CVE-2024-56636: Vulnerability in Linux Linux

High
Published: Fri Dec 27 2024 (12/27/2024, 15:02:38 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

geneve: do not assume mac header is set in geneve_xmit_skb()

We should not assume mac header is set in output path. Use skb_eth_hdr() instead of eth_hdr() to fix the issue.

syzbot reported the following:

WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline]
WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline]
WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline]
WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039
Modules linked in:
CPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline]
RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline]
RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline]
RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039
Code: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 <0f> 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff
RSP: 0018:ffffc90003b2f870 EFLAGS: 00010283
RAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000
RDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003
RBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000
R13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23
FS: 00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 netdev_start_xmit include/linux/netdevice.h:5011 [inline]
 __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490
 dev_direct_xmit include/linux/netdevice.h:3181 [inline]
 packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285
 packet_snd net/packet/af_packet.c:3146 [inline]
 packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg net/socket.c:726 [inline]
 __sys_sendto+0x488/0x4f0 net/socket.c:2197
 __do_sys_sendto net/socket.c:2204 [inline]
 __se_sys_sendto net/socket.c:2200 [inline]
 __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

AI-Powered Analysis

Last updated: 06/28/2025, 06:26:07 UTC

Technical Analysis

CVE-2024-56636 is a vulnerability in the Linux kernel's Geneve (Generic Network Virtualization Encapsulation) driver, in the function geneve_xmit_skb(). The code assumes that the MAC header is always set in the output path when transmitting packets. It calls eth_hdr(), which expects the MAC header to be set, where the correct approach is skb_eth_hdr(), which safely handles cases where the MAC header may not be set. This incorrect assumption can lead to kernel warnings and potentially undefined behavior or memory corruption during packet transmission.

The vulnerability was discovered and reported by syzbot, with kernel warnings indicating improper access to the MAC header in the sk_buff structure. The problem manifests in the network device transmission path of the Geneve tunneling driver, which is used for network virtualization and overlay networks. The vulnerability is present in Linux kernel version 6.12.0-syzkaller-10296-gaaf20f870da0 and likely other versions around this release. No public exploits are known at this time, and no CVSS score has been assigned yet.

The root cause is a programming error in handling packet headers, which could lead to kernel instability or crashes if exploited. The patch replaces eth_hdr() calls with skb_eth_hdr() to ensure safe access to the MAC header. The vulnerability affects systems using the Geneve driver for network virtualization, which is common in cloud environments and data centers running Linux-based virtualized infrastructure.
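The difference between the two accessors, as an added userspace model that is not kernel code and not part of the original advisory: the kernel stores mac_header as an offset from skb->head with an all-ones value meaning "unset", eth_hdr() resolves the frame through that offset, and skb_eth_hdr() reads it at skb->data. The struct, the function names and the sample frame are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MAC_UNSET ((uint16_t)~0U) /* sentinel: mac header was never set */

/* Userspace model of the sk_buff fields involved (not kernel code). */
struct model_skb {
    unsigned char buf[128];     /* plays the role of skb->head */
    size_t   data_off;          /* skb->data - skb->head */
    uint16_t mac_header;        /* offset from head, or MAC_UNSET */
};

/* eth_hdr() style lookup through mac_header. Where the kernel helper
 * warns about an unset field, the model returns NULL instead. */
static const unsigned char *eth_via_mac_header(const struct model_skb *skb)
{
    if (skb->mac_header == MAC_UNSET)
        return NULL;
    return skb->buf + skb->mac_header;
}

/* skb_eth_hdr() style lookup: the frame starts at skb->data. */
static const unsigned char *eth_via_data(const struct model_skb *skb)
{
    return skb->buf + skb->data_off;
}

/* EtherType: big-endian 16-bit field after the two 6-byte MAC addresses. */
static unsigned ethertype(const unsigned char *eth)
{
    return ((unsigned)eth[12] << 8) | eth[13];
}

/* Constructed sample: 16 bytes of headroom, then an IPv6 Ethernet header. */
static struct model_skb make_skb(uint16_t mac_header)
{
    struct model_skb skb = { .data_off = 16, .mac_header = mac_header };
    skb.buf[16 + 12] = 0x86;
    skb.buf[16 + 13] = 0xdd;
    return skb;
}

int main(void)
{
    struct model_skb rx = make_skb(16), tx = make_skb(MAC_UNSET);
    printf("rx agree=%d tx mac_header=%u of %u tx ethertype=0x%04x\n",
           eth_via_mac_header(&rx) == eth_via_data(&rx), (unsigned)tx.mac_header,
           (unsigned)sizeof(tx.buf), ethertype(eth_via_data(&tx)));
    return 0;
}
```

With the field unset, the offset is 65535, far past the 128-byte model buffer, while the data-relative lookup still finds the EtherType.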

Potential Impact

For European organizations, the impact of CVE-2024-56636 could be significant in environments that rely heavily on Linux-based network virtualization, such as cloud service providers, telecommunications companies, and enterprises using private clouds or container orchestration platforms like Kubernetes with overlay networks. Exploitation could lead to kernel crashes or denial of service conditions, disrupting network connectivity and availability of critical services. This could affect data centers, cloud infrastructure, and virtualized network functions (VNFs) that use Geneve tunnels for encapsulating network traffic. Although no known exploits exist yet, the vulnerability could be leveraged by attackers with local access or through crafted network packets to cause instability or potentially escalate privileges if combined with other vulnerabilities. The confidentiality and integrity of data are less likely to be directly impacted, but availability and reliability of network services could be compromised, leading to operational disruptions and potential financial losses. Organizations in Europe with critical infrastructure or cloud deployments should prioritize patching to avoid service interruptions and maintain compliance with cybersecurity regulations such as the NIS Directive and GDPR, which emphasize the protection of network and information systems.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Identify all Linux systems running kernel versions around 6.12 or those using the Geneve driver for network virtualization.
2) Apply the official Linux kernel patches that replace eth_hdr() with skb_eth_hdr() in the geneve_xmit_skb() function as soon as they become available from trusted Linux distributions or kernel maintainers.
3) For environments where immediate patching is not feasible, consider disabling Geneve tunneling temporarily if it is not critical to operations, or restrict access to systems that handle Geneve traffic to trusted administrators only.
4) Monitor kernel logs for warnings related to skb_mac_header or eth_hdr usage in geneve_xmit_skb(), which could indicate attempts to trigger the vulnerability.
5) Implement network segmentation and strict access controls to limit exposure of vulnerable systems to untrusted networks or users.
6) Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation.
7) Engage with Linux distribution vendors for timely updates and verify kernel versions post-update to confirm the patch is applied.

These steps go beyond generic advice by focusing on the specific driver and kernel function affected, emphasizing monitoring and operational controls relevant to European organizations' infrastructure.
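One way to implement the log monitoring in step 4, as an added example that is not part of the original advisory: a scanner for the warning signature shown in the Description, counting each report once even when the header line is repeated per inlined frame. The function names and the last sample log line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* First five lines are from the report on this page; the last is constructed. */
static const char SAMPLE_LOG[] =
    "WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline]\n"
    "WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline]\n"
    "WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline]\n"
    "WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039\n"
    "Modules linked in:\n"
    "WARNING: CPU: 1 PID: 42 at include/linux/skbuff.h:3052 example_other_xmit+0x10/0x20\n";

/* A line matches when it is a WARNING attributed to the geneve transmit
 * path and raised from skbuff.h or one of the header accessors. */
static int is_geneve_mac_warning(const char *line)
{
    if (!strstr(line, "WARNING:") || !strstr(line, "geneve_xmit"))
        return 0;
    return strstr(line, "skbuff.h") || strstr(line, "skb_mac_header") ||
           strstr(line, "eth_hdr");
}

/* Count reports, not lines: consecutive WARNING lines (a symbolized report
 * repeats the header once per inlined frame) count as one event. */
static int count_geneve_mac_warnings(const char *log)
{
    int events = 0, counted = 0;
    char line[512];
    while (*log) {
        size_t n = strcspn(log, "\n");
        size_t c = n < sizeof(line) - 1 ? n : sizeof(line) - 1;
        memcpy(line, log, c);
        line[c] = '\0';
        log += n + (log[n] == '\n');
        if (!strstr(line, "WARNING:"))
            counted = 0;            /* the run of header lines has ended */
        else if (!counted && is_geneve_mac_warning(line)) {
            counted = 1;
            events++;
        }
    }
    return events;
}

int main(void)
{
    printf("geneve mac-header warnings: %d\n", count_geneve_mac_warnings(SAMPLE_LOG));
    return 0;
}
```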

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-27T15:00:39.839Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9822c4522896dcbde40d

Added to database: 5/21/2025, 9:08:50 AM

Last enriched: 6/28/2025, 6:26:07 AM

Last updated: 8/4/2025, 7:00:40 AM
