{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-26633","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.136Z","datePublished":"2024-03-18T10:07:49.468Z","dateUpdated":"2026-05-11T20:01:11.341Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T20:01:11.341Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\n\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\n\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\n\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/ip6_tunnel.c"],"versions":[{"version":"fbfa743a9d2a0ffa24251764f10afc13eb21e739","lessThan":"135414f300c5db995e2a2f3bf0f455de9d014aee","status":"affected","versionType":"git"},{"version":"fbfa743a9d2a0ffa24251764f10afc13eb21e739","lessThan":"3f15ba3dc14e6ee002ea01b4faddc3d49200377c","status":"affected","versionType":"git"},{"version":"fbfa743a9d2a0ffa24251764f10afc13eb21e739","lessThan":"da23bd709b46168f7dfc36055801011222b076cd","status":"affected","versionType":"git"},{"version":"fbfa743a9d2a0ffa24251764f10afc13eb21e739","lessThan":"4329426cf6b8e22b798db2331c7ef1dd2a9c748d","status":"affected","versionType":"git"},{"version":"fbfa743a9d2a0ffa24251764f10afc13eb21e739","lessThan":"62a1fedeb14c7ac0947ef33fadbabd35ed2400a2","status":"affected","versionType":"git"},{"version":"fbfa743a9d2a0ffa24251764f10afc13eb21e739","lessThan":"687c5d52fe53e602e76826dbd4d7af412747e183","status":"affected","versionType":"git"},{"version":"fbfa743a9d2a0ffa24251764f10afc13eb21e739","lessThan":"ba8d904c274268b18ef3dc11d3ca7b24a96cb087","status":"affected","versionType":"git"},{"version":"fbfa743a9d2a0ffa24251764f10afc13eb21e739","lessThan":"d375b98e0248980681e5e56b712026174d617198","status":"affected","versionType":"git"},{"version":"a6f6bb6bc04a5f88a31f47a6123d3fbf5ee8d694","status":"affected","versionType":"git"},{"version":"72bbf335e7aad09c88c50dbdd238f4faabd12174","status":"affected","versionType":"git"},{"version":"decccc92ee0a978a1c268b5df16824cb6384ed3c","status":"affected","versionType":"git"},{"version":"d3d9b59ab32160e3cc4edcf7e5fa7cecb53a7d25","status":"affected","versionType":"git"},{"version":"d397f7035d2c754781bbe93b07b94d8cd898620c","status":"affected","versionType":"git"},{"version":"41e07a7e01d951cfd4c9a7dac90c921269d89513","status":"affected","versionType":"git"},{"version":"a7fe4e5d06338e1a82b1977eca37400951f99730","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/ip6_tunnel.c"],"versions":[{"version":"4.10","status":"affected"},{"version":"0","lessThan":"4.10","status":"unaffected","versionType":"semver"},{"version":"4.19.306","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.268","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.209","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.148","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.75","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.14","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.2","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"4.19.306"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.4.268"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.10.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.15.148"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.1.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.6.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.7.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.87"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.106"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12.71"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18.49"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.50"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee"},{"url":"https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c"},{"url":"https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd"},{"url":"https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d"},{"url":"https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2"},{"url":"https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183"},{"url":"https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087"},{"url":"https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198"}],"title":"ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-noinfo Not enough information"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-03-18T19:01:45.822242Z","id":"CVE-2024-26633","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-05T17:13:27.539Z"}},{"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20241220-0001/"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-12-20T13:06:42.426Z"}}]},"dataVersion":"5.2"}