NVD Vulnerability Detail

CVE-2024-26635

Summary	In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16) llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes them to __llc_lookup(). However, the initialisation is done only when skb->protocol is htons(ETH_P_802_2), otherwise, __llc_lookup_established() and __llc_lookup_listener() will read garbage. The missing initialisation existed prior to commit 211ed865108e ("net: delete all instances of special processing for token ring"). It removed the part to kick out the token ring stuff but forgot to close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv(). Let's remove llc_tr_packet_type and complete the deprecation. [0]: BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90 __llc_lookup_established+0xe9d/0xf90 __llc_lookup net/llc/llc_conn.c:611 [inline] llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 __netif_receive_skb_one_core net/core/dev.c:5527 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641 netif_receive_skb_internal net/core/dev.c:5727 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5786 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x1490 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Local variable daddr created at: llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Publication Date	March 18, 2024, 8:15 p.m.
Registration Date	March 19, 2024, 10:01 a.m.
Last Update	March 11, 2025, 1:58 a.m.

CVSS3.1 : MEDIUM
スコア	5.5
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	高

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:linux:linux_kernel::::::::	6.7			6.7.3
cpe:2.3:o:linux:linux_kernel::::::::	6.2			6.6.15
cpe:2.3:o:linux:linux_kernel:6.8:rc1::::::
cpe:2.3:o:linux:linux_kernel::::::::	5.11			5.15.149
cpe:2.3:o:linux:linux_kernel::::::::	5.5			5.10.210
cpe:2.3:o:linux:linux_kernel::::::::	4.20			5.4.269
cpe:2.3:o:linux:linux_kernel::::::::	3.5			4.19.307
cpe:2.3:o:linux:linux_kernel::::::::	5.16			6.1.76

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:10.0:::::::*

Related information, measures and tools

No	URL	タグ
1	https://git.kernel.org/stable/c/165ad1e22779685c3ed3dd349c6c4c632309cc62	Mailing List Patch
2	https://git.kernel.org/stable/c/165ad1e22779685c3ed3dd349c6c4c632309cc62	Mailing List Patch
3	https://git.kernel.org/stable/c/660c3053d992b68fee893a0e9ec9159228cffdc6	Mailing List Patch
4	https://git.kernel.org/stable/c/660c3053d992b68fee893a0e9ec9159228cffdc6	Mailing List Patch
5	https://git.kernel.org/stable/c/9ccdef19cf9497c2803b005369668feb91cacdfd	Mailing List Patch
6	https://git.kernel.org/stable/c/9ccdef19cf9497c2803b005369668feb91cacdfd	Mailing List Patch
7	https://git.kernel.org/stable/c/b8e8838f82f332ae80c643dbb1ca4418d0628097	Mailing List Patch
8	https://git.kernel.org/stable/c/b8e8838f82f332ae80c643dbb1ca4418d0628097	Mailing List Patch
9	https://git.kernel.org/stable/c/c0fe2fe7a5a291dfcf6dc64301732c8d3dc6a828	Mailing List Patch
10	https://git.kernel.org/stable/c/c0fe2fe7a5a291dfcf6dc64301732c8d3dc6a828	Mailing List Patch
11	https://git.kernel.org/stable/c/df57fc2f2abf548aa889a36ab0bdcc94a75399dc	Mailing List Patch
12	https://git.kernel.org/stable/c/df57fc2f2abf548aa889a36ab0bdcc94a75399dc	Mailing List Patch
13	https://git.kernel.org/stable/c/e3f9bed9bee261e3347131764e42aeedf1ffea61	Mailing List Patch
14	https://git.kernel.org/stable/c/e3f9bed9bee261e3347131764e42aeedf1ffea61	Mailing List Patch
15	https://git.kernel.org/stable/c/f1f34a515fb1e25e85dee94f781e7869ae351fb8	Mailing List Patch
16	https://git.kernel.org/stable/c/f1f34a515fb1e25e85dee94f781e7869ae351fb8	Mailing List Patch
17	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html	Mailing List
18	https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html	Mailing List

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-909	リソースの初期化の不備	https://cwe.mitre.org/data/definitions/909.html

JVN Vulnerability Information

Linux の Linux Kernel 等複数ベンダの製品におけるリソースの初期化の不備に関する脆弱性

Title	Linux の Linux Kernel 等複数ベンダの製品におけるリソースの初期化の不備に関する脆弱性
Summary	Linux の Linux Kernel 等複数ベンダの製品には、リソースの初期化の不備に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 19, 2024, midnight
Registration Date	March 13, 2025, 6:37 p.m.
Last Update	Aug. 20, 2025, 5:33 p.m.

Affected System

Debian

Debian GNU/Linux 10.0

Linux

Linux Kernel 3.5 以上 4.19.307 未満

Linux Kernel 4.20 以上 5.4.269 未満

Linux Kernel 5.11 以上 5.15.149 未満

Linux Kernel 5.16 以上 6.1.76 未満

Linux Kernel 5.5 以上 5.10.210 未満

Linux Kernel 6.2 以上 6.6.15 未満

Linux Kernel 6.7 以上 6.7.3 未満

Linux Kernel 6.8

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-26635	https://www.cve.org/CVERecord?id=CVE-2024-26635
National Vulnerability Database (NVD)
2	CVE-2024-26635	https://nvd.nist.gov/vuln/detail/CVE-2024-26635

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-909	https://cwe.mitre.org/data/definitions/909.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 3840-1] linux security update	https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
2	[SECURITY] [DLA 3842-1] linux-5.10 security update	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Kernel.org git repositories
3	llc: Drop support for ETH_P_TR_802_2. (165ad1e)	https://git.kernel.org/stable/c/165ad1e22779685c3ed3dd349c6c4c632309cc62
4	llc: Drop support for ETH_P_TR_802_2. (660c305)	https://git.kernel.org/stable/c/660c3053d992b68fee893a0e9ec9159228cffdc6
5	llc: Drop support for ETH_P_TR_802_2. (9ccdef1)	https://git.kernel.org/stable/c/9ccdef19cf9497c2803b005369668feb91cacdfd
6	llc: Drop support for ETH_P_TR_802_2. (b8e8838)	https://git.kernel.org/stable/c/b8e8838f82f332ae80c643dbb1ca4418d0628097
7	llc: Drop support for ETH_P_TR_802_2. (c0fe2fe)	https://git.kernel.org/stable/c/c0fe2fe7a5a291dfcf6dc64301732c8d3dc6a828
8	llc: Drop support for ETH_P_TR_802_2. (df57fc2)	https://git.kernel.org/stable/c/df57fc2f2abf548aa889a36ab0bdcc94a75399dc
9	llc: Drop support for ETH_P_TR_802_2. (e3f9bed)	https://git.kernel.org/stable/c/e3f9bed9bee261e3347131764e42aeedf1ffea61
10	llc: Drop support for ETH_P_TR_802_2. (f1f34a5)	https://git.kernel.org/stable/c/f1f34a515fb1e25e85dee94f781e7869ae351fb8
Linux Kernel
11	Linux Kernel Archives	https://www.kernel.org

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-25-226-15	https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-15
JVN
2	JVNVU#92169998	https://jvn.jp/vu/JVNVU92169998/index.html

Change Log

No	Changed Details	Date of change
1	[2025年03月13日] 掲載	March 13, 2025, 6:37 p.m.
2	[2025年08月20日] 参考情報：JVN (JVNVU#92169998) を追加参考情報：ICS-CERT ADVISORY (ICSA-25-226-15) を追加	Aug. 20, 2025, 10:56 a.m.