{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-26752","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.169Z","datePublished":"2024-04-03T17:00:37.340Z","dateUpdated":"2026-05-11T20:03:29.180Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T20:03:29.180Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/l2tp/l2tp_ip6.c"],"versions":[{"version":"559d697c5d072593d22b3e0bd8b8081108aeaf59","lessThan":"4c3ce64bc9d36ca9164dd6c77ff144c121011aae","status":"affected","versionType":"git"},{"version":"1fc793d68d50dee4782ef2e808913d5dd880bcc6","lessThan":"c1d3a84a67db910ce28a871273c992c3d7f9efb5","status":"affected","versionType":"git"},{"version":"96b2e1090397217839fcd6c9b6d8f5d439e705ed","lessThan":"dcb4d14268595065c85dc5528056713928e17243","status":"affected","versionType":"git"},{"version":"cd1189956393bf850b2e275e37411855d3bd86bb","lessThan":"0da15a70395182ee8cb75716baf00dddc0bea38d","status":"affected","versionType":"git"},{"version":"f6a7182179c0ed788e3755ee2ed18c888ddcc33f","lessThan":"13cd1daeea848614e585b2c6ecc11ca9c8ab2500","status":"affected","versionType":"git"},{"version":"9d4c75800f61e5d75c1659ba201b6c0c7ead3070","lessThan":"804bd8650a3a2bf3432375f8c97d5049d845ce56","status":"affected","versionType":"git"},{"version":"9d4c75800f61e5d75c1659ba201b6c0c7ead3070","lessThan":"83340c66b498e49353530e41542500fc8a4782d6","status":"affected","versionType":"git"},{"version":"9d4c75800f61e5d75c1659ba201b6c0c7ead3070","lessThan":"359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79","status":"affected","versionType":"git"},{"version":"7626b9fed53092aa2147978070e610ecb61af844","status":"affected","versionType":"git"},{"version":"fe80658c08e3001c80c5533cd41abfbb0e0e28fd","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/l2tp/l2tp_ip6.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"4.19.308","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.270","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.211","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.150","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.80","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.19","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.7","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.296","versionEndExcluding":"4.19.308"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.258","versionEndExcluding":"5.4.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.198","versionEndExcluding":"5.10.211"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.135","versionEndExcluding":"5.15.150"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.57","versionEndExcluding":"6.1.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.7.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.327"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5.7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae"},{"url":"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5"},{"url":"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243"},{"url":"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d"},{"url":"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500"},{"url":"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56"},{"url":"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6"},{"url":"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79"}],"title":"l2tp: pass correct message length to ip6_append_data","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26752","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-04-03T18:05:57.024676Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:48:58.719Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:14:13.330Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","tags":["x_transferred"]}]}]},"dataVersion":"5.2"}