CVE-2024-35888
📋 TL;DR
A Linux kernel vulnerability in ERSPAN (Encapsulated Remote SPAN) packet processing allows attackers to trigger kernel memory corruption by sending specially crafted network packets. This affects systems with ERSPAN tunneling enabled, potentially leading to denial of service or kernel crashes. The vulnerability exists in both IPv4 and IPv6 ERSPAN implementations.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially allowing local privilege escalation if combined with other vulnerabilities.
Likely Case
System crash or kernel panic causing denial of service on affected systems with ERSPAN enabled.
If Mitigated
No impact if ERSPAN tunneling is disabled or systems are properly patched.
🎯 Exploit Status
Exploitation requires network access to ERSPAN-enabled interfaces and knowledge of ERSPAN packet structure. The vulnerability was discovered through fuzzing (syzbot).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 06a939f72a24a7d8251f84cf4c042df86c6666ac, 0ac328a5a4138a6c03dfc3f46017bd5c19167446, 17af420545a750f763025149fa7b833a4fc8b8f0, 1db7fcb2b290c47c202b79528824f119fa28937d, 4e3fdeecec5707678b0d1f18c259dadb97262e9d
Vendor Advisory: https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution's repositories. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable ERSPAN tunneling
linuxDisable ERSPAN functionality if not required
# Check if ERSPAN modules are loaded
lsmod | grep -i erspan
# Unload modules if loaded
sudo modprobe -r ip6_gre
sudo modprobe -r ip_gre
Network filtering
linuxBlock ERSPAN traffic at network boundaries
# Example iptables rule to block ERSPAN (protocol 97)
sudo iptables -A INPUT -p 97 -j DROP
# For IPv6
sudo ip6tables -A INPUT -p 97 -j DROP
🧯 If You Can't Patch
- Disable ERSPAN tunneling completely if not required for operations
- Implement network segmentation to restrict ERSPAN traffic to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if ERSPAN modules are loaded: uname -r && lsmod | grep -i erspanCheck Version:
uname -rVerify Fix Applied:
Verify kernel version is patched and ERSPAN modules are either not loaded or updated📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- System crash/reboot events
- Network interface errors related to ERSPAN
Network Indicators:
- Unusual ERSPAN traffic patterns
- Malformed ERSPAN packets to vulnerable systems
SIEM Query:
source="kernel" AND ("panic" OR "BUG" OR "KMSAN") AND ("erspan" OR "ip6_gre" OR "ip_gre")🔗 References
- https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac
- https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446
- https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0
- https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d
- https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d
- https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85
- https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5
- https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7
- https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac
- https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446
- https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0
- https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d
- https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d
- https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85
- https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5
- https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
