CVE-2024-49948 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
net: add more sanity checks to qdisc_pkt_len_init()
One path takes care of SKB_GSO_DODGY, assuming skb->len is bigger than hdr_len.
virtio_net_hdr_to_skb() does not fully dissect TCP headers, it only make sure it is at least 20 bytes.
It is possible for an user to provide a malicious 'GSO' packet, total length of 80 bytes.
- 20 bytes of IPv4 header - 60 bytes TCP header - a small gso_size like 8
virtio_net_hdr_to_skb() would declare this packet as a normal GSO packet, because it would see 40 bytes of payload, bigger than gso_size.
We need to make detect this case to not underflow qdisc_skb_cb(skb)->pkt_len.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/18/2026
The vulnerability CVE-2024-49948 represents a critical flaw in the Linux kernel's networking subsystem that affects the handling of Generic Segmentation Offload (GSO) packets within the qdisc_pkt_len_init() function. This issue stems from insufficient validation checks during the processing of network packets that utilize GSO capabilities, creating a potential avenue for denial of service attacks and malformed packet exploitation. The vulnerability specifically impacts the virtio_net driver's ability to properly dissect TCP headers, which leads to incorrect packet length calculations and subsequent buffer underflow conditions.
The technical implementation flaw occurs when the virtio_net_hdr_to_skb() function processes packets with maliciously crafted GSO configurations. This function performs incomplete TCP header dissection, only ensuring that the header meets a minimum size requirement of 20 bytes rather than fully validating the complete header structure. When an attacker constructs a packet with a total length of 80 bytes consisting of a 20-byte IPv4 header, 60-byte TCP header, and a minimal gso_size of 8 bytes, the system incorrectly identifies this as a normal GSO packet. The function perceives 40 bytes of payload exceeding the gso_size threshold, leading to erroneous packet length calculations that fail to account for the actual packet structure.
The operational impact of this vulnerability extends beyond simple packet processing failures to potentially enable more sophisticated attack vectors. When qdisc_skb_cb(skb)->pkt_len experiences underflow conditions due to the incorrect packet length calculations, it creates a state where the kernel's packet queueing system operates on invalid data. This condition can result in kernel memory corruption, system instability, and potential privilege escalation opportunities. The vulnerability particularly affects systems running virtualized environments that rely heavily on virtio_net drivers, making cloud computing platforms and virtual machine deployments especially susceptible to exploitation.
Mitigation strategies for CVE-2024-49948 require immediate kernel updates from vendors that include the patched qdisc_pkt_len_init() function with enhanced sanity checks. System administrators should prioritize applying security patches that implement proper validation of GSO packet structures before processing, ensuring that TCP header dissection completes fully rather than relying on minimum size assumptions. The fix addresses the underlying CWE-129 vulnerability category related to insufficient boundary checking, while also providing protection against potential ATT&CK techniques involving kernel memory manipulation and privilege escalation. Organizations should also implement network monitoring to detect anomalous GSO packet patterns and establish robust patch management processes to prevent exploitation of similar vulnerabilities in the networking stack.
The resolution of this vulnerability demonstrates the critical importance of comprehensive input validation in kernel space operations, particularly when handling network protocols that involve complex header structures and segmentation mechanisms. This flaw exemplifies how seemingly minor implementation shortcuts in protocol handling can create significant security risks, emphasizing the need for rigorous testing of edge cases in kernel networking code. The fix reinforces defensive programming principles that require complete header validation rather than partial assumptions, thereby preventing similar issues from arising in other network processing functions that may be vulnerable to analogous underflow conditions.