{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-58099","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-03-06T15:52:09.189Z","datePublished":"2025-04-29T11:45:30.997Z","dateUpdated":"2026-05-11T21:03:16.864Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:03:16.864Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame\n\nAndrew and Nikolay reported connectivity issues with Cilium's service\nload-balancing in case of vmxnet3.\n\nIf a BPF program for native XDP adds an encapsulation header such as\nIPIP and transmits the packet out the same interface, then in case\nof vmxnet3 a corrupted packet is being sent and subsequently dropped\non the path.\n\nvmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp()\nthrough vmxnet3_xdp_xmit_back() calculates an incorrect DMA address:\n\n  page = virt_to_page(xdpf->data);\n  tbi->dma_addr = page_pool_get_dma_addr(page) +\n                  VMXNET3_XDP_HEADROOM;\n  dma_sync_single_for_device(&adapter->pdev->dev,\n                             tbi->dma_addr, buf_size,\n                             DMA_TO_DEVICE);\n\nThe above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP\nBPF program could have moved xdp->data. While the passed buf_size is\ncorrect (xdpf->len), the dma_addr needs to have a dynamic offset which\ncan be calculated as xdpf->data - (void *)xdpf, that is, xdp->data -\nxdp->data_hard_start."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/vmxnet3/vmxnet3_xdp.c"],"versions":[{"version":"54f00cce11786742bd11e5e68c3bf85e6dc048c9","lessThan":"59ba6cdadb9c26b606a365eb9c9b25eb2052622d","status":"affected","versionType":"git"},{"version":"54f00cce11786742bd11e5e68c3bf85e6dc048c9","lessThan":"f82eb34fb59a8fb96c19f4f492c20eb774140bb5","status":"affected","versionType":"git"},{"version":"54f00cce11786742bd11e5e68c3bf85e6dc048c9","lessThan":"4678adf94da4a9e9683817b246b58ce15fb81782","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/vmxnet3/vmxnet3_xdp.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"6.6.59","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.11.6","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.11.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/59ba6cdadb9c26b606a365eb9c9b25eb2052622d"},{"url":"https://git.kernel.org/stable/c/f82eb34fb59a8fb96c19f4f492c20eb774140bb5"},{"url":"https://git.kernel.org/stable/c/4678adf94da4a9e9683817b246b58ce15fb81782"}],"title":"vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-787","lang":"en","description":"CWE-787 Out-of-bounds Write"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-10-01T16:12:22.218510Z","id":"CVE-2024-58099","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T16:12:26.226Z"}}]}}