CVE-2024-26752
Published: Apr 3, 2024
Modified: May 23, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 559d697c5d072593d22b3e0bd8b8081108aeaf59 - < 4c3ce64bc9d36ca9164dd6c77ff144c121011aaeaffected 1fc793d68d50dee4782ef2e808913d5dd880bcc6 - < c1d3a84a67db910ce28a871273c992c3d7f9efb5affected 96b2e1090397217839fcd6c9b6d8f5d439e705ed - < dcb4d14268595065c85dc5528056713928e17243affected cd1189956393bf850b2e275e37411855d3bd86bb - < 0da15a70395182ee8cb75716baf00dddc0bea38daffected f6a7182179c0ed788e3755ee2ed18c888ddcc33f - < 13cd1daeea848614e585b2c6ecc11ca9c8ab2500+12 more versions |
Linux | Linux | affected 6.6unaffected 0 - < 6.6unaffected 4.19.308 - <= 4.19.*unaffected 5.4.270 - <= 5.4.*unaffected 5.10.211 - <= 5.10.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now