PT-2024-8488 · Linux+9 · Linux Kernel+9
Syzbot · Published 2024-03-29 · Updated 2025-09-29
CVE-2024-35888
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.9.0-rc1-syzkaller-00021-g962490525cff
Description
The issue is in the erspan component of the Linux kernel: the ip6erspan_rcv() function does not ensure that erspan_base_hdr is present in the skb linear part before accessing the @ver field. This can lead to an uninitialized value being used, potentially causing a denial of service. The vulnerability was reported by syzbot and is fixed by adding the missing pskb_may_pull() calls.
Recommendations
To resolve this issue, update the Linux kernel to a version that includes the fix, that is, 6.9.0-rc1-syzkaller-00021-g962490525cff or later. If updating is not possible, consider disabling the erspan component as a temporary workaround to minimize the risk of exploitation.
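The missing check from the description, as a userspace model added here for illustration (not kernel code and not the upstream patch). The `toy_*` names are hypothetical, and the 8-byte GRE header length and the packet bytes are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy sk_buff (hypothetical): linear_len bytes of linear[] are packet data. */
struct toy_skb {
    uint8_t linear[64];
    const uint8_t *frag;          /* packet bytes not yet in the linear part */
    size_t linear_len, frag_len;
};

/* Model of pskb_may_pull(): make the first len bytes linear, or return 0. */
static int toy_may_pull(struct toy_skb *skb, size_t len)
{
    size_t need = len > skb->linear_len ? len - skb->linear_len : 0;
    if (len > sizeof(skb->linear) || need > skb->frag_len)
        return 0;
    if (need) {
        memcpy(skb->linear + skb->linear_len, skb->frag, need);
        skb->linear_len += need;
        skb->frag += need;
        skb->frag_len -= need;
    }
    return 1;
}

/* Before the fix: version nibble read without checking it is linear. */
static int toy_ver_unchecked(const struct toy_skb *skb, size_t gre_len)
{
    return skb->linear[gre_len] >> 4;
}

/* After: pull GRE + 4-byte ERSPAN base header first; -1 means drop. */
static int toy_ver_checked(struct toy_skb *skb, size_t gre_len)
{
    if (!toy_may_pull(skb, gre_len + 4))
        return -1;
    return skb->linear[gre_len] >> 4;
}

/* Constructed packet: 8-byte GRE header linear, ERSPAN header (ver 1) in frag. */
static int toy_demo(size_t frag_len, int checked)
{
    static const uint8_t erspan[4] = { 0x10, 0x64, 0x00, 0x01 };
    struct toy_skb skb = { .frag = erspan, .linear_len = 8, .frag_len = frag_len };
    memset(skb.linear, 0xAA, sizeof(skb.linear)); /* models stale memory */
    return checked ? toy_ver_checked(&skb, 8) : toy_ver_unchecked(&skb, 8);
}

int main(void) { return toy_demo(4, 1) == 1 ? 0 : 1; }
```

The unchecked path returns whatever stale byte sits past the linear data, while the checked path returns the real version or rejects a truncated packet.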
Weakness Enumeration
Use of Uninitialized Resource
Affected Products
AlmaLinux
Astra Linux
CentOS
Linux Mint
Linux Kernel
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu