HOMEVULNERABILITIESCVE-2024-26633
MEDIUM

CVE-2024-26633

NVD-CWE-noinfoPublished: March 18, 2024· Updated: Jun 17, 2026

5.5
CVSS v3.1

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.

Reading frag_off can only be done if we pulled enough bytes

to skb->head. Currently we might access garbage.

[1]

BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0

ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0

ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]

ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432

__netdev_start_xmit include/linux/netdevice.h:4940 [inline]

netdev_start_xmit include/linux/netdevice.h:4954 [inline]

xmit_one net/core/dev.c:3548 [inline]

dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564

__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349

dev_queue_xmit include/linux/netdevice.h:3134 [inline]

neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592

neigh_output include/net/neighbour.h:542 [inline]

ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137

ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222

NF_HOOK_COND include/linux/netfilter.h:303 [inline]

ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243

dst_output include/net/dst.h:451 [inline]

ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155

ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]

ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972

rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582

rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920

inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847

sock_sendmsg_nosec net/socket.c:730 [inline]

__sock_sendmsg net/socket.c:745 [inline]

____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584

___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638

__sys_sendmsg net/socket.c:2667 [inline]

__do_sys_sendmsg net/socket.c:2676 [inline]

__se_sys_sendmsg net/socket.c:2674 [inline]

__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674

do_syscall_x64 arch/x86/entry/common.c:52 [inline]

do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83

entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:

slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768

slab_alloc_node mm/slub.c:3478 [inline]

__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517

__do_kmalloc_node mm/slab_common.c:1006 [inline]

__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027

kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582

pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098

__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655

pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]

pskb_may_pull include/linux/skbuff.h:2681 [inline]

ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408

ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]

ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432

__netdev_start_xmit include/linux/netdevice.h:4940 [inline]

netdev_start_xmit include/linux/netdevice.h:4954 [inline]

xmit_one net/core/dev.c:3548 [inline]

dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564

__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349

dev_queue_xmit include/linux/netdevice.h:3134 [inline]

neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592

neigh_output include/net/neighbour.h:542 [inline]

ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137

ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222

NF_HOOK_COND include/linux/netfilter.h:303 [inline]

ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243

dst_output include/net/dst.h:451 [inline]

ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155

ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]

ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972

rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582

rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920

inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847

sock_sendmsg_nosec net/socket.c:730 [inline]

__sock_sendmsg net/socket.c:745 [inline]

____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584

___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638

__sys_sendmsg net/socket.c:2667 [inline]

__do_sys_sendms

---truncated---

NVD Source

Technical Analysis

CVE-2024-26633 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Debian1 product(s)
debian linux
Linux1 product(s)
linux kernel
netapp34 product(s)
ontap select deploy administration utilityontap toolsa1k firmwarea1ka70 firmwarea70a90 firmwarea90a800 firmwarea800c800 firmwarec800+22
Source: NVD CPE · 36 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (19)

Quick Facts

CVE IDCVE-2024-26633
CVSS Score5.5 / 10
SeverityMEDIUM
CISA KEVNo
Affected3 vendor(s)
PublishedMar 18, 2024

Related CVEs (NVD-CWE-noinfo)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2024-26633 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.