PT-2024-5926 · Linux+6 · Linux Kernel+6
Published: 2024-08-09 · Updated: 2025-09-29
CVE-2024-44999
CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.50
Description
The vulnerability is related to the use of uninitialized variables in the gtp_dev_xmit() function, which can lead to potential issues with confidentiality, integrity, and availability of protected information. The vulnerability was reported by syzbot/KMSAN and is caused by the lack of initialization of the IPv4 or IPv6 header in skb->head before its fields are accessed. To fix this issue, the pskb_inet_may_pull() function should be used.
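The pull-before-read pattern named in the description, shown as an added userspace model (not kernel code and not the upstream patch). The toy_* names, the 64-byte head and the sample bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>
enum { PROTO_IPV4 = 0x0800, PROTO_IPV6 = 0x86DD };

/* Toy stand-in for an sk_buff: linear head plus one non-linear fragment. */
struct toy_skb {
    uint16_t protocol;
    uint8_t head[64];         /* only the first head_len bytes are valid */
    size_t head_len, frag_len;
    const uint8_t *frag;      /* rest of the packet, outside the linear area */
};

/* Ensure the first len bytes are in head[]; 0 means the packet is too short. */
static int toy_may_pull(struct toy_skb *skb, size_t len)
{
    if (len <= skb->head_len)
        return 1;
    if (len > sizeof(skb->head) || len - skb->head_len > skb->frag_len)
        return 0;
    memcpy(skb->head + skb->head_len, skb->frag, len - skb->head_len);
    skb->frag += len - skb->head_len;
    skb->frag_len -= len - skb->head_len;
    skb->head_len = len;
    return 1;
}

/* Protocol-aware variant: 20-byte IPv4 header or 40-byte IPv6 header. */
static int toy_inet_may_pull(struct toy_skb *skb)
{
    size_t hdr = skb->protocol == PROTO_IPV4 ? 20 : skb->protocol == PROTO_IPV6 ? 40 : 0;
    return hdr != 0 && toy_may_pull(skb, hdr);
}

/* Transmit-path read: pull first, then touch IPv4 daddr (offset 16). */
static int toy_xmit_read_daddr(struct toy_skb *skb, uint8_t daddr[4])
{
    if (skb->protocol != PROTO_IPV4 || !toy_inet_may_pull(skb))
        return -1;            /* drop rather than read bytes never copied in */
    memcpy(daddr, skb->head + 16, 4);
    return 0;
}

int main(void)
{
    static const uint8_t tail[12] = { [8] = 10, 0, 0, 1 }; /* constructed bytes 8..19 */
    struct toy_skb skb = { PROTO_IPV4, { 0x45 }, 8, sizeof(tail), tail };
    uint8_t d[4];
    return toy_xmit_read_daddr(&skb, d) == 0 && d[0] == 10 ? 0 : 1;
}
```

Without the pull, the read at offset 16 would land in the part of head[] that was never filled, which is the class of access KMSAN flags.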
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider disabling the gtp_dev_xmit() function until a patch is available. However, this may have unintended consequences and should be carefully evaluated before implementation.
Note: The provided information does not include details about the estimated number of potentially affected devices or real-world incidents where this issue was exploited.
Exploit
Fix
Use of Uninitialized Resource
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu