CVE-2024-49979
📋 TL;DR
A vulnerability in the Linux kernel's network Generic Segmentation Offload (GSO) handling allows TCP fragmentation list (fraglist) segmentation to fail when data is pulled into linear buffers by optional datapath hooks like NAT or BPF. This can cause kernel NULL pointer dereferences leading to denial of service. It affects Linux systems using TCP segmentation offload with fraglist packets.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic or system crash due to NULL pointer dereference, causing complete denial of service on affected systems.
Likely Case
System instability or crashes when processing specific TCP packets through NAT or BPF hooks, leading to service disruption.
If Mitigated
Minor performance impact from segmentation fallback without crashes if detection works correctly.
🎯 Exploit Status
Exploitation requires network access and ability to send specially crafted TCP packets that trigger the geometry corruption.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel branches (commits: 17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8, 2d4a83a44428de45bfe9dccb0192a3711d1097e0, 3fdd8c83e83fa5e82f1b5585245c51e0355c9f46)
Vendor Advisory: https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable TCP GSO
Disable Generic Segmentation Offload for TCP to prevent the vulnerable code path
ethtool -K <interface> gso off
ethtool -K <interface> tso off
Disable problematic datapath hooks
Remove or disable NAT/BPF hooks that pull data into linear buffers
Review and remove bpf_skb_pull_data calls in BPF programs
Disable NAT rules that might trigger the issue
🧯 If You Can't Patch
- Implement network filtering to block suspicious TCP packets
- Monitor system logs for kernel panic indicators and implement high availability failover
🔍 How to Verify
Check if Vulnerable:
Check kernel version and compare with patched releases from your distribution. Vulnerable if using unpatched kernel with TCP GSO enabled.
Check Version:
uname -r
Verify Fix Applied:
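Verify that the installed kernel includes one of the patch commits (17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8, 2d4a83a44428de45bfe9dccb0192a3711d1097e0, 3fdd8c83e83fa5e82f1b5585245c51e0355c9f46). /proc/version reports only the kernel release and build string, not commit hashes, so searching it for these IDs never matches; confirm instead through your distribution's kernel changelog or security advisory for CVE-2024-49979.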
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- NULL pointer dereference errors in dmesg
- System crash/reboot logs
Network Indicators:
- Unusual TCP packet patterns triggering segmentation
- Increased packet drops on interfaces with GSO enabled
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "kernel panic" OR "Oops") AND "tcp" AND "gso"
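A kernel oops is printed as many separate log lines, so a query that needs every term in one event can miss it when the log pipeline stores each line as its own event. The following added example (not from the original page or the kernel project) groups each NULL pointer dereference report into one event and flags those whose trace passes through GSO code; the symbol names in `GSO_SYMBOLS` and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: function names expected in a trace through the TCP GSO
# fraglist path. The page does not list symbols; adjust to your kernel.
GSO_SYMBOLS = {"skb_segment_list", "tcp_gso_segment",
               "tcp4_gso_segment", "tcp6_gso_segment"}
START = re.compile(r"BUG: kernel NULL pointer dereference")
END = re.compile(r"---\[ end trace")
FRAME = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_gso_oopses(lines, max_lines=80):
    """Group each oops into one event; return those with GSO frames."""
    hits, block = [], None
    for line in lines:
        if block is None:
            if START.search(line):
                block = [line]
            continue
        block.append(line)
        if END.search(line) or len(block) >= max_lines:
            hits.extend(_classify(block))
            block = None
    if block:  # log ended mid-oops (the machine went down before the trace finished)
        hits.extend(_classify(block))
    return hits

def _classify(block):
    """Return a one-element list for a GSO-related oops, else an empty list."""
    frames = {m.group(1) for l in block for m in FRAME.finditer(l)}
    matched = sorted(frames & GSO_SYMBOLS)
    return [{"header": block[0].strip(), "gso_frames": matched}] if matched else []

# Constructed sample: two oopses, only the first goes through GSO code.
SAMPLE = """\
[  812.101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  812.102] Oops: 0000 [#1] PREEMPT SMP
[  812.103] RIP: 0010:skb_segment_list+0x1d4/0x4a0
[  812.104] Call Trace:
[  812.105]  tcp4_gso_segment+0x5c/0x90
[  812.106]  inet_gso_segment+0x15b/0x3d0
[  812.107] ---[ end trace 0000000000000000 ]---
[ 9001.001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 9001.002] RIP: 0010:example_driver_irq+0x22/0x80
[ 9001.003] ---[ end trace 0000000000000000 ]---
""".splitlines()

if __name__ == "__main__":
    for hit in find_gso_oopses(SAMPLE):
        print(hit)
```

Feed it the output of `dmesg` or `journalctl -k` split into lines; an oops that is cut off by the crash is still classified from the lines that were captured.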