PT-2024-26758 · Linux+10 · Linux Kernel+10
Published 2024-05-17 · Updated 2026-05-26
CVE-2024-35839
CVSS v3.1: 5.5 Medium
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The issue arises when an skb is added to a neigh->arp_queue while waiting for an ARP reply, and the original skb's skb->dev can be different from the neigh's neigh->dev. This can occur in bridging scenarios, such as when a DNATed skb is sent from one veth to another, and the skb is added to the neigh->arp_queue of the bridge. As a result, skb->dev can be reset back to nf_bridge->physindev and used, potentially leading to a crash due to the lack of an explicit mechanism preventing physindev from being freed. The vulnerability can be exploited through the arp_process, neigh_update, br_nf_dev_xmit, br_nf_pre_routing_finish_bridge_slow, and br_handle_frame_finish functions.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Locking
Weakness Enumeration
Related Identifiers
Affected Products
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Linux Kernel
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu