Vulnerabilities > CVE-2024-26752 - Incorrect Calculation of Buffer Size vulnerability in multiple products

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

linux

debian

CWE-131

NVD

Published: 2024-04-03

Updated: 2025-03-17

Summary

In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent.

Vulnerable Configurations

Part	Description	Count
OS	Linux Linux Linux Kernel 6.8 Linux Linux Kernel 6.7 Linux Linux Kernel 6.7.1 Linux Linux Kernel 6.7.2 Linux Linux Kernel 6.7.3 Linux Linux Kernel 6.7.4 Linux Linux Kernel 6.7.5 Linux Linux Kernel 6.7.6 Linux Linux Kernel 4.19.296 Linux Linux Kernel 4.19.297 Linux Linux Kernel 4.19.298 Linux Linux Kernel 4.19.299 Linux Linux Kernel 4.19.300 Linux Linux Kernel 4.19.301 Linux Linux Kernel 4.19.302 Linux Linux Kernel 4.19.303 Linux Linux Kernel 4.19.304 Linux Linux Kernel 4.19.305 Linux Linux Kernel 4.19.306 Linux Linux Kernel 4.19.307 Linux Linux Kernel 5.4.258 Linux Linux Kernel 5.4.259 Linux Linux Kernel 5.4.260 Linux Linux Kernel 5.4.261 Linux Linux Kernel 5.4.262 Linux Linux Kernel 5.4.263 Linux Linux Kernel 5.4.264 Linux Linux Kernel 5.4.265 Linux Linux Kernel 5.4.266 Linux Linux Kernel 5.4.267 Linux Linux Kernel 5.4.268 Linux Linux Kernel 5.4.269 Linux Linux Kernel 5.10.198 Linux Linux Kernel 5.10.199 Linux Linux Kernel 5.10.200 Linux Linux Kernel 5.10.201 Linux Linux Kernel 5.10.202 Linux Linux Kernel 5.10.203 Linux Linux Kernel 5.10.204 Linux Linux Kernel 5.10.205 Linux Linux Kernel 5.10.206 Linux Linux Kernel 5.10.207 Linux Linux Kernel 5.10.208 Linux Linux Kernel 5.10.209 Linux Linux Kernel 5.10.210 Linux Linux Kernel 5.15.135 Linux Linux Kernel 5.15.136 Linux Linux Kernel 5.15.137 Linux Linux Kernel 5.15.138 Linux Linux Kernel 5.15.139 Linux Linux Kernel 5.15.140 Linux Linux Kernel 5.15.141 Linux Linux Kernel 5.15.142 Linux Linux Kernel 5.15.143 Linux Linux Kernel 5.15.144 Linux Linux Kernel 5.15.145 Linux Linux Kernel 5.15.146 Linux Linux Kernel 5.15.147 Linux Linux Kernel 5.15.148 Linux Linux Kernel 5.15.149 Linux Linux Kernel 6.1.57 Linux Linux Kernel 6.1.58 Linux Linux Kernel 6.1.59 Linux Linux Kernel 6.1.60 Linux Linux Kernel 6.1.61 Linux Linux Kernel 6.1.62 Linux Linux Kernel 6.1.63 Linux Linux Kernel 6.1.64 Linux Linux Kernel 6.1.65 Linux Linux Kernel 6.1.66 Linux Linux Kernel 6.1.67 Linux Linux Kernel 6.1.68 Linux Linux Kernel 6.1.69 Linux Linux Kernel 6.1.70 Linux Linux Kernel 6.1.71 Linux Linux Kernel 6.1.72 Linux Linux Kernel 6.1.73 Linux Linux Kernel 6.1.74 Linux Linux Kernel 6.1.75 Linux Linux Kernel 6.1.76 Linux Linux Kernel 6.1.77 Linux Linux Kernel 6.1.78 Linux Linux Kernel 6.1.79 Linux Linux Kernel 6.6 Linux Linux Kernel 6.6.1 Linux Linux Kernel 6.6.2 Linux Linux Kernel 6.6.3 Linux Linux Kernel 6.6.4 Linux Linux Kernel 6.6.5 Linux Linux Kernel 6.6.6 Linux Linux Kernel 6.6.7 Linux Linux Kernel 6.6.8 Linux Linux Kernel 6.6.9 Linux Linux Kernel 6.6.10 Linux Linux Kernel 6.6.11 Linux Linux Kernel 6.6.12 Linux Linux Kernel 6.6.13 Linux Linux Kernel 6.6.14 Linux Linux Kernel 6.6.15 Linux Linux Kernel 6.6.16 Linux Linux Kernel 6.6.17 Linux Linux Kernel 6.6.18 Linux Linux Kernel 4.14.327 Linux Linux Kernel 6.5.7	123
OS	Debian Debian Debian Linux 10.0	1

Common Weakness Enumeration (CWE)

CWE-131 - Incorrect Calculation of Buffer Size

Common Attack Pattern Enumeration and Classification (CAPEC)

Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References