HOMEVULNERABILITIESCVE-2024-26733
MEDIUM

CVE-2024-26733

CWE-787Published: April 3, 2024· Updated: Jun 17, 2026

5.5
CVSS v3.1

Official Description

In the Linux kernel, the following vulnerability has been resolved:

arp: Prevent overflow in arp_req_get().

syzkaller reported an overflown write in arp_req_get(). [0]

When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour

entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.

The arp_ha here is struct sockaddr, not struct sockaddr_storage, so

the sa_data buffer is just 14 bytes.

In the splat below, 2 bytes are overflown to the next int field,

arp_flags. We initialise the field just after the memcpy(), so it's

not a problem.

However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),

arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)

in arp_ioctl() before calling arp_req_get().

To avoid the overflow, let's limit the max length of memcpy().

Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible

array in struct sockaddr") just silenced syzkaller.

[0]:

memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)

WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128

Modules linked in:

CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31

Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014

RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128

Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6

RSP: 0018:ffffc900050b7998 EFLAGS: 00010286

RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000

RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001

RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000

R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000

R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010

FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000

DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

PKRU: 55555554

Call Trace:

<TASK>

arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261

inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981

sock_do_ioctl+0xdf/0x260 net/socket.c:1204

sock_ioctl+0x3ef/0x650 net/socket.c:1321

vfs_ioctl fs/ioctl.c:51 [inline]

__do_sys_ioctl fs/ioctl.c:870 [inline]

__se_sys_ioctl fs/ioctl.c:856 [inline]

__x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856

do_syscall_x64 arch/x86/entry/common.c:51 [inline]

do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81

entry_SYSCALL_64_after_hwframe+0x64/0xce

RIP: 0033:0x7f172b262b8d

Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010

RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d

RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003

RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000

</TASK>

NVD Source

Technical Analysis

CVE-2024-26733 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

From a weakness classification perspective (CWE-787): Out-of-bounds write vulnerabilities can lead to data corruption, crashes, or arbitrary code execution.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Debian1 product(s)
debian linux
Linux1 product(s)
linux kernel
netapp53 product(s)
a1k firmwarea1ka70 firmwarea70a90 firmwarea90a700s firmwarea700s8300 firmware83008700 firmware8700+41
Source: NVD CPE · 57 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (14)

Quick Facts

CVE IDCVE-2024-26733
CVSS Score5.5 / 10
SeverityMEDIUM
WeaknessCWE-787
CISA KEVNo
Affected3 vendor(s)
PublishedApr 3, 2024

Related CVEs (CWE-787)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2024-26733 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.