Linux Kernel up to 6.1.84/6.6.25/6.8.4/6.9-rc1 ct_act.c ip_local_out privilege escalation

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.4 | $0-$5k | 0.00 |
Summary
A vulnerability rated as problematic has been identified in Linux Kernel up to 6.1.84/6.6.25/6.8.4/6.9-rc1. The affected code is the IP fragment reassembly path (ip_defrag()) when it is reached from the transmit pipeline, i.e. from ip_local_out() and similar functions that pass skb->sk down as an argument, through netfilter, openvswitch or the tc act_ct action. Because ip_defrag() unconditionally orphaned the skb, the socket could be released while the output path was still using it.
This vulnerability is tracked as CVE-2024-26921. No public exploit is known.
Upgrading the affected component is recommended.
Details
A vulnerability was found in Linux Kernel up to 6.1.84/6.6.25/6.8.4/6.9-rc1. It has been rated as problematic. The issue lies in the fragment reassembly (ip_defrag()) path reached from ip_local_out() and other output-path callers; the "ct_act.c" named in the commit message refers to the tc conntrack action module (net/sched/act_ct.c), and the fix itself lands in the inet fragment core. The CVE description summarizes:
In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use

ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released.

This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.

Eric Dumazet made an initial analysis of this bug. Quoting Eric:

  Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing.

  A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()")

  [..]

  net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one.

  If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly.

  We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used.

Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this:

If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accounting to reflect the fully reassembled skb, else wmem will underflow.

This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered.

This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue.

In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine.

In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accounting when inet_frag inflates truesize.
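The orphan-too-early problem and the fix described in the commit message above, as an added userspace model written for this page (not kernel code and not taken from the patch): struct sock, struct sk_buff, skb_orphan(), sock_wfree(), skb_set_owner_w() and the fragment queue are simplified stand-ins, the two fragments and their truesize values are constructed, and fragments are assumed to arrive in order so the completing skb is never the head. run_tx(0) follows the pre-fix behaviour (orphan on entry to ip_defrag()), run_tx(1) the post-fix behaviour (orphan only when queued, otherwise steal the sk, reattach it to the head and re-charge wmem).

```c
/* Userspace model of the skb->sk lifetime bug fixed by CVE-2024-26921.
 * Added example, not kernel code: all structures and helpers below are
 * simplified stand-ins. Fragments are assumed to arrive in order. */
#include <stdio.h>
#include <string.h>

struct sock {
    int refcnt;      /* references held (here: only by in-flight skbs) */
    int wmem_alloc;  /* bytes charged to the socket (sk_wmem_alloc) */
    int released;    /* set once refcnt reaches zero: memory may be reused */
};

struct sk_buff {
    struct sock *sk;            /* owning socket, NULL once orphaned */
    int truesize;
    struct sk_buff *frag_list;  /* next fragment once folded into the head */
};

struct frag_queue {
    struct sk_buff *head, *tail;
    int complete;               /* last fragment has been queued */
};

static void sock_put(struct sock *sk) { if (--sk->refcnt == 0) sk->released = 1; }

/* sock_wfree(): destructor of socket-owned skbs: uncharge truesize, drop reference. */
static void sock_wfree(struct sk_buff *skb) {
    skb->sk->wmem_alloc -= skb->truesize;
    sock_put(skb->sk);
    skb->sk = NULL;
}

static void skb_orphan(struct sk_buff *skb) { if (skb->sk) sock_wfree(skb); }

static void skb_set_owner_w(struct sk_buff *skb, struct sock *sk) {
    skb->sk = sk;
    sk->refcnt++;
    sk->wmem_alloc += skb->truesize;
}

static void frag_queue_add(struct frag_queue *q, struct sk_buff *skb, int last) {
    if (!q->head) q->head = skb; else q->tail->frag_list = skb;
    q->tail = skb;
    if (last) q->complete = 1;
}

/* Reassembly completion: head->truesize inflates to cover every queued fragment. */
static struct sk_buff *reasm_finish(struct frag_queue *q) {
    struct sk_buff *head = q->head, *fp;
    int sum = 0;
    for (fp = head; fp; fp = fp->frag_list) sum += fp->truesize;
    head->truesize = sum;
    memset(q, 0, sizeof *q);
    return head;
}

/* Pre-fix: ip_defrag() always orphans on entry. If this fragment completes the
 * datagram, the head handed back to the tx path owns no socket, and if the skb
 * held the socket's last reference the socket is gone while the caller still
 * dereferences the sk it was passed. */
static struct sk_buff *ip_defrag_buggy(struct frag_queue *q, struct sk_buff *skb, int last) {
    skb_orphan(skb);
    frag_queue_add(q, skb, last);
    return q->complete ? reasm_finish(q) : NULL;
}

/* Post-fix: orphan only when the skb is queued (it never leaves the reasm engine).
 * When it completes the datagram, move its sk to the head and re-charge wmem for
 * the inflated truesize so that a later sock_wfree(head) balances exactly. */
static struct sk_buff *ip_defrag_fixed(struct frag_queue *q, struct sk_buff *skb, int last) {
    struct sock *sk = skb->sk;
    struct sk_buff *head;
    frag_queue_add(q, skb, last);
    if (!q->complete) { skb_orphan(skb); return NULL; }
    skb->sk = NULL;                      /* steal the reference, do not drop it */
    head = reasm_finish(q);
    if (sk) { head->sk = sk; sk->wmem_alloc += head->truesize - skb->truesize; }
    return head;
}

struct tx_result {
    int sk_released_during_tx;  /* socket freed while the tx path still used it */
    int head_owned_by_sk;       /* reassembled head carries the socket */
    int wmem_after_free;        /* charge left after the head is finally freed */
    int refcnt_after_free;
};

/* Drive two constructed fragments (truesize 400 and 200) of one datagram through
 * the tx-side defrag hook. Userspace has already closed the socket, so the
 * in-flight skbs hold its only references. */
static struct tx_result run_tx(int use_fix) {
    struct sock sk = {0};
    struct sk_buff frag[2] = {{0}};
    struct frag_queue q = {0};
    struct tx_result r = {0};
    struct sk_buff *head;
    struct sock *sk_in_use;

    frag[0].truesize = 400;
    frag[1].truesize = 200;
    skb_set_owner_w(&frag[0], &sk);
    skb_set_owner_w(&frag[1], &sk);

    head = use_fix ? ip_defrag_fixed(&q, &frag[0], 0) : ip_defrag_buggy(&q, &frag[0], 0);
    if (head) return r;                  /* first fragment must be queued */

    /* ip_local_out() passed skb->sk down by value and keeps using it after the hook. */
    sk_in_use = frag[1].sk;
    head = use_fix ? ip_defrag_fixed(&q, &frag[1], 1) : ip_defrag_buggy(&q, &frag[1], 1);

    r.sk_released_during_tx = sk_in_use->released;
    r.head_owned_by_sk = head && head->sk == &sk;
    if (r.head_owned_by_sk) skb_orphan(head);   /* tx done: destructor runs now */
    r.wmem_after_free = sk.wmem_alloc;
    r.refcnt_after_free = sk.refcnt;
    return r;
}

int main(void) {
    struct tx_result b = run_tx(0), a = run_tx(1);
    printf("pre-fix : sk released during tx=%d, head owns sk=%d\n", b.sk_released_during_tx, b.head_owned_by_sk);
    printf("post-fix: sk released during tx=%d, head owns sk=%d, wmem after free=%d, refcnt after free=%d\n",
           a.sk_released_during_tx, a.head_owned_by_sk, a.wmem_after_free, a.refcnt_after_free);
    return 0;
}
```

In the pre-fix path the completing fragment's sk is dropped on entry, so a socket whose only remaining references were in-flight skbs is released while ip_local_out() still holds the pointer. In the post-fix path the reference moves to the reassembled head and the socket's wmem charge is raised to the inflated truesize; that is what keeps sock_wfree() from underflowing when ip_do_fragment() later re-fragments the head and copies head->sk into each new fragment.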
The advisory is available at git.kernel.org. The issue has been tracked as CVE-2024-26921 since 02/19/2024. VulDB rates the exploitation as easy. Technical details are public, but no exploit is available.
The vulnerability scanner Nessus provides plugin ID 210084 (Amazon Linux 2 : kernel (ALASKERNEL-5.10-2024-072)), which detects the flaw in a target environment.
Upgrading to version 6.1.85, 6.6.26, 6.8.5 or 6.9-rc2 eliminates this vulnerability. Applying the patch 7d0567842b78/f4877225313d/e09cbe017311/18685451fc4e also resolves the problem; the bugfix is available at git.kernel.org. Upgrading to the latest version is the recommended mitigation. Note that the Nessus plugin targets the Amazon Linux 2 5.10 kernel series, so older stable branches are also affected and receive the fix as distribution backports; check the distribution advisory rather than relying on the upstream version list alone.
The vulnerability is also documented in the databases at Tenable (210084) and CERT Bund (WID-SEC-2025-1293).
Affected
- Ubuntu Linux
- IBM DataPower Gateway
Product
Name: Linux Kernel
Vendor: kernel.org
Version
- 6.6.0
- 6.6.1
- 6.6.2
- 6.6.3
- 6.6.4
- 6.6.5
- 6.6.6
- 6.6.7
- 6.6.8
- 6.6.9
- 6.6.10
- 6.6.11
- 6.6.12
- 6.6.13
- 6.6.14
- 6.6.15
- 6.6.16
- 6.6.17
- 6.6.18
- 6.6.19
- 6.6.20
- 6.6.21
- 6.6.22
- 6.6.23
- 6.6.24
- 6.6.25
- 6.8.0
- 6.8.1
- 6.8.2
- 6.8.3
- 6.8.4
- 6.9-rc1
- 6.1.0
- 6.1.1
- 6.1.2
- 6.1.3
- 6.1.4
- 6.1.5
- 6.1.6
- 6.1.7
- 6.1.8
- 6.1.9
- 6.1.10
- 6.1.11
- 6.1.12
- 6.1.13
- 6.1.14
- 6.1.15
- 6.1.16
- 6.1.17
- 6.1.18
- 6.1.19
- 6.1.20
- 6.1.21
- 6.1.22
- 6.1.23
- 6.1.24
- 6.1.25
- 6.1.26
- 6.1.27
- 6.1.28
- 6.1.29
- 6.1.30
- 6.1.31
- 6.1.32
- 6.1.33
- 6.1.34
- 6.1.35
- 6.1.36
- 6.1.37
- 6.1.38
- 6.1.39
- 6.1.40
- 6.1.41
- 6.1.42
- 6.1.43
- 6.1.44
- 6.1.45
- 6.1.46
- 6.1.47
- 6.1.48
- 6.1.49
- 6.1.50
- 6.1.51
- 6.1.52
- 6.1.53
- 6.1.54
- 6.1.55
- 6.1.56
- 6.1.57
- 6.1.58
- 6.1.59
- 6.1.60
- 6.1.61
- 6.1.62
- 6.1.63
- 6.1.64
- 6.1.65
- 6.1.66
- 6.1.67
- 6.1.68
- 6.1.69
- 6.1.70
- 6.1.71
- 6.1.72
- 6.1.73
- 6.1.74
- 6.1.75
- 6.1.76
- 6.1.77
- 6.1.78
- 6.1.79
- 6.1.80
- 6.1.81
- 6.1.82
- 6.1.83
- 6.1.84
Website
- Vendor: https://www.kernel.org/
CVSSv3
VulDB Meta Base Score: 5.5
VulDB Meta Temp Score: 5.4
VulDB Base Score: 5.5
VulDB Temp Score: 5.3
NVD Base Score: 5.5
Exploiting
Class: Privilege escalation
CWE: Unknown
Physical: Partially
Local: Yes
Remote: Partially
Status: Not defined
Nessus ID: 210084
Nessus Name: Amazon Linux 2 : kernel (ALASKERNEL-5.10-2024-072)
Countermeasures
Recommended: Upgrade
Upgrade: Kernel 6.1.85/6.6.26/6.8.5/6.9-rc2
Patch: 7d0567842b78/f4877225313d/e09cbe017311/18685451fc4e
Timeline
02/19/2024 CVE-2024-26921 assigned
04/18/2024 Advisory disclosed
04/18/2024 VulDB entry created
12/04/2025 VulDB entry updated
Sources
Vendor: kernel.org
Advisory: git.kernel.org
Status: Confirmed
CVE: CVE-2024-26921
GCVE (CVE): GCVE-0-2024-26921
GCVE (VulDB): GCVE-100-261476
CERT Bund: WID-SEC-2025-1293 - IBM DataPower Gateway: Multiple vulnerabilities
Entry
Created: 04/18/2024 12:57
Updated: 12/04/2025 21:13
Changes: 04/18/2024 12:57 (56), 11/02/2024 11:26 (2), 11/08/2024 19:38 (1), 09/16/2025 20:09 (10), 12/04/2025 21:13 (7)