{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-49979","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T12:17:06.052Z","datePublished":"2024-10-21T18:02:25.819Z","dateUpdated":"2026-03-25T10:19:13.154Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-03-25T10:19:13.154Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix tcp fraglist segmentation after pull from frag_list\n\nDetect tcp gso fraglist skbs with corrupted geometry (see below) and\npass these to skb_segment instead of skb_segment_list, as the first\ncan segment them correctly.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify these skbs, breaking these invariants.\n\nIn extreme cases they pull all data into skb linear. For TCP, this\ncauses a NULL ptr deref in __tcpv4_gso_segment_list_csum at\ntcp_hdr(seg->next).\n\nDetect invalid geometry due to pull, by checking head_skb size.\nDon't just drop, as this may blackhole a destination. Convert to be\nable to pass to regular skb_segment.\n\nApproach and description based on a patch by Willem de Bruijn."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_offload.c","net/ipv6/tcpv6_offload.c"],"versions":[{"version":"c2ea8cab368b9f25b5937a7f07ab1a66e90b8064","lessThan":"75733986fcb0725c0033cde94764389e287b331e","status":"affected","versionType":"git"},{"version":"1f2b859225eb8d1ec974214ce4a581f8c528ae57","lessThan":"e19201b0c67da5146eaac06fd3d44bd7945c3448","status":"affected","versionType":"git"},{"version":"bee88cd5bd83d40b8aec4d6cb729378f707f6197","lessThan":"3fdd8c83e83fa5e82f1b5585245c51e0355c9f46","status":"affected","versionType":"git"},{"version":"bee88cd5bd83d40b8aec4d6cb729378f707f6197","lessThan":"2d4a83a44428de45bfe9dccb0192a3711d1097e0","status":"affected","versionType":"git"},{"version":"bee88cd5bd83d40b8aec4d6cb729378f707f6197","lessThan":"17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_offload.c","net/ipv6/tcpv6_offload.c"],"versions":[{"version":"6.10","status":"affected"},{"version":"0","lessThan":"6.10","status":"unaffected","versionType":"semver"},{"version":"6.10.14","lessThanOrEqual":"6.10.*","status":"unaffected","versionType":"semver"},{"version":"6.11.3","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.10.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.11.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/75733986fcb0725c0033cde94764389e287b331e"},{"url":"https://git.kernel.org/stable/c/e19201b0c67da5146eaac06fd3d44bd7945c3448"},{"url":"https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46"},{"url":"https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0"},{"url":"https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8"}],"title":"net: gso: fix tcp fraglist segmentation after pull from frag_list","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-49979","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-22T13:32:45.687666Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T13:38:44.690Z"}}]}}