CVE-2024-26752 (GCVE-0-2024-26752)

Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2025-05-04 12:54
VLAI?
Title
l2tp: pass correct message length to ip6_append_data
Summary
In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 559d697c5d072593d22b3e0bd8b8081108aeaf59 , < 4c3ce64bc9d36ca9164dd6c77ff144c121011aae (git)
Affected: 1fc793d68d50dee4782ef2e808913d5dd880bcc6 , < c1d3a84a67db910ce28a871273c992c3d7f9efb5 (git)
Affected: 96b2e1090397217839fcd6c9b6d8f5d439e705ed , < dcb4d14268595065c85dc5528056713928e17243 (git)
Affected: cd1189956393bf850b2e275e37411855d3bd86bb , < 0da15a70395182ee8cb75716baf00dddc0bea38d (git)
Affected: f6a7182179c0ed788e3755ee2ed18c888ddcc33f , < 13cd1daeea848614e585b2c6ecc11ca9c8ab2500 (git)
Affected: 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 , < 804bd8650a3a2bf3432375f8c97d5049d845ce56 (git)
Affected: 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 , < 83340c66b498e49353530e41542500fc8a4782d6 (git)
Affected: 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 , < 359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79 (git)
Affected: 7626b9fed53092aa2147978070e610ecb61af844 (git)
Affected: fe80658c08e3001c80c5533cd41abfbb0e0e28fd (git)
Create a notification for this product.
    Linux Linux Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 4.19.308 , ≤ 4.19.* (semver)
Unaffected: 5.4.270 , ≤ 5.4.* (semver)
Unaffected: 5.10.211 , ≤ 5.10.* (semver)
Unaffected: 5.15.150 , ≤ 5.15.* (semver)
Unaffected: 6.1.80 , ≤ 6.1.* (semver)
Unaffected: 6.6.19 , ≤ 6.6.* (semver)
Unaffected: 6.7.7 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26752",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-03T18:05:57.024676Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:48:58.719Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.330Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/l2tp/l2tp_ip6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4c3ce64bc9d36ca9164dd6c77ff144c121011aae",
              "status": "affected",
              "version": "559d697c5d072593d22b3e0bd8b8081108aeaf59",
              "versionType": "git"
            },
            {
              "lessThan": "c1d3a84a67db910ce28a871273c992c3d7f9efb5",
              "status": "affected",
              "version": "1fc793d68d50dee4782ef2e808913d5dd880bcc6",
              "versionType": "git"
            },
            {
              "lessThan": "dcb4d14268595065c85dc5528056713928e17243",
              "status": "affected",
              "version": "96b2e1090397217839fcd6c9b6d8f5d439e705ed",
              "versionType": "git"
            },
            {
              "lessThan": "0da15a70395182ee8cb75716baf00dddc0bea38d",
              "status": "affected",
              "version": "cd1189956393bf850b2e275e37411855d3bd86bb",
              "versionType": "git"
            },
            {
              "lessThan": "13cd1daeea848614e585b2c6ecc11ca9c8ab2500",
              "status": "affected",
              "version": "f6a7182179c0ed788e3755ee2ed18c888ddcc33f",
              "versionType": "git"
            },
            {
              "lessThan": "804bd8650a3a2bf3432375f8c97d5049d845ce56",
              "status": "affected",
              "version": "9d4c75800f61e5d75c1659ba201b6c0c7ead3070",
              "versionType": "git"
            },
            {
              "lessThan": "83340c66b498e49353530e41542500fc8a4782d6",
              "status": "affected",
              "version": "9d4c75800f61e5d75c1659ba201b6c0c7ead3070",
              "versionType": "git"
            },
            {
              "lessThan": "359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79",
              "status": "affected",
              "version": "9d4c75800f61e5d75c1659ba201b6c0c7ead3070",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7626b9fed53092aa2147978070e610ecb61af844",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fe80658c08e3001c80c5533cd41abfbb0e0e28fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/l2tp/l2tp_ip6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.308",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.211",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.308",
                  "versionStartIncluding": "4.19.296",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.270",
                  "versionStartIncluding": "5.4.258",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.211",
                  "versionStartIncluding": "5.10.198",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.150",
                  "versionStartIncluding": "5.15.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.80",
                  "versionStartIncluding": "6.1.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.19",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.7",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.327",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n     ulen = len + skb_queue_empty(\u0026sk-\u003esk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:54:40.861Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243"
        },
        {
          "url": "https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d"
        },
        {
          "url": "https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500"
        },
        {
          "url": "https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56"
        },
        {
          "url": "https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79"
        }
      ],
      "title": "l2tp: pass correct message length to ip6_append_data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26752",
    "datePublished": "2024-04-03T17:00:37.340Z",
    "dateReserved": "2024-02-19T14:20:24.169Z",
    "dateUpdated": "2025-05-04T12:54:40.861Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nl2tp: pass correct message length to ip6_append_data\\n\\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\\ntwice when splicing more data into an already partially-occupied skbuff.\\n\\nTo manage this, we check whether the skbuff contains data using\\nskb_queue_empty when deciding how much data to append using\\nip6_append_data.\\n\\nHowever, the code which performed the calculation was incorrect:\\n\\n     ulen = len + skb_queue_empty(\u0026sk-\u003esk_write_queue) ? transhdrlen : 0;\\n\\n...due to C operator precedence, this ends up setting ulen to\\ntranshdrlen for messages with a non-zero length, which results in\\ncorrupted packets on the wire.\\n\\nAdd parentheses to correct the calculation in line with the original\\nintent.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se resolvi\\u00f3 la siguiente vulnerabilidad: l2tp: pasa la longitud correcta del mensaje a ip6_append_data l2tp_ip6_sendmsg necesita evitar tener en cuenta el encabezado de transporte dos veces al unir m\\u00e1s datos en un skbuff ya parcialmente ocupado. Para gestionar esto, verificamos si skbuff contiene datos usando skb_queue_empty al decidir cu\\u00e1ntos datos agregar usando ip6_append_data. Sin embargo, el c\\u00f3digo que realiz\\u00f3 el c\\u00e1lculo era incorrecto: ulen = len + skb_queue_empty(\u0026amp;sk-\u0026gt;sk_write_queue)? transhdrlen : 0; ...debido a la precedencia del operador C, esto termina configurando ulen en transhdrlen para mensajes con una longitud distinta de cero, lo que resulta en paquetes corruptos en el cable. Agregue par\\u00e9ntesis para corregir el c\\u00e1lculo de acuerdo con la intenci\\u00f3n original.\"}]",
      "id": "CVE-2024-26752",
      "lastModified": "2024-11-21T09:02:59.473",
      "published": "2024-04-03T17:15:51.910",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Awaiting Analysis"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26752\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-03T17:15:51.910\",\"lastModified\":\"2025-03-17T16:57:11.283\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nl2tp: pass correct message length to ip6_append_data\\n\\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\\ntwice when splicing more data into an already partially-occupied skbuff.\\n\\nTo manage this, we check whether the skbuff contains data using\\nskb_queue_empty when deciding how much data to append using\\nip6_append_data.\\n\\nHowever, the code which performed the calculation was incorrect:\\n\\n     ulen = len + skb_queue_empty(\u0026sk-\u003esk_write_queue) ? transhdrlen : 0;\\n\\n...due to C operator precedence, this ends up setting ulen to\\ntranshdrlen for messages with a non-zero length, which results in\\ncorrupted packets on the wire.\\n\\nAdd parentheses to correct the calculation in line with the original\\nintent.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: l2tp: pasa la longitud correcta del mensaje a ip6_append_data l2tp_ip6_sendmsg necesita evitar tener en cuenta el encabezado de transporte dos veces al unir m\u00e1s datos en un skbuff ya parcialmente ocupado. Para gestionar esto, verificamos si skbuff contiene datos usando skb_queue_empty al decidir cu\u00e1ntos datos agregar usando ip6_append_data. Sin embargo, el c\u00f3digo que realiz\u00f3 el c\u00e1lculo era incorrecto: ulen = len + skb_queue_empty(\u0026amp;sk-\u0026gt;sk_write_queue)? transhdrlen : 0; ...debido a la precedencia del operador C, esto termina configurando ulen en transhdrlen para mensajes con una longitud distinta de cero, lo que resulta en paquetes corruptos en el cable. Agregue par\u00e9ntesis para corregir el c\u00e1lculo de acuerdo con la intenci\u00f3n original.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-131\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.296\",\"versionEndExcluding\":\"4.19.308\",\"matchCriteriaId\":\"A9FA566F-70F7-425E-992C-8E288E08DC71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.258\",\"versionEndExcluding\":\"5.4.270\",\"matchCriteriaId\":\"DB22468A-4B52-4E91-B35B-C94CAD2C78D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.198\",\"versionEndExcluding\":\"5.10.211\",\"matchCriteriaId\":\"86A99ADE-C508-4FC9-962C-012F03BBCEC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.135\",\"versionEndExcluding\":\"5.15.150\",\"matchCriteriaId\":\"097E59FD-F12D-4416-B356-2651F9C7AC68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.57\",\"versionEndExcluding\":\"6.1.80\",\"matchCriteriaId\":\"894FCF87-4C78-4DCF-9C4A-D8918A518E66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6\",\"versionEndExcluding\":\"6.6.19\",\"matchCriteriaId\":\"67629862-377E-46FA-A747-4A0BC6C42DD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.7\",\"matchCriteriaId\":\"575EE16B-67F2-4B5B-B5F8-1877715C898B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:4.14.327:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C403DCDD-EFA8-403C-9134-6C69953B8199\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.5.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0044DD2-D5B3-491C-B153-351DE4C1E042\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9F4EA73-0894-400F-A490-3A397AB7A517\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"056BD938-0A27-4569-B391-30578B309EE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F02056A5-B362-4370-9FF8-6F0BD384D520\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"62075ACE-B2A0-4B16-829D-B3DA5AE5CC41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"A780F817-2A77-4130-A9B7-5C25606314E3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:14:13.330Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26752\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-03T18:05:57.024676Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:21.718Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"l2tp: pass correct message length to ip6_append_data\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"559d697c5d072593d22b3e0bd8b8081108aeaf59\", \"lessThan\": \"4c3ce64bc9d36ca9164dd6c77ff144c121011aae\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1fc793d68d50dee4782ef2e808913d5dd880bcc6\", \"lessThan\": \"c1d3a84a67db910ce28a871273c992c3d7f9efb5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"96b2e1090397217839fcd6c9b6d8f5d439e705ed\", \"lessThan\": \"dcb4d14268595065c85dc5528056713928e17243\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"cd1189956393bf850b2e275e37411855d3bd86bb\", \"lessThan\": \"0da15a70395182ee8cb75716baf00dddc0bea38d\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f6a7182179c0ed788e3755ee2ed18c888ddcc33f\", \"lessThan\": \"13cd1daeea848614e585b2c6ecc11ca9c8ab2500\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9d4c75800f61e5d75c1659ba201b6c0c7ead3070\", \"lessThan\": \"804bd8650a3a2bf3432375f8c97d5049d845ce56\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9d4c75800f61e5d75c1659ba201b6c0c7ead3070\", \"lessThan\": \"83340c66b498e49353530e41542500fc8a4782d6\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9d4c75800f61e5d75c1659ba201b6c0c7ead3070\", \"lessThan\": \"359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7626b9fed53092aa2147978070e610ecb61af844\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"fe80658c08e3001c80c5533cd41abfbb0e0e28fd\", \"versionType\": \"git\"}], \"programFiles\": [\"net/l2tp/l2tp_ip6.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.6\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.308\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.270\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.211\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.150\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.80\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.19\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/l2tp/l2tp_ip6.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae\"}, {\"url\": \"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5\"}, {\"url\": \"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243\"}, {\"url\": \"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d\"}, {\"url\": \"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500\"}, {\"url\": \"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56\"}, {\"url\": \"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6\"}, {\"url\": \"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nl2tp: pass correct message length to ip6_append_data\\n\\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\\ntwice when splicing more data into an already partially-occupied skbuff.\\n\\nTo manage this, we check whether the skbuff contains data using\\nskb_queue_empty when deciding how much data to append using\\nip6_append_data.\\n\\nHowever, the code which performed the calculation was incorrect:\\n\\n     ulen = len + skb_queue_empty(\u0026sk-\u003esk_write_queue) ? transhdrlen : 0;\\n\\n...due to C operator precedence, this ends up setting ulen to\\ntranshdrlen for messages with a non-zero length, which results in\\ncorrupted packets on the wire.\\n\\nAdd parentheses to correct the calculation in line with the original\\nintent.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.308\", \"versionStartIncluding\": \"4.19.296\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.270\", \"versionStartIncluding\": \"5.4.258\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.211\", \"versionStartIncluding\": \"5.10.198\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.150\", \"versionStartIncluding\": \"5.15.135\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.80\", \"versionStartIncluding\": \"6.1.57\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.19\", \"versionStartIncluding\": \"6.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.7\", \"versionStartIncluding\": \"6.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\", \"versionStartIncluding\": \"6.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"4.14.327\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.5.7\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:54:40.861Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26752\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T12:54:40.861Z\", \"dateReserved\": \"2024-02-19T14:20:24.169Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-03T17:00:37.340Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.