CVE-2024-56372: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: tun: fix tun_napi_alloc_frags()

syzbot reported the following crash [1]

Issue came with the blamed commit. Instead of going through all the iov components, we keep using the first one and end up with a malformed skb.

[1]
kernel BUG at net/core/skbuff.c:2849 !
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848
Code: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90004cbef30 EFLAGS: 00010293
RAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00
RDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000
RBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c
R10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50
R13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80
FS: 00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284
tipc_aead_decrypt net/tipc/crypto.c:894 [inline]
tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844
tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109
tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668
__netif_receive_skb_list_ptype net/core/dev.c:5720 [inline]
__netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762
__netif_receive_skb_list net/core/dev.c:5814 [inline]
netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905
gro_normal_list include/net/gro.h:515 [inline]
napi_complete_done+0x2b5/0x870 net/core/dev.c:6256
napi_complete include/linux/netdevice.h:567 [inline]
tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982
tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057
do_iter_readv_writev+0x600/0x880
vfs_writev+0x376/0xba0 fs/read_write.c:1050
do_writev+0x1b6/0x360 fs/read_write.c:1096
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
AI Analysis
Technical Summary
CVE-2024-56372 is a vulnerability in the Linux kernel's networking subsystem, specifically in the TUN (network tunnel) driver. The flaw is in tun_napi_alloc_frags(): instead of iterating through all iovec components, the code keeps using the first one. The result is a malformed socket buffer (skb), the fundamental data structure used for packet handling in the Linux kernel networking stack.

The malformed skb trips a kernel BUG in __pskb_pull_tail(), a function responsible for managing skb data buffers, which the kernel reports as an invalid opcode oops. The crash details indicate a kernel panic, which can lead to a denial of service (DoS) by crashing the kernel or causing instability.

The vulnerability was discovered and reported by syzbot, an automated kernel fuzzing tool, and affects Linux kernel version 6.13.0-rc1 and potentially other versions containing the flawed commit. The vulnerability does not appear to require user interaction or authentication to be triggered, as it occurs in the network packet processing path. The affected code path involves TUN device write operations (the call trace enters through writev() into tun_chr_write_iter() and tun_get_user()); TUN devices are commonly used for virtual network interfaces, VPNs, and container networking.

Although no known exploits are reported in the wild, the vulnerability represents a serious risk due to its potential to cause kernel crashes and disrupt network services. The lack of a CVSS score suggests it is a newly published issue, and the technical details imply a medium to high severity impact due to kernel-level denial of service and potential for broader system instability.
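The indexing mistake described above can be reproduced as a userspace model. This is an added example, not the kernel's code or the upstream patch: all names are hypothetical, and it assumes that the first segment becomes the linear part, that later segments become frags, and that a well-formed skb has frag sizes summing to its data length.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model only: every name here is hypothetical, no kernel API. */
#define MODEL_MAX_FRAGS 16             /* arbitrary limit for the model */
struct seg { size_t len; };            /* stands in for one iov component */
struct model_skb {
    size_t len;                        /* total packet length */
    size_t data_len;                   /* bytes expected to sit in frags */
    size_t frag_len[MODEL_MAX_FRAGS];
    int nr_frags;
};

/* Assumed layout: segment 0 is the linear part, segments 1..n-1 become
 * frags. With first_only set, every frag is sized from segment 0, the
 * "keep using the first one" behaviour; otherwise segment i is used. */
static int build_frags(const struct seg *segs, int n, int first_only,
                       struct model_skb *skb)
{
    size_t total = 0;
    if (n < 1 || n > MODEL_MAX_FRAGS + 1)
        return -1;
    for (int i = 0; i < n; i++)
        total += segs[i].len;
    skb->len = total;
    skb->data_len = total - segs[0].len;
    skb->nr_frags = 0;
    for (int i = 1; i < n; i++)
        skb->frag_len[skb->nr_frags++] = first_only ? segs[0].len : segs[i].len;
    return 0;
}

/* Well formed means the frag sizes add up to data_len; returns 1 if so. */
static int skb_is_consistent(const struct model_skb *skb)
{
    size_t sum = 0;
    for (int i = 0; i < skb->nr_frags; i++)
        sum += skb->frag_len[i];
    return sum == skb->data_len;
}

int main(void)
{
    const struct seg segs[] = { {14}, {100}, {36} };  /* constructed sample */
    struct model_skb bad, good;
    build_frags(segs, 3, 1, &bad);
    build_frags(segs, 3, 0, &good);
    printf("first-only=%d per-segment=%d\n", skb_is_consistent(&bad), skb_is_consistent(&good));
    return 0;
}
```

With the constructed segments the first-only variant records two 14-byte frags against a data length of 136, the kind of length mismatch that later skb helpers refuse to process.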
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with the affected versions, especially those utilizing TUN devices for VPNs, container networking, or virtualized environments. The impact includes potential denial of service conditions caused by kernel panics, which can disrupt critical network services, cloud infrastructure, and container orchestration platforms. Organizations relying on Linux-based servers, cloud instances, or network appliances that use TUN interfaces could experience service outages or degraded performance. This is particularly critical for sectors such as finance, healthcare, telecommunications, and government services where network availability and stability are paramount. Additionally, the vulnerability could be leveraged in targeted attacks to cause persistent system crashes, complicating incident response and recovery. While no evidence of exploitation in the wild currently exists, the ease of triggering a kernel panic through malformed network packets makes it a plausible vector for attackers aiming to disrupt services or conduct denial of service attacks against European enterprises and public sector infrastructure.
Mitigation Recommendations
1. Immediate patching: Apply the official Linux kernel patches that fix the tun_napi_alloc_frags() function to ensure proper handling of iovec components and prevent malformed skb creation. Monitor Linux kernel mailing lists and vendor advisories for updated stable releases containing the fix.
2. Kernel version management: Maintain strict control over kernel versions in production environments, avoiding use of release candidates or unpatched kernels.
3. Network filtering: Implement ingress filtering on network interfaces to restrict malformed or suspicious packets that could trigger the vulnerability, especially on interfaces exposed to untrusted networks.
4. Limit TUN device exposure: Restrict access to TUN devices to trusted users and processes only, using Linux capabilities and access control mechanisms to reduce attack surface.
5. Monitoring and alerting: Deploy kernel crash monitoring tools and log analysis to detect early signs of exploitation attempts or instability related to this vulnerability.
6. Incident response readiness: Prepare for potential denial of service incidents by having recovery procedures and backups in place to minimize downtime.
7. Container and virtualization security: For environments using containers or virtual machines relying on TUN interfaces, ensure host kernels are patched and container runtimes are configured to minimize exposure to untrusted network traffic.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T12:34:02.635Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdf13a
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 11:26:13 AM
Last updated: 8/5/2025, 6:53:12 PM