{"id":"CVE-2024-26882","summary":"net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()\n\nApply the same fix than ones found in :\n\n8d975c15c0cd (\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n1ca1ba465e55 (\"geneve: make sure to pull inner header in geneve_rx()\")\n\nWe have to save skb-\u003enetwork_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb-\u003ehead.\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n  ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n  __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389\n  ipgre_rcv net/ipv4/ip_gre.c:411 [inline]\n  gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447\n  gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163\n  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n  dst_input include/net/dst.h:461 [inline]\n  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n  netif_receive_skb_internal net/core/dev.c:5734 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5793\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556\n  tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n  call_write_iter include/linux/fs.h:2087 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb6b/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n  __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133\n  alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204\n  skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909\n  tun_build_skb drivers/net/tun.c:1686 [inline]\n  tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n  call_write_iter include/linux/fs.h:2087 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb6b/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b","modified":"2026-04-02T10:06:17.565733Z","published":"2024-04-17T10:27:38.389Z","related":["SUSE-SU-2024:1644-1","SUSE-SU-2024:1659-1","SUSE-SU-2024:1663-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26882.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5c03387021cfa3336b97e0dcba38029917a8af2a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60044ab84836359534bd7153b92e9c1584140e4a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/77fd5294ea09b21f6772ac954a121b87323cec80"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b0ec2abf98267f14d032102551581c833b0659d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c4c857723b37c20651300b3de4ff25059848b4b0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ca914f1cdee8a85799942c9b0ce5015bbd6844e1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ec6bb01e02cbd47781dd90775b631a1dc4bd9d2b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f6723d8dbfdc10c784a56748f86a9a3cd410dbd5"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26882.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26882"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241220-0002/"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c54419321455631079c7d6e60bc732dd0c5914c5"},{"fixed":"ec6bb01e02cbd47781dd90775b631a1dc4bd9d2b"},{"fixed":"77fd5294ea09b21f6772ac954a121b87323cec80"},{"fixed":"5c03387021cfa3336b97e0dcba38029917a8af2a"},{"fixed":"60044ab84836359534bd7153b92e9c1584140e4a"},{"fixed":"c4c857723b37c20651300b3de4ff25059848b4b0"},{"fixed":"f6723d8dbfdc10c784a56748f86a9a3cd410dbd5"},{"fixed":"ca914f1cdee8a85799942c9b0ce5015bbd6844e1"},{"fixed":"b0ec2abf98267f14d032102551581c833b0659d3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26882.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}