{"api_version":"1","generated_at":"2026-05-13T03:11:57+00:00","cve":"CVE-2024-50045","urls":{"html":"https://cve.report/CVE-2024-50045","api":"https://cve.report/api/cve/CVE-2024-50045.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-50045","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-50045"},"summary":{"title":"netfilter: br_netfilter: fix panic with metadata_dst skb","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: fix panic with metadata_dst skb\n\nFix a kernel panic in the br_netfilter module when sending untagged\ntraffic via a VxLAN device.\nThis happens during the check for fragmentation in br_nf_dev_queue_xmit.\n\nIt is dependent on:\n1) the br_netfilter module being loaded;\n2) net.bridge.bridge-nf-call-iptables set to 1;\n3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;\n4) untagged frames with size higher than the VxLAN MTU forwarded/flooded\n\nWhen forwarding the untagged packet to the VxLAN bridge port, before\nthe netfilter hooks are called, br_handle_egress_vlan_tunnel is called and\nchanges the skb_dst to the tunnel dst. The tunnel_dst is a metadata type\nof dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.\n\nThen in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check\nfor frames that needs to be fragmented: frames with higher MTU than the\nVxLAN device end up calling br_nf_ip_fragment, which in turns call\nip_skb_dst_mtu.\n\nThe ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst\nwith valid dst->dev, thus the crash.\n\nThis case was never supported in the first place, so drop the packet\ninstead.\n\nPING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.\n[  176.291791] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000110\n[  176.292101] Mem abort info:\n[  176.292184]   ESR = 0x0000000096000004\n[  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  176.292530]   SET = 0, FnV = 0\n[  176.292709]   EA = 0, S1PTW = 0\n[  176.292862]   FSC = 0x04: level 0 translation fault\n[  176.293013] Data abort info:\n[  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000\n[  176.294166] [0000000000000110] pgd=0000000000000000,\np4d=0000000000000000\n[  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth\nbr_netfilter bridge stp llc ipv6 crct10dif_ce\n[  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted\n6.8.0-rc3-g5b3fbd61b9d1 #2\n[  176.296314] Hardware name: linux,dummy-virt (DT)\n[  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS\nBTYPE=--)\n[  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]\n[  176.297636] sp : ffff800080003630\n[  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:\nffff6828c49ad9f8\n[  176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:\n00000000000003e8\n[  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:\nffff6828c3b16d28\n[  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:\n0000000000000014\n[  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:\n0000000095744632\n[  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:\nffffb7e137926a70\n[  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :\n0000000000000000\n[  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :\nf20e0100bebafeca\n[  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :\n0000000000000000\n[  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :\nffff6828c7f918f0\n[  176.300889] Call trace:\n[  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]\n[  176.301703]  nf_hook_slow+0x48/0x124\n[  176.302060]  br_forward_finish+0xc8/0xe8 [bridge]\n[  176.302371]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]\n[  176.302605]  br_nf_forward_finish+0x118/0x22c [br_netfilter]\n[  176.302824]  br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]\n[  176.303136]  br_nf_forward+0x2b8/0x4e0 [br_netfilter]\n[  176.303359]  nf_hook_slow+0x48/0x124\n[  176.303\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2024-10-21 20:15:17","updated_at":"2026-05-12 13:16:16"},"problem_types":["CWE-476"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-398330.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-398330.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f07131239a76cc10d5e82c19d91f53cb55727297","name":"https://git.kernel.org/stable/c/f07131239a76cc10d5e82c19d91f53cb55727297","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","name":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/915717e0bb9837cc5c101bc545af487bd787239e","name":"https://git.kernel.org/stable/c/915717e0bb9837cc5c101bc545af487bd787239e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3453f5839420bfbb85c86c61e49f49ffd0f041c4","name":"https://git.kernel.org/stable/c/3453f5839420bfbb85c86c61e49f49ffd0f041c4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/78ed917133b118661e1fe62d4a85d5d428ee9568","name":"https://git.kernel.org/stable/c/78ed917133b118661e1fe62d4a85d5d428ee9568","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803","name":"https://git.kernel.org/stable/c/95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cce8419b8168f6e7eb637103a47f916f3de8bc81","name":"https://git.kernel.org/stable/c/cce8419b8168f6e7eb637103a47f916f3de8bc81","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","name":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f9ff7665cd128012868098bbd07e28993e314fdb","name":"https://git.kernel.org/stable/c/f9ff7665cd128012868098bbd07e28993e314fdb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/75dfcb758015c97e1accd6340691fca67d363bed","name":"https://git.kernel.org/stable/c/75dfcb758015c97e1accd6340691fca67d363bed","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-50045","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50045","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd f07131239a76cc10d5e82c19d91f53cb55727297 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd 75dfcb758015c97e1accd6340691fca67d363bed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd cce8419b8168f6e7eb637103a47f916f3de8bc81 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd 95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd 78ed917133b118661e1fe62d4a85d5d428ee9568 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd 3453f5839420bfbb85c86c61e49f49ffd0f041c4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd 915717e0bb9837cc5c101bc545af487bd787239e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd f9ff7665cd128012868098bbd07e28993e314fdb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.11","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.11 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.323 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.285 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.227 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.168 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.113 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.57 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.11.4 6.11.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"RUGGEDCOM RST2428P","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.0 V3.1.5 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"50045","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-50045","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-10-22T13:24:15.720711Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-10-22T13:28:43.698Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-03T22:24:51.294Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"RUGGEDCOM RST2428P","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"V3.1.5","status":"affected","version":"V3.1.0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T12:00:09.406Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-398330.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/bridge/br_netfilter_hooks.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"f07131239a76cc10d5e82c19d91f53cb55727297","status":"affected","version":"11538d039ac6efcf4f1a6c536e1b87cd3668a9fd","versionType":"git"},{"lessThan":"75dfcb758015c97e1accd6340691fca67d363bed","status":"affected","version":"11538d039ac6efcf4f1a6c536e1b87cd3668a9fd","versionType":"git"},{"lessThan":"cce8419b8168f6e7eb637103a47f916f3de8bc81","status":"affected","version":"11538d039ac6efcf4f1a6c536e1b87cd3668a9fd","versionType":"git"},{"lessThan":"95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803","status":"affected","version":"11538d039ac6efcf4f1a6c536e1b87cd3668a9fd","versionType":"git"},{"lessThan":"78ed917133b118661e1fe62d4a85d5d428ee9568","status":"affected","version":"11538d039ac6efcf4f1a6c536e1b87cd3668a9fd","versionType":"git"},{"lessThan":"3453f5839420bfbb85c86c61e49f49ffd0f041c4","status":"affected","version":"11538d039ac6efcf4f1a6c536e1b87cd3668a9fd","versionType":"git"},{"lessThan":"915717e0bb9837cc5c101bc545af487bd787239e","status":"affected","version":"11538d039ac6efcf4f1a6c536e1b87cd3668a9fd","versionType":"git"},{"lessThan":"f9ff7665cd128012868098bbd07e28993e314fdb","status":"affected","version":"11538d039ac6efcf4f1a6c536e1b87cd3668a9fd","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/bridge/br_netfilter_hooks.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.11"},{"lessThan":"4.11","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.323","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.285","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.227","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.168","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.113","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.57","versionType":"semver"},{"lessThanOrEqual":"6.11.*","status":"unaffected","version":"6.11.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.12","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.323","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.285","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.227","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.168","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.113","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.57","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.11.4","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12","versionStartIncluding":"4.11","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: fix panic with metadata_dst skb\n\nFix a kernel panic in the br_netfilter module when sending untagged\ntraffic via a VxLAN device.\nThis happens during the check for fragmentation in br_nf_dev_queue_xmit.\n\nIt is dependent on:\n1) the br_netfilter module being loaded;\n2) net.bridge.bridge-nf-call-iptables set to 1;\n3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;\n4) untagged frames with size higher than the VxLAN MTU forwarded/flooded\n\nWhen forwarding the untagged packet to the VxLAN bridge port, before\nthe netfilter hooks are called, br_handle_egress_vlan_tunnel is called and\nchanges the skb_dst to the tunnel dst. The tunnel_dst is a metadata type\nof dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.\n\nThen in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check\nfor frames that needs to be fragmented: frames with higher MTU than the\nVxLAN device end up calling br_nf_ip_fragment, which in turns call\nip_skb_dst_mtu.\n\nThe ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst\nwith valid dst->dev, thus the crash.\n\nThis case was never supported in the first place, so drop the packet\ninstead.\n\nPING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.\n[  176.291791] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000110\n[  176.292101] Mem abort info:\n[  176.292184]   ESR = 0x0000000096000004\n[  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  176.292530]   SET = 0, FnV = 0\n[  176.292709]   EA = 0, S1PTW = 0\n[  176.292862]   FSC = 0x04: level 0 translation fault\n[  176.293013] Data abort info:\n[  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000\n[  176.294166] [0000000000000110] pgd=0000000000000000,\np4d=0000000000000000\n[  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth\nbr_netfilter bridge stp llc ipv6 crct10dif_ce\n[  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted\n6.8.0-rc3-g5b3fbd61b9d1 #2\n[  176.296314] Hardware name: linux,dummy-virt (DT)\n[  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS\nBTYPE=--)\n[  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]\n[  176.297636] sp : ffff800080003630\n[  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:\nffff6828c49ad9f8\n[  176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:\n00000000000003e8\n[  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:\nffff6828c3b16d28\n[  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:\n0000000000000014\n[  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:\n0000000095744632\n[  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:\nffffb7e137926a70\n[  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :\n0000000000000000\n[  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :\nf20e0100bebafeca\n[  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :\n0000000000000000\n[  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :\nffff6828c7f918f0\n[  176.300889] Call trace:\n[  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]\n[  176.301703]  nf_hook_slow+0x48/0x124\n[  176.302060]  br_forward_finish+0xc8/0xe8 [bridge]\n[  176.302371]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]\n[  176.302605]  br_nf_forward_finish+0x118/0x22c [br_netfilter]\n[  176.302824]  br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]\n[  176.303136]  br_nf_forward+0x2b8/0x4e0 [br_netfilter]\n[  176.303359]  nf_hook_slow+0x48/0x124\n[  176.303\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-11T20:44:25.711Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/f07131239a76cc10d5e82c19d91f53cb55727297"},{"url":"https://git.kernel.org/stable/c/75dfcb758015c97e1accd6340691fca67d363bed"},{"url":"https://git.kernel.org/stable/c/cce8419b8168f6e7eb637103a47f916f3de8bc81"},{"url":"https://git.kernel.org/stable/c/95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803"},{"url":"https://git.kernel.org/stable/c/78ed917133b118661e1fe62d4a85d5d428ee9568"},{"url":"https://git.kernel.org/stable/c/3453f5839420bfbb85c86c61e49f49ffd0f041c4"},{"url":"https://git.kernel.org/stable/c/915717e0bb9837cc5c101bc545af487bd787239e"},{"url":"https://git.kernel.org/stable/c/f9ff7665cd128012868098bbd07e28993e314fdb"}],"title":"netfilter: br_netfilter: fix panic with metadata_dst skb","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-50045","datePublished":"2024-10-21T19:39:43.117Z","dateReserved":"2024-10-21T12:17:06.071Z","dateUpdated":"2026-05-12T12:00:09.406Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-10-21 20:15:17","lastModifiedDate":"2026-05-12 13:16:16","problem_types":["CWE-476"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.10.227","matchCriteriaId":"E02B18E0-7618-4F55-A9D9-FC9A13DCDEEF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.168","matchCriteriaId":"4D51C05D-455B-4D8D-89E7-A58E140B864C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.113","matchCriteriaId":"D01BD22E-ACD1-4618-9D01-6116570BE1EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.57","matchCriteriaId":"05D83DB8-7465-4F88-AFB2-980011992AC1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.11.4","matchCriteriaId":"AA84D336-CE9A-4535-B901-1AD77EC17C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*","matchCriteriaId":"7F361E1D-580F-4A2D-A509-7615F73167A1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"50045","Ordinal":"1","Title":"netfilter: br_netfilter: fix panic with metadata_dst skb","CVE":"CVE-2024-50045","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"50045","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: fix panic with metadata_dst skb\n\nFix a kernel panic in the br_netfilter module when sending untagged\ntraffic via a VxLAN device.\nThis happens during the check for fragmentation in br_nf_dev_queue_xmit.\n\nIt is dependent on:\n1) the br_netfilter module being loaded;\n2) net.bridge.bridge-nf-call-iptables set to 1;\n3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;\n4) untagged frames with size higher than the VxLAN MTU forwarded/flooded\n\nWhen forwarding the untagged packet to the VxLAN bridge port, before\nthe netfilter hooks are called, br_handle_egress_vlan_tunnel is called and\nchanges the skb_dst to the tunnel dst. The tunnel_dst is a metadata type\nof dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.\n\nThen in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check\nfor frames that needs to be fragmented: frames with higher MTU than the\nVxLAN device end up calling br_nf_ip_fragment, which in turns call\nip_skb_dst_mtu.\n\nThe ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst\nwith valid dst->dev, thus the crash.\n\nThis case was never supported in the first place, so drop the packet\ninstead.\n\nPING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.\n[  176.291791] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000110\n[  176.292101] Mem abort info:\n[  176.292184]   ESR = 0x0000000096000004\n[  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  176.292530]   SET = 0, FnV = 0\n[  176.292709]   EA = 0, S1PTW = 0\n[  176.292862]   FSC = 0x04: level 0 translation fault\n[  176.293013] Data abort info:\n[  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000\n[  176.294166] [0000000000000110] pgd=0000000000000000,\np4d=0000000000000000\n[  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth\nbr_netfilter bridge stp llc ipv6 crct10dif_ce\n[  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted\n6.8.0-rc3-g5b3fbd61b9d1 #2\n[  176.296314] Hardware name: linux,dummy-virt (DT)\n[  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS\nBTYPE=--)\n[  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]\n[  176.297636] sp : ffff800080003630\n[  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:\nffff6828c49ad9f8\n[  176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:\n00000000000003e8\n[  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:\nffff6828c3b16d28\n[  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:\n0000000000000014\n[  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:\n0000000095744632\n[  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:\nffffb7e137926a70\n[  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :\n0000000000000000\n[  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :\nf20e0100bebafeca\n[  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :\n0000000000000000\n[  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :\nffff6828c7f918f0\n[  176.300889] Call trace:\n[  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]\n[  176.301703]  nf_hook_slow+0x48/0x124\n[  176.302060]  br_forward_finish+0xc8/0xe8 [bridge]\n[  176.302371]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]\n[  176.302605]  br_nf_forward_finish+0x118/0x22c [br_netfilter]\n[  176.302824]  br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]\n[  176.303136]  br_nf_forward+0x2b8/0x4e0 [br_netfilter]\n[  176.303359]  nf_hook_slow+0x48/0x124\n[  176.303\n---truncated---","Type":"Description","Title":"netfilter: br_netfilter: fix panic with metadata_dst skb"}]}}}