net: openvswitch: fix overwriting ct original tuple for ICMPv6
Summary
| CVE | CVE-2024-38558 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-06-19 14:15:15 UTC |
| Updated | 2026-05-12 12:16:52 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix overwriting ct original tuple for ICMPv6 OVS_PACKET_CMD_EXECUTE has 3 main attributes: - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. - OVS_PACKET_ATTR_PACKET - Binary packet content. - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet. OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure with the metadata like conntrack state, input port, recirculation id, etc. Then the packet itself gets parsed to populate the rest of the keys from the packet headers. Whenever the packet parsing code starts parsing the ICMPv6 header, it first zeroes out fields in the key corresponding to Neighbor Discovery information even if it is not an ND packet. It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares the space between 'nd' and 'ct_orig' that holds the original tuple conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. ND packets should not normally have conntrack state, so it's fine to share the space, but normal ICMPv6 Echo packets or maybe other types of ICMPv6 can have the state attached and it should not be overwritten. The issue results in all but the last 4 bytes of the destination address being wiped from the original conntrack tuple leading to incorrect packet matching and potentially executing wrong actions in case this packet recirculates within the datapath or goes back to userspace. ND fields should not be accessed in non-ND packets, so not clearing them should be fine. Executing memset() only for actual ND packets to avoid the issue. Initializing the whole thing before parsing is needed because ND packet may not contain all the options. The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't affect packets entering OVS datapath from network interfaces, because in this case CT metadata is populated from skb after the packet is already parsed. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-665
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 6a51ac92bf35d34b4996d6eb67e2fe469f573b11 git | Not specified |
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 0b532f59437f688563e9c58bdc1436fefa46e3b5 git | Not specified |
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 5ab6aecbede080b44b8e34720ab72050bf1e6982 git | Not specified |
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 483eb70f441e2df66ade78aa7217e6e4caadfef3 git | Not specified |
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6 git | Not specified |
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 78741b4caae1e880368cb2f5110635f3ce45ecfd git | Not specified |
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 431e9215576d7b728f3f53a704d237a520092120 git | Not specified |
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc d73fb8bddf89503c9fae7c42e50d44c89909aad6 git | Not specified |
| CNA | Linux | Linux | affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 7c988176b6c16c516474f6fceebe0f055af5eb56 git | Not specified |
| CNA | Linux | Linux | affected 4.11 | Not specified |
| CNA | Linux | Linux | unaffected 4.11 semver | Not specified |
| CNA | Linux | Linux | unaffected 4.19.316 4.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.4.278 5.4.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.219 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.161 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.93 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.33 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.8.12 6.8.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.9.3 6.9.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.10 * original_commit_for_fix | Not specified |
| ADP | Siemens | RUGGEDCOM RST2428P | affected V3.1 custom | Not specified |
| ADP | Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family | unaffected * custom | Not specified |
| ADP | Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 Family | affected V3.1 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem | affected * custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-265688.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-613116.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2024/06/msg00020.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.