{"id":"AZL-40168","summary":"CVE-2024-26882 affecting package kernel for versions less than 6.6.29.1-3","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()\n\nApply the same fix than ones found in :\n\n8d975c15c0cd (\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n1ca1ba465e55 (\"geneve: make sure to pull inner header in geneve_rx()\")\n\nWe have to save skb-\u003enetwork_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb-\u003ehead.\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n  ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n  __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389\n  ipgre_rcv net/ipv4/ip_gre.c:411 [inline]\n  gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447\n  gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163\n  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n  dst_input include/net/dst.h:461 [inline]\n  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n  netif_receive_skb_internal net/core/dev.c:5734 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5793\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556\n  tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n  call_write_iter include/linux/fs.h:2087 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb6b/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n  __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133\n  alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204\n  skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909\n  tun_build_skb drivers/net/tun.c:1686 [inline]\n  tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n  call_write_iter include/linux/fs.h:2087 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb6b/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b","modified":"2026-04-01T05:13:33.619321Z","published":"2024-04-17T11:15:10Z","upstream":["CVE-2024-26882"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26882"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.29.1-3"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-40168.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}