CVE-2024-36929 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
net: core: reject skb_copy(_expand) for fraglist GSO skbs
SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become invalid. Return NULL if such an skb is passed to skb_copy or skb_copy_expand, in order to prevent a crash on a potential later call to skb_gso_segment.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/22/2026
The vulnerability identified as CVE-2024-36929 represents a critical flaw in the Linux kernel's networking subsystem that specifically targets the handling of Generic Segmentation Offload (GSO) skbs with fraglist characteristics. This issue resides within the network core component of the kernel where packet management occurs, making it particularly dangerous as it can affect the fundamental networking capabilities of affected systems. The vulnerability manifests when the kernel attempts to process certain types of network packets that have been marked with the SKB_GSO_FRAGLIST flag, which indicates that these packets are part of a fragmented transmission that requires special handling during segmentation operations.
The technical root cause of this vulnerability stems from the improper handling of fragment list GSO skbs during copy operations. When the kernel encounters an skb marked with SKB_GSO_FRAGLIST, it must not attempt to linearize these packets as doing so would invalidate the packet structure and corrupt the underlying data. The vulnerability occurs because the skb_copy and skb_copy_expand functions fail to properly validate whether the incoming skb has the fraglist flag set, allowing these operations to proceed with potentially invalid packet structures. This design flaw creates a scenario where subsequent calls to skb_gso_segment can trigger kernel crashes or system instability due to accessing corrupted memory structures. The vulnerability directly maps to CWE-121, which addresses stack-based buffer overflow conditions, and more specifically to CWE-122, which deals with heap-based buffer overflows, as the improper memory handling leads to invalid memory access patterns.
The operational impact of CVE-2024-36929 extends beyond simple system crashes, as it can potentially enable remote code execution under specific conditions. Attackers who can control network traffic to a vulnerable system may exploit this flaw by crafting malicious packets that trigger the problematic code path during packet processing. The vulnerability affects any Linux kernel version that includes the affected networking code, making it particularly concerning for enterprise environments where kernel updates may not be immediately deployed. Systems running network-intensive applications or serving as network gateways are at heightened risk, as these environments process large volumes of packets that could trigger the vulnerability. The issue also aligns with ATT&CK technique T1059.007, which covers command and control communications through remote services, as the kernel crash could potentially be leveraged to disrupt network services or create conditions for further exploitation.
Mitigation strategies for CVE-2024-36929 primarily focus on kernel updates that implement the proper validation checks for fraglist GSO skbs. The fix introduced in the patched kernel versions ensures that when skb_copy or skb_copy_expand functions encounter an SKB_GSO_FRAGLIST skb, they return NULL instead of attempting to process the invalid packet structure. This prevents the subsequent crash during skb_gso_segment calls by eliminating the possibility of operating on corrupted data. System administrators should prioritize applying the latest kernel security patches from their respective distributions, as the vulnerability cannot be effectively mitigated through configuration changes alone. Network monitoring solutions should also be enhanced to detect unusual packet patterns that might indicate exploitation attempts, particularly around GSO processing. Organizations running critical infrastructure should implement robust patch management procedures to ensure timely deployment of security updates, as this vulnerability could potentially be exploited to create denial of service conditions that impact network availability and system stability.