CVE-2024-35888: erspan: make sure erspan_base_hdr is present in skb->head

Published May 19, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

erspan: make sure erspanbasehdr is present in skb->head

syzbot reported a problem in ip6erspanrcv() [1]

Issue is that ip6erspanrcv() (and erspanrcv()) no longer make sure erspanbasehdr is present in skb linear part (skb->head) before getting @ver field from it.

Add the missing pskbmaypull() calls.

v2: Reload iph pointer in erspanrcv() after pskbmaypull() because skb->head might have changed.

[1]

BUG: KMSAN: uninit-value in pskbmaypullreason include/linux/skbuff.h:2742 [inline] BUG: KMSAN: uninit-value in pskbmaypull include/linux/skbuff.h:2756 [inline] BUG: KMSAN: uninit-value in ip6erspanrcv net/ipv6/ip6gre.c:541 [inline] BUG: KMSAN: uninit-value in grercv+0x11f8/0x1930 net/ipv6/ip6gre.c:610 pskbmaypullreason include/linux/skbuff.h:2742 [inline] pskbmaypull include/linux/skbuff.h:2756 [inline] ip6erspanrcv net/ipv6/ip6gre.c:541 [inline] grercv+0x11f8/0x1930 net/ipv6/ip6gre.c:610 ip6protocoldeliverrcu+0x1d4c/0x2ca0 net/ipv6/ip6input.c:438 ip6inputfinish net/ipv6/ip6input.c:483 [inline] NFHOOK include/linux/netfilter.h:314 [inline] ip6input+0x15d/0x430 net/ipv6/ip6input.c:492 ip6mcinput+0xa7e/0xc80 net/ipv6/ip6input.c:586 dstinput include/net/dst.h:460 [inline] ip6rcvfinish+0x955/0x970 net/ipv6/ip6input.c:79 NFHOOK include/linux/netfilter.h:314 [inline] ipv6rcv+0xde/0x390 net/ipv6/ip6input.c:310 netifreceiveskbonecore net/core/dev.c:5538 [inline] netifreceiveskb+0x1da/0xa00 net/core/dev.c:5652 netifreceiveskbinternal net/core/dev.c:5738 [inline] netifreceiveskb+0x58/0x660 net/core/dev.c:5798 tunrxbatched+0x3ee/0x980 drivers/net/tun.c:1549 tungetuser+0x5566/0x69e0 drivers/net/tun.c:2002 tunchrwriteiter+0x3af/0x5d0 drivers/net/tun.c:2048 callwriteiter include/linux/fs.h:2108 [inline] newsyncwrite fs/readwrite.c:497 [inline] vfswrite+0xb63/0x1520 fs/readwrite.c:590 ksyswrite+0x20f/0x4c0 fs/readwrite.c:643 dosyswrite fs/readwrite.c:655 [inline] sesyswrite fs/readwrite.c:652 [inline] x64syswrite+0x93/0xe0 fs/readwrite.c:652 dosyscall64+0xd5/0x1f0 entrySYSCALL64afterhwframe+0x6d/0x75

Uninit was created at: slabpostallochook mm/slub.c:3804 [inline] slaballocnode mm/slub.c:3845 [inline] kmemcacheallocnode+0x613/0xc50 mm/slub.c:3888 kmallocreserve+0x13d/0x4a0 net/core/skbuff.c:577 allocskb+0x35b/0x7a0 net/core/skbuff.c:668 allocskb include/linux/skbuff.h:1318 [inline] allocskbwithfrags+0xc8/0xbf0 net/core/skbuff.c:6504 sockallocsendpskb+0xa81/0xbf0 net/core/sock.c:2795 tunallocskb drivers/net/tun.c:1525 [inline] tungetuser+0x209a/0x69e0 drivers/net/tun.c:1846 tunchrwriteiter+0x3af/0x5d0 drivers/net/tun.c:2048 callwriteiter include/linux/fs.h:2108 [inline] newsyncwrite fs/readwrite.c:497 [inline] vfswrite+0xb63/0x1520 fs/readwrite.c:590 ksyswrite+0x20f/0x4c0 fs/readwrite.c:643 dosyswrite fs/readwrite.c:655 [inline] sesyswrite fs/readwrite.c:652 [inline] x64syswrite+0x93/0xe0 fs/readwrite.c:652 dosyscall64+0xd5/0x1f0 entrySYSCALL64afterhwframe+0x6d/0x75

CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0

Other sources

In the Linux kernel, the following vulnerability has been resolved:

erspan: make sure erspanbasehdr is present in skb->head

The Linux kernel CVE team has assigned CVE-2024-35888 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024051947-CVE-2024-35888-1e04@gregkh/T

Red Hat

Affected Software

23 affected componentsFixes available
redhat/kernel<4.19.312
4.19.312
redhat/kernel<5.4.274
5.4.274
redhat/kernel<5.10.215
5.10.215
redhat/kernel<5.15.154
5.15.154
redhat/kernel<6.1.85
6.1.85
redhat/kernel<6.6.26
6.6.26
redhat/kernel<6.8.5
6.8.5
redhat/kernel<6.9
6.9
Linux Linux kernel>=4.19.20<4.19.312
Linux Linux kernel>=4.20.7<5.4.274
Linux Linux kernel>=5.5<5.10.215
Linux Linux kernel>=5.11<5.15.154
Linux Linux kernel>=5.16<6.1.85
Linux Linux kernel>=6.2<6.6.26
Linux Linux kernel>=6.7<6.8.5
Linux Linux kernel=6.9-rc1
Linux Linux kernel=6.9-rc2
Debian Debian Linux=10.0
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1

Remediation

Patch Available

https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac

Patch Available

https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446

Patch Available

https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0

Patch Available

https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d

Patch Available

https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d

Patch Available

https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85

Patch Available

https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5

Patch Available

https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7

Event History

May 19, 2024
CVE Published
via MITRE·08:34 AM
Data Sourced
via MITRE·08:34 AM
Description
Data Sourced
via NVD·09:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
May 20, 2024
Data Sourced
via Red Hat·11:54 AM
DescriptionSeverityAffected Software
Jul 15, 2024
Data Sourced
via Launchpad·07:46 PM
Description
Apr 27, 2025
Data Sourced
via Ubuntu·12:21 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-35888?

CVE-2024-35888 has a moderate severity level attributed to its exploitation potential in the Linux kernel.

2

How do I fix CVE-2024-35888?

To fix CVE-2024-35888, update your Linux kernel to the latest patched version available for your distribution.

3

Which versions of the Linux kernel are affected by CVE-2024-35888?

CVE-2024-35888 affects various versions of the Linux kernel up to 6.9 and including specific previous versions listed.

4

Is there any workaround for CVE-2024-35888?

There is no official workaround for CVE-2024-35888, so users should prioritize applying available patches.

5

What are the potential consequences of CVE-2024-35888 if exploited?

Exploitation of CVE-2024-35888 could lead to unsafe network packet handling, potentially compromising system integrity.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203