CVE-2024-26882
- Source
- https://cve.org/CVERecord?id=CVE-2024-26882
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26882.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-26882
- Downstream
- Related
- Published
- 2024-04-17T10:27:38.389Z
- Modified
- 2026-05-28T03:53:05.352915917Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: iptunnel: make sure to pull inner header in iptunnel_rcv()
Apply the same fix than ones found in :
8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in _ip6tnlrcv()") 1ca1ba465e55 ("geneve: make sure to pull inner header in geneverx()")
We have to save skb->networkheader in a temporary variable in order to be able to recompute the networkheader pointer after a pskbinetmay_pull() call.
pskbinetmay_pull() makes sure the needed headers are in skb->head.
syzbot reported: BUG: KMSAN: uninit-value in __INETECNdecapsulate include/net/inetecn.h:253 [inline] BUG: KMSAN: uninit-value in INETECNdecapsulate include/net/inetecn.h:275 [inline] BUG: KMSAN: uninit-value in IPECNdecapsulate include/net/inetecn.h:302 [inline] BUG: KMSAN: uninit-value in iptunnelrcv+0xed9/0x2ed0 net/ipv4/iptunnel.c:409 __INETECNdecapsulate include/net/inetecn.h:253 [inline] INETECNdecapsulate include/net/inetecn.h:275 [inline] IPECNdecapsulate include/net/inetecn.h:302 [inline] iptunnelrcv+0xed9/0x2ed0 net/ipv4/iptunnel.c:409 __ipgrercv+0x9bc/0xbc0 net/ipv4/ipgre.c:389 ipgre_rcv net/ipv4/ipgre.c:411 [inline] grercv+0x423/0x19f0 net/ipv4/ipgre.c:447 grercv+0x2a4/0x390 net/ipv4/gredemux.c:163 ipprotocoldeliverrcu+0x264/0x1300 net/ipv4/ipinput.c:205 iplocaldeliverfinish+0x2b8/0x440 net/ipv4/ipinput.c:233 NFHOOK include/linux/netfilter.h:314 [inline] iplocaldeliver+0x21f/0x490 net/ipv4/ipinput.c:254 dstinput include/net/dst.h:461 [inline] iprcvfinish net/ipv4/ipinput.c:449 [inline] NFHOOK include/linux/netfilter.h:314 [inline] iprcv+0x46f/0x760 net/ipv4/ipinput.c:569 __netifreceiveskbonecore net/core/dev.c:5534 [inline] __netifreceiveskb+0x1a6/0x5a0 net/core/dev.c:5648 netifreceiveskbinternal net/core/dev.c:5734 [inline] netifreceiveskb+0x58/0x660 net/core/dev.c:5793 tunrxbatched+0x3ee/0x980 drivers/net/tun.c:1556 tungetuser+0x53b9/0x66e0 drivers/net/tun.c:2009 tunchrwriteiter+0x3af/0x5d0 drivers/net/tun.c:2055 callwriteiter include/linux/fs.h:2087 [inline] newsyncwrite fs/readwrite.c:497 [inline] vfswrite+0xb6b/0x1520 fs/readwrite.c:590 ksyswrite+0x20f/0x4c0 fs/read_write.c:643 __dosyswrite fs/read_write.c:655 [inline] __sesyswrite fs/read_write.c:652 [inline] _x64syswrite+0x93/0xd0 fs/readwrite.c:652 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcf/0x1e0 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x63/0x6b
Uninit was created at: __allocpages+0x9a6/0xe00 mm/pagealloc.c:4590 allocpagesmpol+0x62b/0x9d0 mm/mempolicy.c:2133 allocpages+0x1be/0x1e0 mm/mempolicy.c:2204 skbpagefragrefill+0x2bf/0x7c0 net/core/sock.c:2909 tunbuildskb drivers/net/tun.c:1686 [inline] tungetuser+0xe0a/0x66e0 drivers/net/tun.c:1826 tunchrwriteiter+0x3af/0x5d0 drivers/net/tun.c:2055 callwriteiter include/linux/fs.h:2087 [inline] newsyncwrite fs/readwrite.c:497 [inline] vfswrite+0xb6b/0x1520 fs/readwrite.c:590 ksyswrite+0x20f/0x4c0 fs/readwrite.c:643 __dosyswrite fs/read_write.c:655 [inline] __sesyswrite fs/read_write.c:652 [inline] _x64syswrite+0x93/0xd0 fs/readwrite.c:652 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcf/0x1e0 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x63/0x6b
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26882.json", "cna_assigner": "Linux" }- References
-
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
- https://git.kernel.org/stable/c/5c03387021cfa3336b97e0dcba38029917a8af2a
- https://git.kernel.org/stable/c/60044ab84836359534bd7153b92e9c1584140e4a
- https://git.kernel.org/stable/c/77fd5294ea09b21f6772ac954a121b87323cec80
- https://git.kernel.org/stable/c/b0ec2abf98267f14d032102551581c833b0659d3
- https://git.kernel.org/stable/c/c4c857723b37c20651300b3de4ff25059848b4b0
- https://git.kernel.org/stable/c/ca914f1cdee8a85799942c9b0ce5015bbd6844e1
- https://git.kernel.org/stable/c/ec6bb01e02cbd47781dd90775b631a1dc4bd9d2b
- https://git.kernel.org/stable/c/f6723d8dbfdc10c784a56748f86a9a3cd410dbd5
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26882.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-26882
- https://security.netapp.com/advisory/ntap-20241220-0002/
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc54419321455631079c7d6e60bc732dd0c5914c5Fixedec6bb01e02cbd47781dd90775b631a1dc4bd9d2bFixed77fd5294ea09b21f6772ac954a121b87323cec80Fixed5c03387021cfa3336b97e0dcba38029917a8af2aFixed60044ab84836359534bd7153b92e9c1584140e4aFixedc4c857723b37c20651300b3de4ff25059848b4b0Fixedf6723d8dbfdc10c784a56748f86a9a3cd410dbd5Fixedca914f1cdee8a85799942c9b0ce5015bbd6844e1Fixedb0ec2abf98267f14d032102551581c833b0659d3
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced3.10.0Fixed5.4.273
- Type
- ECOSYSTEM
- Events
-
Introduced5.5.0Fixed5.10.214
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.153
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.83
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.23
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.7.11
- Type
- ECOSYSTEM
- Events
-
Introduced6.8.0Fixed6.8.2