN MTU forwarded/flooded.

When forwarding the untagged packet to the VxLAN bridge port, before the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL. Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check for frames that need to be fragmented: frames with higher MTU than the VxLAN device end up calling br_nf_ip_fragment, which in turn calls ip_skb_dst_mtu. The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst with valid dst->dev, thus the crash. This case was never supported in the first place, so drop the packet instead.

PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.
[ 176.291791] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000110
[ 176.292101] Mem abort info:
[ 176.292184] ESR = 0x0000000096000004
[ 176.292322] EC = 0x25: DABT (current EL), IL = 32 bits
[ 176.292530] SET = 0, FnV = 0
[ 176.292709] EA = 0, S1PTW = 0
[ 176.292862] FSC = 0x04: level 0 translation fault
[ 176.293013] Data abort info:
[ 176.293104] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 176.293488] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 176.293787] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000
[ 176.294166] [0000000000000110] pgd=0000000000000000, p4d=0000000000000000
[ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth br_netfilter bridge stp llc ipv6 crct10dif_ce
[ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted 6.8.0-rc3-g5b3fbd61b9d1 #2
[ 176.296314] Hardware name: linux,dummy-virt (DT)
[ 176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]
[ 176.297636] sp : ffff800080003630
[ 176.297743] x29: ffff800080003630 x28: 0000000000000008 x27: ffff6828c49ad9f8
[ 176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24: 00000000000003e8
[ 176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21: ffff6828c3b16d28
[ 176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18: 0000000000000014
[ 176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15: 0000000095744632
[ 176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12: ffffb7e137926a70
[ 176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 : 0000000000000000
[ 176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 : f20e0100bebafeca
[ 176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 : 0000000000000000
[ 176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 : ffff6828c7f918f0
[ 176.300889] Call trace:
[ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]
[ 176.301703] nf_hook_slow+0x48/0x124
[ 176.302060] br_forward_finish+0xc8/0xe8 [bridge]
[ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter]
[ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter]
[ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]
[ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter]
[ 176.303359] nf_hook_slow+0x48/0x124
[ 176.303 ---truncated---
AI Analysis
Technical Summary
CVE-2024-50045 is a vulnerability in the Linux kernel's netfilter subsystem, specifically in the br_netfilter module, which applies netfilter hooks to bridged traffic. The issue arises when untagged traffic is forwarded to a VxLAN (Virtual Extensible LAN) device that is a port of a network bridge. It is triggered only under a specific set of conditions: the br_netfilter module must be loaded, the sysctl parameter net.bridge.bridge-nf-call-iptables must be set to 1, a bridge must include a VxLAN netdevice as a bridge port, and untagged frames larger than the VxLAN MTU must be forwarded or flooded.

When these conditions are met, br_handle_egress_vlan_tunnel is called before the netfilter hooks and replaces the skb_dst (socket buffer destination) with a tunnel destination of metadata type. A metadata destination has no valid device pointer (dst->dev is NULL), and this case was not handled. During the fragmentation check in br_nf_dev_queue_xmit, the kernel calls ip_skb_dst_mtu, which assumes skb_dst is a valid routing dst and dereferences dst->dev, causing a NULL pointer dereference and a kernel panic. The result is a denial of service (DoS), since the kernel crashes.

The vulnerability is rooted in unsupported behavior: forwarding untagged packets larger than the VxLAN MTU through the bridge was never a supported case. The fix drops such packets instead of attempting to fragment them, which prevents the panic. No exploits in the wild are known at this time. Affected Linux kernel versions are identified by the commit hash 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd and similar builds. The issue is specific to network configurations that combine VxLAN bridging with netfilter enabled for iptables processing.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments using Linux-based network infrastructure with advanced bridging and tunneling configurations, such as data centers, cloud providers, and enterprises deploying VxLAN for network virtualization. A successful trigger of this vulnerability causes a kernel panic, resulting in system crashes and denial of service. This can disrupt critical network services, impacting availability of applications, virtual machines, or containerized workloads relying on these Linux hosts. Organizations using Linux as routers, firewalls, or network bridges with netfilter enabled and VxLAN bridging are particularly at risk. The impact is heightened in environments where high availability is critical, such as financial institutions, telecommunications, and public sector infrastructure. Although exploitation requires specific network configurations and conditions, the widespread use of Linux in European IT infrastructure means that many organizations could be affected if they use these features. The lack of known exploits reduces immediate risk, but the vulnerability's nature means attackers could cause service outages or disrupt network connectivity if exploited.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Immediately update Linux kernel versions to the patched releases that address CVE-2024-50045. Monitor vendor advisories for the distributions in use (e.g., Debian, Ubuntu, Red Hat, SUSE) to apply official patches.
2) Audit network configurations to identify bridges with VxLAN devices as ports and verify whether net.bridge.bridge-nf-call-iptables is enabled. If possible, temporarily disable this sysctl setting or unload the br_netfilter module until patches are applied.
3) Implement network segmentation and traffic filtering to prevent untagged packets larger than the VxLAN MTU from reaching vulnerable bridge ports, reducing the attack surface.
4) Monitor kernel logs for br_netfilter oopses or panics (the trace above shows br_nf_dev_queue_xmit at the top of the call stack) to detect potential exploitation attempts.
5) For critical systems, consider deploying redundancy and failover mechanisms to mitigate the impact of potential kernel panics.
6) Engage with Linux distribution security teams and maintain awareness of further updates or related vulnerabilities in the netfilter and VxLAN subsystems.
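A host-side check for the audit in step 2, added here as an example; it is not code from the kernel tree or from the advisory. It reports whether the three preconditions that are visible from userspace hold on a host: br_netfilter loaded, net.bridge.bridge-nf-call-iptables set to 1, and at least one vxlan device enslaved to a bridge. The fourth precondition (untagged frames above the VxLAN MTU actually being forwarded or flooded) depends on traffic and is not something a static check can decide. The parsing of `ip -d -o link show` output is a heuristic that assumes the bridge port shows up as `master <bridge>` and the vxlan detail as a ` vxlan ` token on the same joined line; the sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit helper for CVE-2024-50045 preconditions (added example, not kernel or
# advisory code). Run with --live to inspect the current host; without
# arguments it runs against the constructed sample below.

# Constructed sample of `ip -d -o link show` output (not from a real host).
# With -o, iproute2 joins each link's detail lines onto one line with backslashes.
# vxlan0 is a bridge port of br0 in external (collect-metadata) mode,
# vxlan1 is a standalone vxlan device, veth0 is a non-vxlan bridge port.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 \    bridge forward_delay 1500 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0
3: vxlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master br0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 \    vxlan external ttl auto ageing 300 udpcsum \    bridge_slave state forwarding priority 32 cost 100
4: vxlan1: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 \    vxlan id 100 remote 192.0.2.1 dev eth0 srcport 0 0 dstport 4789 ttl auto ageing 300
5: veth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:04 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 \    veth \    bridge_slave state forwarding priority 32 cost 2'

# vxlan_bridge_ports: read `ip -d -o link show` output on stdin and print the
# name of every link that is both a vxlan device and a bridge port.
# Heuristic: a bridge port carries "master <bridge>", a vxlan device carries
# a " vxlan " detail token on the same joined line.
vxlan_bridge_ports() {
    awk '/ master / && / vxlan / {
            name = $2
            sub(/:$/, "", name)    # "vxlan0:"   -> "vxlan0"
            sub(/@.*/, "", name)   # "veth0@if6" -> "veth0"
            print name
        }'
}

# assess_exposure: combine the userspace-visible preconditions.
#   $1 = "1" if br_netfilter is loaded, "0" otherwise
#   $2 = current value of net.bridge.bridge-nf-call-iptables
#   $3 = newline-separated vxlan bridge port names (empty if none)
# Prints a one-line verdict; returns 0 only when all three hold.
assess_exposure() {
    loaded=$1
    call_iptables=$2
    ports=$3
    if [ "$loaded" = "1" ] && [ "$call_iptables" = "1" ] && [ -n "$ports" ]; then
        printf 'EXPOSED: br_netfilter loaded, bridge-nf-call-iptables=1, vxlan bridge ports: %s\n' \
            "$(printf '%s' "$ports" | tr '\n' ' ')"
        return 0
    fi
    printf 'not-exposed (br_netfilter=%s bridge-nf-call-iptables=%s vxlan-bridge-ports=%s)\n' \
        "$loaded" "$call_iptables" "${ports:-none}"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: real commands. The sysctl only exists while br_netfilter is
    # loaded, so a missing key is treated as 0.
    loaded=0
    lsmod 2>/dev/null | grep -q '^br_netfilter' && loaded=1
    call=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || echo 0)
    ports=$(ip -d -o link show | vxlan_bridge_ports)
    assess_exposure "$loaded" "$call" "$ports"
else
    # Demo against the constructed sample, pretending the module is loaded
    # and the sysctl is enabled.
    ports=$(printf '%s\n' "$SAMPLE_IP_LINK" | vxlan_bridge_ports)
    assess_exposure 1 1 "$ports" || true
fi
```

On a host that reports EXPOSED, the interim measures from step 2 are `sysctl -w net.bridge.bridge-nf-call-iptables=0` or `modprobe -r br_netfilter`, both of which remove a precondition until the patched kernel is installed; note that disabling the sysctl also stops iptables from seeing bridged traffic, so any firewall rules that relied on it need review first.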
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.071Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdfdb2
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 4:40:49 PM
Last updated: 8/16/2025, 9:28:22 AM