CVE-2024-26752

MEDIUM

Linux Kernel Buffer Overflow via Incorrect Transport Header Length Calculation

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent.

References (10)

Core 10
Core References

Scores

CVSS v3 5.5
EPSS 0.0025
EPSS Percentile 16.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-131
Status published
Products (39)
debian/debian_linux 10.0
linux/Kernel < 4.19.308linux
linux/Kernel 4.20.0 - 5.4.270linux
linux/Kernel 5.11.0 - 5.15.150linux
linux/Kernel 5.16.0 - 6.1.80linux
linux/Kernel 5.5.0 - 5.10.211linux
linux/Kernel 6.2.0 - 6.6.19linux
linux/Kernel 6.6.0 - 6.7.7linux
Linux/Linux < 6.6
Linux/Linux 1fc793d68d50dee4782ef2e808913d5dd880bcc6 - c1d3a84a67db910ce28a871273c992c3d7f9efb5
... and 29 more
Published Apr 03, 2024
Tracked Since Feb 18, 2026