In the Linux kernel, the following vulnerability has been resolved:
vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame
Andrew and Nikolay reported connectivity issues with Cilium's service load-balancing in case of vmxnet3.
If a BPF program for native XDP adds an encapsulation header such as IPIP and transmits the packet out the same interface, then in case of vmxnet3 a corrupted packet is being sent and subsequently dropped on the path.
vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp() through vmxnet3_xdp_xmit_back() calculates an incorrect DMA address:

  page = virt_to_page(xdpf->data);
  tbi->dma_addr = page_pool_get_dma_addr(page) +
                  VMXNET3_XDP_HEADROOM;
  dma_sync_single_for_device(&adapter->pdev->dev,
                             tbi->dma_addr, buf_size,
                             DMA_TO_DEVICE);

The above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP BPF program could have moved xdp->data. While the passed buf_size is correct (xdpf->len), the dma_addr needs to have a dynamic offset which can be calculated as xdpf->data - (void *)xdpf, that is, xdp->data - xdp->data_hard_start.
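
The offset error described above, modeled in userspace C as an added example (not the driver's code or the upstream patch). `HEADROOM`, `frame_model`, `page_model` and the helper names are hypothetical stand-ins, the headroom value is assumed, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HEADROOM 256   /* stands in for VMXNET3_XDP_HEADROOM; value assumed */
#define IPIP_HDR 20    /* outer IPv4 header pushed by the BPF program */

struct frame_model {   /* hypothetical stand-in for struct xdp_frame */
    uint8_t *data;     /* start of packet; the BPF program may move it */
    size_t len;
};

struct page_model {    /* one RX page; the frame sits at data_hard_start */
    struct frame_model frame;
    uint8_t rest[4096 - sizeof(struct frame_model)];
};

/* Constructed 64-byte packet; encap prepends 20 bytes like bpf_xdp_adjust_head(ctx, -20). */
static void build(struct page_model *p, int encap)
{
    memset(p, 0, sizeof(*p));
    p->frame.data = (uint8_t *)p + HEADROOM;
    p->frame.len = 64;
    memset(p->frame.data, 0xAA, 64);            /* inner packet bytes */
    if (encap) {
        p->frame.data -= IPIP_HDR;              /* data moves into the headroom */
        p->frame.len += IPIP_HDR;
        memset(p->frame.data, 0x45, IPIP_HDR);  /* outer header bytes */
    }
}

/* Pre-fix offset from the page's DMA base: always the fixed headroom. */
static size_t off_fixed(const struct frame_model *f) { (void)f; return HEADROOM; }

/* Post-fix offset: xdpf->data - (void *)xdpf. */
static size_t off_dynamic(const struct frame_model *f)
{
    return (size_t)(f->data - (const uint8_t *)f);
}

/* 1 if the len bytes the device would read at page base + off are the packet. */
static int device_sees_packet(const struct page_model *p, size_t off)
{
    return memcmp((const uint8_t *)p + off, p->frame.data, p->frame.len) == 0;
}

int main(void)
{
    struct page_model pg;
    build(&pg, 1);  /* exit status 0: dynamic offset matches, fixed offset does not */
    return !device_sees_packet(&pg, off_dynamic(&pg.frame)) || device_sees_packet(&pg, off_fixed(&pg.frame));
}
```

With the header pushed, the fixed offset starts 20 bytes past the real packet start while the length is already the grown `xdpf->len`, so the device would transmit the inner packet without its outer header, followed by 20 bytes that lie beyond the packet.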
[
{
"signature_type": "Function",
"id": "CVE-2024-58099-0ef72282",
"target": {
"file": "drivers/net/vmxnet3/vmxnet3_xdp.c",
"function": "vmxnet3_xdp_xmit_frame"
},
"digest": {
"function_hash": "189103514053881328176295447121801742054",
"length": 1928.0
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@59ba6cdadb9c26b606a365eb9c9b25eb2052622d",
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-58099-1d486e87",
"target": {
"file": "drivers/net/vmxnet3/vmxnet3_xdp.c"
},
"digest": {
"line_hashes": [
"154023746051445038782189032457183483897",
"108790156452847514671703074574513512780",
"135550734491142269327298463611528500827",
"100142000425946100751689489520399371498"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4678adf94da4a9e9683817b246b58ce15fb81782",
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-58099-31542202",
"target": {
"file": "drivers/net/vmxnet3/vmxnet3_xdp.c",
"function": "vmxnet3_xdp_xmit_frame"
},
"digest": {
"function_hash": "189103514053881328176295447121801742054",
"length": 1928.0
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f82eb34fb59a8fb96c19f4f492c20eb774140bb5",
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-58099-7665c438",
"target": {
"file": "drivers/net/vmxnet3/vmxnet3_xdp.c",
"function": "vmxnet3_xdp_xmit_frame"
},
"digest": {
"function_hash": "189103514053881328176295447121801742054",
"length": 1928.0
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4678adf94da4a9e9683817b246b58ce15fb81782",
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-58099-8c11e412",
"target": {
"file": "drivers/net/vmxnet3/vmxnet3_xdp.c"
},
"digest": {
"line_hashes": [
"154023746051445038782189032457183483897",
"108790156452847514671703074574513512780",
"135550734491142269327298463611528500827",
"100142000425946100751689489520399371498"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f82eb34fb59a8fb96c19f4f492c20eb774140bb5",
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-58099-9105d070",
"target": {
"file": "drivers/net/vmxnet3/vmxnet3_xdp.c"
},
"digest": {
"line_hashes": [
"154023746051445038782189032457183483897",
"108790156452847514671703074574513512780",
"135550734491142269327298463611528500827",
"100142000425946100751689489520399371498"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@59ba6cdadb9c26b606a365eb9c9b25eb2052622d",
"deprecated": false
}
]