CVE-2024-26752

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-26752

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26752.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-26752

Downstream

BELL-CVE-2024-26752

DEBIAN-CVE-2024-26752

DLA-3840-1

DLA-3842-1

DSA-5681-1

OESA-2024-1566

OESA-2024-1567

OESA-2024-1569

OESA-2024-1570

OESA-2024-1571

OESA-2024-1618

SUSE-SU-2024:1979-1

SUSE-SU-2024:1983-1

SUSE-SU-2024:2184-1

UBUNTU-CVE-2024-26752

USN-6820-1

USN-6820-2

USN-6821-1

USN-6821-2

USN-6821-3

USN-6821-4

USN-6828-1

USN-6831-1

USN-6867-1

USN-6871-1

USN-6892-1

USN-6919-1

Related

Published

2024-04-03T17:00:37.340Z

Modified

2026-03-14T12:27:41.307626Z

Summary

l2tp: pass correct message length to ip6_append_data

Details

In the Linux kernel, the following vulnerability has been resolved:

l2tp: pass correct message length to ip6appenddata

l2tpip6sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff.

To manage this, we check whether the skbuff contains data using skbqueueempty when deciding how much data to append using ip6appenddata.

However, the code which performed the calculation was incorrect:

 ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;

...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire.

Add parentheses to correct the calculation in line with the original intent.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26752.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

559d697c5d072593d22b3e0bd8b8081108aeaf59

Fixed

4c3ce64bc9d36ca9164dd6c77ff144c121011aae

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1fc793d68d50dee4782ef2e808913d5dd880bcc6

Fixed

c1d3a84a67db910ce28a871273c992c3d7f9efb5

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

96b2e1090397217839fcd6c9b6d8f5d439e705ed

Fixed

dcb4d14268595065c85dc5528056713928e17243

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

cd1189956393bf850b2e275e37411855d3bd86bb

Fixed

0da15a70395182ee8cb75716baf00dddc0bea38d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f6a7182179c0ed788e3755ee2ed18c888ddcc33f

Fixed

13cd1daeea848614e585b2c6ecc11ca9c8ab2500

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9d4c75800f61e5d75c1659ba201b6c0c7ead3070

Fixed

804bd8650a3a2bf3432375f8c97d5049d845ce56

Fixed

83340c66b498e49353530e41542500fc8a4782d6

Fixed

359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

7626b9fed53092aa2147978070e610ecb61af844

Last affected

fe80658c08e3001c80c5533cd41abfbb0e0e28fd

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26752.json"