CVE-2024-57802: Vulnerability in the Linux kernel (vendor: Linux)
In the Linux kernel, the following vulnerability has been resolved:

netrom: check buffer length before accessing it

Syzkaller reports an uninit value read from ax25cmp when sending a raw message through the ieee802154 implementation.

=====================================================
BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
 ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
 nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601
 nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774
 nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299
 ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
 __alloc_skb+0x318/0x740 net/core/skbuff.c:651
 alloc_skb include/linux/skbuff.h:1286 [inline]
 alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780
 sock_alloc_send_skb include/net/sock.h:1884 [inline]
 raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282
 ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================

This issue occurs because the skb buffer is too small, and its actual allocation is aligned. This hides an actual issue, which is that nr_route_frame does not validate the buffer size before using it.

Fix this issue by checking skb->len before accessing any fields in skb->data.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
AI Analysis
Technical Summary
CVE-2024-57802 is a vulnerability in the Linux kernel's NET/ROM (netrom) networking protocol implementation. The uninitialized read surfaces in the ax25cmp function in net/ax25/ax25_addr.c, reached from nr_dev_get in the NET/ROM routing code. The issue arises because the socket buffer (skb) length is not validated before its data fields are accessed, so the kernel reads an uninitialized value. The vulnerability was discovered through fuzz testing with Syzkaller and reported by the Linux Verification Center. The root cause is that nr_route_frame does not verify the buffer size before use: the skb allocated for the raw message is smaller than the header it is parsed as, and because the allocation is rounded up to an aligned size the read past skb->len lands in allocated but uninitialized memory rather than faulting. This flaw can lead to undefined behavior, including potential information leakage or kernel memory corruption. The vulnerability affects Linux kernel versions around 6.7.0-rc7 and likely other versions using the netrom and ax25 networking stacks. The fix adds a check on skb->len before any field in skb->data is accessed, so that short frames are rejected instead of read out of bounds. Although no known exploits are currently reported in the wild, the vulnerability resides in kernel networking code, which is a critical attack surface. Exploitation would require the ability to send crafted raw messages through the ieee802154 implementation, potentially requiring local or network access depending on configuration. The vulnerability does not require elevated privileges initially but may be leveraged to escalate privileges or cause denial of service via kernel crashes or memory corruption.
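To make the failure mode concrete, here is an added C model of the bug class described above; it is not code from the kernel and not part of this advisory. It mirrors what the commit message states: a raw message produces an skb whose len is shorter than the header the routing code parses, the slab allocation is rounded up so the over-read stays inside mapped memory and never faults, and the fix is a check on skb->len before any field is read. AX25_ADDR_LEN = 7 is the real AX.25 address length; the struct mock_skb type, the 15-byte minimum header (two addresses plus a TTL byte), the 64-byte allocation rounding and all function names are constructed for the example and are not the kernel's own definitions or its exact check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for kernel types; not the kernel's own definitions. */
#define AX25_ADDR_LEN 7                        /* real AX.25 address length (callsign + SSID) */
#define NR_HDR_MIN    (2 * AX25_ADDR_LEN + 1)  /* assumption: dest addr, source addr, TTL byte */
#define KMALLOC_ALIGN 64                       /* assumption: slab size-class rounding */

struct mock_skb {
    uint8_t *data;     /* start of the frame as handed to the routing code */
    size_t   len;      /* bytes the sender actually supplied */
    size_t   truesize; /* bytes really allocated (rounded up, like a slab object) */
};

struct ax25_addr { uint8_t call[AX25_ADDR_LEN]; };

enum route_status { ROUTE_OK = 0, ROUTE_TOO_SHORT = -1 };

/* Mimic the allocation the KMSAN report traces: the request is rounded up to
 * an aligned size, so bytes between len and truesize exist but were never
 * initialised (malloc is deliberately not zeroed, like kmalloc). */
static struct mock_skb *mock_skb_alloc(const uint8_t *payload, size_t len)
{
    struct mock_skb *skb = malloc(sizeof *skb);
    if (!skb)
        return NULL;
    skb->truesize = (len + KMALLOC_ALIGN - 1) / KMALLOC_ALIGN * KMALLOC_ALIGN;
    if (skb->truesize == 0)
        skb->truesize = KMALLOC_ALIGN;
    skb->data = malloc(skb->truesize);
    if (!skb->data) {
        free(skb);
        return NULL;
    }
    memcpy(skb->data, payload, len);
    skb->len = len;
    return skb;
}

static void mock_skb_free(struct mock_skb *skb)
{
    if (skb) {
        free(skb->data);
        free(skb);
    }
}

/* True when an unchecked header read would run past skb->len yet stay inside
 * the allocation: nothing faults, so only a tool like KMSAN notices. */
static bool overread_is_silent(const struct mock_skb *skb)
{
    return skb->len < NR_HDR_MIN && NR_HDR_MIN <= skb->truesize;
}

/* "Before": copies both addresses straight out of skb->data with no length
 * check. On a short skb it returns whatever stale bytes sit past len. */
static int route_frame_unchecked(const struct mock_skb *skb,
                                 struct ax25_addr *dest, struct ax25_addr *src)
{
    memcpy(dest->call, skb->data, AX25_ADDR_LEN);
    memcpy(src->call, skb->data + AX25_ADDR_LEN, AX25_ADDR_LEN);
    return ROUTE_OK;
}

/* "After": validate skb->len before touching any field, as the fix describes.
 * A short frame is dropped instead of being parsed. */
static int route_frame_checked(const struct mock_skb *skb,
                               struct ax25_addr *dest, struct ax25_addr *src)
{
    if (skb->len < NR_HDR_MIN)
        return ROUTE_TOO_SHORT;
    return route_frame_unchecked(skb, dest, src);
}

int main(void)
{
    /* Constructed 3-byte "frame": far shorter than the header the router expects. */
    const uint8_t short_payload[3] = { 'D', 'S', 'T' };
    struct mock_skb *skb = mock_skb_alloc(short_payload, sizeof short_payload);
    struct ax25_addr dest, src;

    if (!skb)
        return 1;
    printf("len=%zu truesize=%zu silent over-read without check: %s\n",
           skb->len, skb->truesize, overread_is_silent(skb) ? "yes" : "no");
    printf("checked router verdict: %s\n",
           route_frame_checked(skb, &dest, &src) == ROUTE_TOO_SHORT ? "dropped" : "routed");
    mock_skb_free(skb);
    return 0;
}
```

The point to take from the model is the gap between len and truesize: a bounds violation relative to the logical frame is invisible to the allocator and to fault-based crash detection, which is why the commit calls the small buffer a symptom that "hides" the missing validation in nr_route_frame. Any parser that reads a fixed-size header out of a caller-supplied buffer needs the same shape of check before the first field access.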
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with affected versions, especially those utilizing the netrom or AX.25 networking protocols, which are often used in amateur radio, embedded systems, or specialized industrial applications. While the general Linux server and desktop environments may not commonly use netrom, embedded devices, IoT gateways, or industrial control systems running Linux with these protocols could be targeted. Exploitation could lead to kernel crashes causing denial of service or potentially allow attackers to read uninitialized kernel memory, risking leakage of sensitive information. In critical infrastructure sectors such as telecommunications, energy, or transportation where embedded Linux devices are prevalent, this vulnerability could disrupt operations or be a foothold for further attacks. Given the kernel-level nature, successful exploitation might allow privilege escalation, threatening confidentiality, integrity, and availability of affected systems. The lack of known exploits reduces immediate risk, but the vulnerability's presence in core kernel networking code warrants prompt attention in European organizations relying on Linux-based embedded or specialized networking equipment.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions where this vulnerability is fixed, ensuring that the skb length validation is implemented as per the Linux kernel updates post-6.7.0-rc7. For embedded or industrial devices where kernel upgrades are challenging, organizations should:
1) Audit and identify devices using netrom or AX.25 protocols and assess exposure.
2) Restrict network access to these devices, especially limiting raw socket message sending capabilities to trusted users or systems.
3) Implement network segmentation to isolate vulnerable devices from critical network segments.
4) Monitor kernel logs for unusual skb-related errors or crashes that could indicate exploitation attempts.
5) Employ runtime security tools capable of detecting anomalous kernel memory accesses or crashes.
6) Engage with device vendors to obtain firmware updates or mitigations if direct kernel patching is not feasible.
7) Harden system configurations to minimize attack surface, including disabling unused networking protocols like netrom if not required.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-15T13:08:59.709Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde886
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 8:11:37 AM
Last updated: 8/15/2025, 10:02:18 AM