PT-2024-33791 · Linux+11 · Linux Kernel+11

Syzbot · Published 2024-09-24 · Updated 2025-09-29 · CVE-2024-49949

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58
Description: The issue is related to a potential underflow in the qdisc_pkt_len_init() function when handling UFO (UDP Fragmentation Offload) packets. This occurs after specific commits that introduced sanity checks to detect malicious attempts from user space to create bad GSO (Generic Segmentation Offload) packets. However, these checks allowed user space to craft a GSO packet that could lead to a crash in fq_codel. The crash happens because qdisc_pkt_len_init() sets gso_segs to 0 and later attempts to access a null pointer, resulting in a kernel NULL pointer dereference.
Recommendations: To resolve this issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the fq_codel queueing discipline until a patch is available. Restrict access to the vulnerable qdisc_pkt_len_init() function to minimize the risk of exploitation. Avoid using the skb->len and hdr_len variables in the affected API endpoints until the issue is resolved.

Exploit

Fix

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALSA-2024:10939
ALSA-2024:10943
ALSA-2024:10944
ALSA-2024_10939
ALSA-2024_10943
ALSA-2024_10944
ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2024-14046
ALT-PU-2024-14270
ALT-PU-2024-15739
ALT-PU-2024-16172
AZL-52628
BDU:2025-04703
CESA-2024_10943
CESA-2024_10944
CVE-2024-49949
DLA-4008-1
DLA-4075-1
INFSA-2024_10939
INFSA-2024_10943
INFSA-2024_10944
MGASA-2024-0344
MGASA-2024-0345
OESA-2024-2424
OESA-2024-2425
OESA-2024-2426
OPENSUSE-SU-2024:14500-1
OPENSUSE-SU-2024_3983-1
OPENSUSE-SU-2024_3984-1
OPENSUSE-SU-2024_3985-1
OPENSUSE-SU-2024_3986-1
OPENSUSE-SU-2025:14705-1
RHSA-2024:10939
RHSA-2024:10943
RHSA-2024:10944
RHSA-2024_10939
RHSA-2024_10943
RHSA-2024_10944
RHSA-2025:2270
RLSA-2024:10943
RLSA-2024:10944
SUSE-SU-2024:3983-1
SUSE-SU-2024:3984-1
SUSE-SU-2024:3985-1
SUSE-SU-2024:3986-1
SUSE-SU-2024:4100-1
SUSE-SU-2024:4318-1
SUSE-SU-2024:4364-1
SUSE-SU-2024:4387-1
SUSE-SU-2025:0034-1
SUSE-SU-2025:20163-1
SUSE-SU-2025:20164-1
SUSE-SU-2025:20246-1
SUSE-SU-2025:20247-1
USN-7166-1
USN-7166-2
USN-7166-3
USN-7166-4
USN-7186-1
USN-7186-2
USN-7194-1
USN-7276-1
USN-7277-1
USN-7293-1
USN-7294-1
USN-7294-2
USN-7294-3
USN-7294-4
USN-7295-1
USN-7301-1
USN-7303-1
USN-7303-2
USN-7303-3
USN-7304-1
USN-7310-1
USN-7311-1
USN-7384-1
USN-7384-2
USN-7385-1
USN-7386-1
USN-7393-1
USN-7401-1
USN-7403-1
USN-7413-1
USN-7468-1
USN-7539-1
USN-7540-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Linux Kernel
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu