CVE-2024-26803 in Linux
Summary
by MITRE • 04/04/2024
In the Linux kernel, the following vulnerability has been resolved:
net: veth: clear GRO when clearing XDP even when down
veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery.
The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features.
Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances.
We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer.
Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/04/2025
The vulnerability described in CVE-2024-26803 resides within the Linux kernel's virtual ethernet device implementation, specifically affecting the veth network driver. This issue stems from improper handling of Generic Receive Offload (GRO) flag management when XDP (eXpress Data Path) is enabled or disabled on virtual network interfaces. The root cause lies in the separation of concerns between network interface lifecycle management and feature flag synchronization, creating a scenario where network configuration states become inconsistent. The veth driver automatically sets NETIF_F_GRO when XDP is enabled because both features utilize the same underlying NAPI (Network API) subsystem for packet processing. This architectural relationship creates dependencies that must be carefully managed during interface state transitions.
The technical flaw manifests when a veth interface undergoes a sequence of operations that leaves the network feature flags in an inconsistent state. During normal operation, when XDP is enabled on a veth device, the driver correctly sets the GRO flag to ensure proper packet handling through the shared NAPI infrastructure. However, when XDP is subsequently disabled while the interface is in a down state, the driver fails to clear the GRO flag due to a conditional check that skips flag modifications when the IFF_UP flag is not set. This design decision prevents feature flag changes during interface shutdown, but inadvertently prevents proper cleanup during XDP disable operations when the interface is down. The subsequent interface up operation fails to restore the feature flags to their correct state, leaving a stale GRO flag that references non-existent NAPI instances.
This inconsistency creates a dangerous condition where the network stack attempts to synchronize interface features after an XDP disable operation followed by interface up operation. When feature synchronization occurs through user-space tools like ethtool or peer configuration changes, the driver attempts to disable NAPI instances that were never properly initialized during the XDP disable phase. The system encounters either a kernel hang when attempting to disable already-initialized NAPI structures or a kernel crash when trying to stop uninitialized high-resolution timers. This vulnerability represents a classic case of improper resource management and state synchronization in kernel networking subsystems, with the flaw classified under CWE-691 as "Insufficient Control Flow Management" and potentially related to CWE-129 as "Improper Validation of Array Index". The issue directly impacts the Linux kernel's network stack reliability and can lead to system instability or denial of service conditions.
The operational impact of this vulnerability extends beyond simple network connectivity issues to potentially causing system-wide instability in environments heavily reliant on virtualized networking or containerized applications. Network administrators using veth interfaces for container networking, virtual machine interconnectivity, or software-defined networking configurations face risks of system crashes or hangs when transitioning XDP states on virtual interfaces. The vulnerability affects systems running Linux kernel versions where the problematic code path exists, particularly impacting cloud environments, container orchestration platforms, and virtualization setups that utilize veth pairs extensively. Mitigation strategies should focus on kernel version updates that address the specific synchronization issue in the veth driver's XDP and GRO flag management. Additionally, administrators should monitor for network interface state changes that involve XDP enable/disable operations followed by interface up/down transitions, as these sequences can trigger the vulnerability. The fix implemented in the kernel resolves the issue by separating GRO flag updates from interface lifecycle management, ensuring that feature flags are properly synchronized with XDP state changes regardless of interface operational status, thereby maintaining consistency in the NAPI subsystem's initialization state.