{"api_version":"1","generated_at":"2026-05-13T03:11:58+00:00","cve":"CVE-2024-38558","urls":{"html":"https://cve.report/CVE-2024-38558","api":"https://cve.report/api/cve/CVE-2024-38558.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-38558","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-38558"},"summary":{"title":"net: openvswitch: fix overwriting ct original tuple for ICMPv6","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc.  Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field.  However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine.  Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.","state":"PUBLISHED","assigner":"Linux","published_at":"2024-06-19 14:15:15","updated_at":"2026-05-12 12:16:52"},"problem_types":["CWE-665"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3","name":"https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6","name":"https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56","name":"https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120","name":"https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982","name":"https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6","name":"https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11","name":"https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd","name":"https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5","name":"https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-38558","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38558","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 6a51ac92bf35d34b4996d6eb67e2fe469f573b11 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 0b532f59437f688563e9c58bdc1436fefa46e3b5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 5ab6aecbede080b44b8e34720ab72050bf1e6982 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 483eb70f441e2df66ade78aa7217e6e4caadfef3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 78741b4caae1e880368cb2f5110635f3ce45ecfd git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 431e9215576d7b728f3f53a704d237a520092120 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc d73fb8bddf89503c9fae7c42e50d44c89909aad6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc 7c988176b6c16c516474f6fceebe0f055af5eb56 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.11","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.11 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.316 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.278 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.219 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.161 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.93 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.33 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8.12 6.8.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9.3 6.9.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.10 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"RUGGEDCOM RST2428P","version":"affected V3.1 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","version":"unaffected * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","version":"affected V3.1 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"38558","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-38558","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-06-24T18:25:00.443395Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-24T18:25:07.878Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-04T17:21:25.696Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"RUGGEDCOM RST2428P","vendor":"Siemens","versions":[{"lessThan":"V3.1","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","vendor":"Siemens","versions":[{"lessThan":"*","status":"unaffected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","vendor":"Siemens","versions":[{"lessThan":"V3.1","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:54:37.352Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/openvswitch/flow.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"6a51ac92bf35d34b4996d6eb67e2fe469f573b11","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"},{"lessThan":"0b532f59437f688563e9c58bdc1436fefa46e3b5","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"},{"lessThan":"5ab6aecbede080b44b8e34720ab72050bf1e6982","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"},{"lessThan":"483eb70f441e2df66ade78aa7217e6e4caadfef3","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"},{"lessThan":"9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"},{"lessThan":"78741b4caae1e880368cb2f5110635f3ce45ecfd","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"},{"lessThan":"431e9215576d7b728f3f53a704d237a520092120","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"},{"lessThan":"d73fb8bddf89503c9fae7c42e50d44c89909aad6","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"},{"lessThan":"7c988176b6c16c516474f6fceebe0f055af5eb56","status":"affected","version":"9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/openvswitch/flow.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.11"},{"lessThan":"4.11","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.316","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.278","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.219","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.161","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.93","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.33","versionType":"semver"},{"lessThanOrEqual":"6.8.*","status":"unaffected","version":"6.8.12","versionType":"semver"},{"lessThanOrEqual":"6.9.*","status":"unaffected","version":"6.9.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.10","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.316","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.278","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.219","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.161","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.93","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.33","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.8.12","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9.3","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.10","versionStartIncluding":"4.11","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc.  Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field.  However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine.  Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed."}],"providerMetadata":{"dateUpdated":"2026-05-11T20:19:00.331Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11"},{"url":"https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5"},{"url":"https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982"},{"url":"https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3"},{"url":"https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6"},{"url":"https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd"},{"url":"https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120"},{"url":"https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6"},{"url":"https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56"}],"title":"net: openvswitch: fix overwriting ct original tuple for ICMPv6","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-38558","datePublished":"2024-06-19T13:35:28.226Z","dateReserved":"2024-06-18T19:36:34.921Z","dateUpdated":"2026-05-12T11:54:37.352Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-06-19 14:15:15","lastModifiedDate":"2026-05-12 12:16:52","problem_types":["CWE-665"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"4.19.316","matchCriteriaId":"B7F75FBC-EB5C-493B-BE48-C659636156EA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.278","matchCriteriaId":"7FDBF235-DA18-49A1-8690-6C7272FD0701"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.219","matchCriteriaId":"E9063AF3-D593-43B7-810D-58B87F82F9F9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.161","matchCriteriaId":"31130639-53FE-4726-8986-434EE2528CB2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.93","matchCriteriaId":"EEFB78EE-F990-4197-BF1C-156760A55667"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.33","matchCriteriaId":"FCE796DF-3B50-4DC6-BAE5-95271068FC9E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.8.12","matchCriteriaId":"80550309-67AB-4FD1-AC07-3DED5C4F01B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.9.3","matchCriteriaId":"E07124C1-19E8-4D21-828D-9932A01D3011"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"38558","Ordinal":"1","Title":"net: openvswitch: fix overwriting ct original tuple for ICMPv6","CVE":"CVE-2024-38558","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"38558","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc.  Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field.  However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine.  Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.","Type":"Description","Title":"net: openvswitch: fix overwriting ct original tuple for ICMPv6"}]}}}