CVE-2024-41091

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 29/07/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tun: add missing verification for short frame

The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.

In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP.

This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does.

CVE: CVE-2024-41091
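A userspace model of the missing length check, added here as an illustration and not taken from the kernel's tun code or from the fix commit. The function names, the 64-byte buffer and the reused-buffer scenario are constructed for the example; only ETH_HLEN (14 bytes) matches the kernel constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14 /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define BUF_SIZE 64 /* constructed receive buffer size for this example */

/* Pre-fix model: reads the EtherType at offset 12 without comparing the
 * frame length against ETH_HLEN. */
static uint16_t ethertype_unchecked(const uint8_t *buf, size_t len)
{
    (void)len; /* the length is never consulted: this is the defect */
    return (uint16_t)((buf[12] << 8) | buf[13]);
}

/* Post-fix model: drop any frame shorter than the Ethernet header.
 * Returns 0 and stores the EtherType on success, -1 when dropped. */
static int ethertype_checked(const uint8_t *buf, size_t len, uint16_t *out)
{
    if (len < ETH_HLEN)
        return -1;
    *out = (uint16_t)((buf[12] << 8) | buf[13]);
    return 0;
}

/* Constructed scenario: a reused buffer still holds the EtherType of an
 * earlier IPv4 frame when a 6-byte frame arrives in the same buffer. */
static uint16_t stale_ethertype_seen_by_unchecked(void)
{
    uint8_t buf[BUF_SIZE];
    memset(buf, 0, sizeof(buf));
    buf[12] = 0x08; buf[13] = 0x00;     /* leftover EtherType 0x0800 */
    memset(buf, 0xff, 6);               /* new frame: only 6 valid bytes */
    return ethertype_unchecked(buf, 6); /* reads beyond the frame length */
}

/* The same 6-byte frame through the checked parser: expected to be dropped. */
static int short_frame_verdict_checked(void)
{
    uint8_t buf[BUF_SIZE] = {0};
    uint16_t et = 0;
    return ethertype_checked(buf, 6, &et);
}

int main(void)
{
    printf("unchecked: %#06x, checked verdict: %d\n",
           (unsigned)stale_ethertype_seen_by_unchecked(),
           short_frame_verdict_checked());
    return 0;
}
```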

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.281 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.223 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.164 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.102 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.43 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.10 (including) 6.10.2 (excluding)