CVE-2024-49978 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
gso: fix udp gso fraglist segmentation after pull from frag_list
Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly.
Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants.
In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest.
Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability CVE-2024-49978 addresses a critical issue in the Linux kernel's Generic Segmentation Offload (GSO) implementation specifically affecting UDP packet handling. This flaw exists within the network stack's packet segmentation logic where the kernel must properly handle fragmented packets that are being processed through the GSO mechanism. The vulnerability stems from improper handling of SKB_GSO_FRAGLIST skbs when optional datapath hooks such as Network Address Translation (NAT) or Berkeley Packet Filter (BPF) operations modify these packets, causing the segmentation invariants to become corrupted. When these modified skbs are processed through the UDP GSO fraglist path, the kernel's assumptions about packet structure break down, leading to potential system instability.
The technical root cause involves the kernel's expectation that GSO fraglist skbs maintain specific geometric invariants during packet processing. Valid fraglist skbs must consist of a head_skb containing protocol headers plus the first gso_size of data, with one or more frag_list skbs each holding exactly one segment, where all segments except the last must be exactly gso_size in length. However, when optional hooks like bpf_skb_pull_data operate on these packets, they can pull all data into the linear portion of the skb, completely disrupting the expected structure. This corruption particularly affects UDP packets where the __udpv4_gso_segment_list_csum function attempts to access the destination port field from a NULL pointer dereference when processing the seg->next->udp_hdr structure. The vulnerability represents a classic case of improper error handling and validation where the kernel fails to detect corrupted packet structures and gracefully handle them instead of crashing.
The operational impact of this vulnerability extends beyond simple system crashes to potentially enable denial of service attacks against network services running on Linux systems. When an attacker can trigger the specific conditions that cause the bpf_skb_pull_data hook to modify fraglist skbs inappropriately, they can force the kernel into a state where it attempts to access NULL pointers during UDP packet processing. This can result in kernel oops, system hangs, or even complete system crashes depending on the specific conditions and timing of the attack. The vulnerability affects systems that utilize GSO with UDP traffic and optional datapath hooks, making it particularly concerning for network appliances, firewalls, and any system that relies on BPF or NAT operations in conjunction with high-throughput UDP packet processing. The security implications align with CWE-476 which addresses null pointer dereference vulnerabilities, and could potentially map to ATT&CK technique T1499.004 for network disruption through system resource exhaustion or instability.
The mitigation strategy involves implementing proper validation checks within the kernel's packet processing pipeline to detect when fraglist skbs have been corrupted by optional datapath hooks. The solution requires detecting invalid geometry due to pull operations by examining head_skb size and converting problematic skbs to a format that can be properly handled by the regular skb_segment function instead of attempting to process them through the specialized fraglist path that causes the NULL pointer dereference. This approach ensures that corrupted packets are handled gracefully rather than causing system crashes, maintaining system stability while preserving network functionality. The fix essentially transforms potentially fatal errors into recoverable conditions that allow network traffic to continue flowing normally, preventing the blackholing of network destinations that could occur if the packets were simply dropped. This defensive programming approach aligns with secure coding practices that emphasize proper error detection and graceful degradation rather than system crashes when encountering unexpected input conditions.