
CVE-2024-56648: Vulnerability in Linux Linux

High
Published: Fri Dec 27 2024 (12/27/2024, 15:02:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: hsr: avoid potential out-of-bound access in fill_frame_info()

syzbot is able to feed a packet with 14 bytes, pretending it is a vlan one.

Since fill_frame_info() is relying on skb->mac_len already, extend the check to cover this case.

BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline]
BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724
  fill_frame_info net/hsr/hsr_forward.c:709 [inline]
  hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724
  hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235
  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
  netdev_start_xmit include/linux/netdevice.h:5011 [inline]
  xmit_one net/core/dev.c:3590 [inline]
  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606
  __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434
  dev_queue_xmit include/linux/netdevice.h:3168 [inline]
  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
  packet_snd net/packet/af_packet.c:3146 [inline]
  packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178
  sock_sendmsg_nosec net/socket.c:711 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:726
  __sys_sendto+0x594/0x750 net/socket.c:2197
  __do_sys_sendto net/socket.c:2204 [inline]
  __se_sys_sendto net/socket.c:2200 [inline]
  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
  x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4091 [inline]
  slab_alloc_node mm/slub.c:4134 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1323 [inline]
  alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612
  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881
  packet_alloc_skb net/packet/af_packet.c:2995 [inline]
  packet_snd net/packet/af_packet.c:3089 [inline]
  packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178
  sock_sendmsg_nosec net/socket.c:711 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:726
  __sys_sendto+0x594/0x750 net/socket.c:2197
  __do_sys_sendto net/socket.c:2204 [inline]
  __se_sys_sendto net/socket.c:2200 [inline]
  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
  x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

AI-Powered Analysis

Last updated: 06/27/2025, 22:40:48 UTC

Technical Analysis

CVE-2024-56648 is a vulnerability identified in the Linux kernel's High-availability Seamless Redundancy (HSR) network subsystem, specifically within the fill_frame_info() function in net/hsr/hsr_forward.c. The issue arises due to insufficient validation of packet length when processing network packets that are crafted to appear as VLAN packets but contain only 14 bytes. The vulnerability is triggered when the kernel's skb->mac_len field, which indicates the MAC header length, is used without adequate boundary checks, leading to potential out-of-bounds memory access. This can cause the kernel to read uninitialized memory, as evidenced by Kernel Memory Sanitizer (KMSAN) reports showing uninitialized value usage in fill_frame_info and hsr_forward_skb functions. The root cause is that fill_frame_info() relies on skb->mac_len but does not extend checks to cover cases where packets are shorter than expected, allowing malformed packets to cause memory safety issues. The vulnerability is exploitable via crafted network packets sent to the affected system, potentially causing kernel crashes or undefined behavior. The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes, and it has been publicly disclosed without a CVSS score or known exploits in the wild at the time of publication.

Potential Impact

For European organizations, the impact of CVE-2024-56648 can be significant, especially for those relying on Linux-based infrastructure with HSR enabled. HSR is used primarily in industrial and critical network environments requiring high availability and redundancy, such as manufacturing plants, energy grids, transportation systems, and telecommunications. Exploitation could lead to kernel crashes (denial of service), potential memory corruption, or unpredictable system behavior, which in critical environments could disrupt operations or safety systems. Although no known exploits are reported yet, the vulnerability could be leveraged by attackers with network access to send specially crafted packets to vulnerable hosts. This risk is heightened in environments where network segmentation is weak or where Linux systems are exposed to untrusted networks. Confidentiality and integrity impacts are limited as the vulnerability primarily causes memory safety issues rather than direct data leakage or privilege escalation. However, availability impact is medium to high due to potential system instability or crashes. Organizations in Europe with industrial control systems or telecommunications infrastructure running Linux kernels with HSR support should be particularly vigilant.

Mitigation Recommendations

1. Apply official Linux kernel patches that address CVE-2024-56648 as soon as they become available from trusted sources or Linux distribution vendors.
2. If immediate patching is not possible, disable HSR functionality on Linux systems unless it is strictly required, to reduce the attack surface.
3. Implement strict network segmentation and filtering to limit exposure of vulnerable Linux hosts to untrusted or external networks, especially blocking malformed or suspicious VLAN-tagged packets.
4. Monitor network traffic for anomalous packets that mimic VLAN frames with abnormal lengths, using advanced intrusion detection systems capable of deep packet inspection.
5. Employ kernel runtime security tools that can detect and prevent exploitation attempts involving malformed packets or kernel memory corruption.
6. Maintain up-to-date backups and incident response plans to quickly recover from potential denial-of-service conditions caused by exploitation.
7. Engage with Linux distribution security advisories and subscribe to vulnerability notifications to stay informed about patch releases and exploit developments.
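The length rule described in the Technical Analysis, which is also the frame condition that monitoring under item 4 would test for, shown as an added example: a user-space C model, not the kernel's code or its patch. The function names and sample frames are constructed for illustration; the sizes are the standard 14-byte Ethernet header and 4-byte 802.1Q tag.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN     14      /* dst MAC + src MAC + EtherType */
#define VLAN_HLEN     4      /* 802.1Q TCI + encapsulated EtherType */
#define ETH_P_8021Q  0x8100

enum { FRAME_OK = 0, FRAME_TRUNCATED = -1 };

/* Constructed sample frames (MAC addresses are arbitrary). */
static const uint8_t short_vlan[14] = {  /* claims 802.1Q, carries no tag bytes */
    1,0,0,0,0,1, 2,0,0,0,0,2, 0x81,0x00 };
static const uint8_t full_vlan[18] = {   /* 802.1Q tag, then HSR EtherType 0x892F */
    1,0,0,0,0,1, 2,0,0,0,0,2, 0x81,0x00, 0x00,0x05, 0x89,0x2F };
static const uint8_t plain_ip[14] = {    /* untagged header, EtherType IPv4 */
    1,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Insufficient rule: any frame holding a plain Ethernet header passes. */
static int weak_len_check(size_t len) { return len >= ETH_HLEN ? FRAME_OK : FRAME_TRUNCATED; }

/* Extended rule: a frame that claims 802.1Q must also hold the 4 tag bytes
 * before the encapsulated EtherType at offset 16 is read. */
static int encap_proto(const uint8_t *f, size_t len, uint16_t *proto)
{
    if (len < ETH_HLEN)
        return FRAME_TRUNCATED;
    uint16_t p = be16(f + 12);
    if (p == ETH_P_8021Q) {
        if (len < ETH_HLEN + VLAN_HLEN)
            return FRAME_TRUNCATED;   /* the 14-byte "VLAN" case */
        p = be16(f + 16);
    }
    *proto = p;
    return FRAME_OK;
}

int main(void)
{
    uint16_t proto = 0;
    printf("weak check, 14-byte VLAN frame: %d\n", weak_len_check(sizeof short_vlan));
    printf("extended check, same frame:     %d\n", encap_proto(short_vlan, sizeof short_vlan, &proto));
    printf("extended check, full VLAN:      %d\n", encap_proto(full_vlan, sizeof full_vlan, &proto));
    printf("extended check, untagged IPv4:  %d\n", encap_proto(plain_ip, sizeof plain_ip, &proto));
    return 0;
}
```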


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-27T15:00:39.840Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd0ff

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 10:40:48 PM

Last updated: 7/26/2025, 5:27:13 PM
