{"api_version":"1","generated_at":"2026-05-13T18:23:56+00:00","cve":"CVE-2024-35973","urls":{"html":"https://cve.report/CVE-2024-35973","api":"https://cve.report/api/cve/CVE-2024-35973.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-35973","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-35973"},"summary":{"title":"geneve: fix header validation in geneve[6]_xmit_skb","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n   - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024","state":"PUBLISHED","assigner":"Linux","published_at":"2024-05-20 10:15:12","updated_at":"2026-05-12 12:16:44"},"problem_types":["CWE-908","CWE-noinfo Not enough information"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef","name":"https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536","name":"https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e","name":"https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852","name":"https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915","name":"https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670","name":"https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79","name":"https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c","name":"https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-35973","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35973","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 35385daa8db320d2d9664930c28e732578b0d7de 43be590456e1f3566054ce78ae2dbb68cbe1a536 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6f92124d74419797fadfbcd5b7a72c384a6413ad d3adf11d7993518a39bd02b383cfe657ccc0023c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 71ad9260c001b217d704cda88ecea251b2d367da 10204df9beda4978bd1d0c2db0d8375bfb03b915 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d13f048dd40e8577260cd43faea8ec9b77520197 3c1ae6de74e3d2d6333d29a2d3e13e6094596c79 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d13f048dd40e8577260cd43faea8ec9b77520197 4a1b65d1e55d53b397cb27014208be1e04172670 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d13f048dd40e8577260cd43faea8ec9b77520197 190d9efa5773f26d6f334b1b8be282c4fa13fd5e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d13f048dd40e8577260cd43faea8ec9b77520197 357163fff3a6e48fe74745425a32071ec9caf852 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d13f048dd40e8577260cd43faea8ec9b77520197 d8a6213d70accb403b82924a1c229e733433a5ef git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9a51e36ebf433adf59c051bec33f5aa54640bb4d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 21815f28af8081b258552c111774ff320cf38d38 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.13","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.13 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.313 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.275 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.216 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.156 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.87 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.28 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8.7 6.8.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"RUGGEDCOM RST2428P","version":"affected V3.1 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","version":"unaffected * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","version":"affected V3.1 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"35973","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2024-35973","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-05-29T18:16:33.435108Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"description":"CWE-noinfo Not enough information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2024-10-29T19:56:09.359Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-02T03:21:49.047Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"RUGGEDCOM RST2428P","vendor":"Siemens","versions":[{"lessThan":"V3.1","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","vendor":"Siemens","versions":[{"lessThan":"*","status":"unaffected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","vendor":"Siemens","versions":[{"lessThan":"V3.1","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:53:20.615Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/geneve.c","include/net/ip_tunnels.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"43be590456e1f3566054ce78ae2dbb68cbe1a536","status":"affected","version":"35385daa8db320d2d9664930c28e732578b0d7de","versionType":"git"},{"lessThan":"d3adf11d7993518a39bd02b383cfe657ccc0023c","status":"affected","version":"6f92124d74419797fadfbcd5b7a72c384a6413ad","versionType":"git"},{"lessThan":"10204df9beda4978bd1d0c2db0d8375bfb03b915","status":"affected","version":"71ad9260c001b217d704cda88ecea251b2d367da","versionType":"git"},{"lessThan":"3c1ae6de74e3d2d6333d29a2d3e13e6094596c79","status":"affected","version":"d13f048dd40e8577260cd43faea8ec9b77520197","versionType":"git"},{"lessThan":"4a1b65d1e55d53b397cb27014208be1e04172670","status":"affected","version":"d13f048dd40e8577260cd43faea8ec9b77520197","versionType":"git"},{"lessThan":"190d9efa5773f26d6f334b1b8be282c4fa13fd5e","status":"affected","version":"d13f048dd40e8577260cd43faea8ec9b77520197","versionType":"git"},{"lessThan":"357163fff3a6e48fe74745425a32071ec9caf852","status":"affected","version":"d13f048dd40e8577260cd43faea8ec9b77520197","versionType":"git"},{"lessThan":"d8a6213d70accb403b82924a1c229e733433a5ef","status":"affected","version":"d13f048dd40e8577260cd43faea8ec9b77520197","versionType":"git"},{"status":"affected","version":"9a51e36ebf433adf59c051bec33f5aa54640bb4d","versionType":"git"},{"status":"affected","version":"21815f28af8081b258552c111774ff320cf38d38","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/geneve.c","include/net/ip_tunnels.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.13"},{"lessThan":"5.13","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.313","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.275","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.216","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.156","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.87","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.28","versionType":"semver"},{"lessThanOrEqual":"6.8.*","status":"unaffected","version":"6.8.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.9","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.313","versionStartIncluding":"4.19.191","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.275","versionStartIncluding":"5.4.119","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.216","versionStartIncluding":"5.10.37","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.156","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.87","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.28","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.8.7","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11.21","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12.4","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n   - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024"}],"providerMetadata":{"dateUpdated":"2026-05-11T20:14:47.242Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536"},{"url":"https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c"},{"url":"https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915"},{"url":"https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79"},{"url":"https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670"},{"url":"https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e"},{"url":"https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852"},{"url":"https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef"}],"title":"geneve: fix header validation in geneve[6]_xmit_skb","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-35973","datePublished":"2024-05-20T09:42:00.475Z","dateReserved":"2024-05-17T13:50:33.142Z","dateUpdated":"2026-05-12T11:53:20.615Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-05-20 10:15:12","lastModifiedDate":"2026-05-12 12:16:44","problem_types":["CWE-908","CWE-noinfo Not enough information"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.191","versionEndExcluding":"4.19.313","matchCriteriaId":"8DE67B9E-F9D2-4FE3-A847-2EA2AC09F9FA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.119","versionEndExcluding":"5.4.275","matchCriteriaId":"0951500F-5B0E-44FA-BD8D-C942D21B1F1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.37","versionEndExcluding":"5.10.216","matchCriteriaId":"3C6008FE-823E-46E6-9409-2900A14D2611"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11.21","versionEndExcluding":"5.12","matchCriteriaId":"5D4778B3-2521-408B-900C-9048E76A0D8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12.4","versionEndExcluding":"5.15.156","matchCriteriaId":"2C3529E0-954E-4B6E-AB01-04096743E8AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.87","matchCriteriaId":"BDA59296-EDB8-44CD-98E4-C08C051569E6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.28","matchCriteriaId":"8D6315B0-B3BA-406C-B0DB-51D9A63753F0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.8.7","matchCriteriaId":"531BDFB5-EF6A-4707-902E-146368303499"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*","matchCriteriaId":"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*","matchCriteriaId":"DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*","matchCriteriaId":"52048DDA-FC5A-4363-95A0-A6357B4D7F8C"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"35973","Ordinal":"1","Title":"geneve: fix header validation in geneve[6]_xmit_skb","CVE":"CVE-2024-35973","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"35973","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n   - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024","Type":"Description","Title":"geneve: fix header validation in geneve[6]_xmit_skb"}]}}}