{"id":"CVE-2024-49978","summary":"gso: fix udp gso fraglist segmentation after pull from frag_list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ngso: fix udp gso fraglist segmentation after pull from frag_list\n\nDetect gso fraglist skbs with corrupted geometry (see below) and\npass these to skb_segment instead of skb_segment_list, as the first\ncan segment them correctly.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify these skbs, breaking these invariants.\n\nIn extreme cases they pull all data into skb linear. For UDP, this\ncauses a NULL ptr deref in __udpv4_gso_segment_list_csum at\nudp_hdr(seg-\u003enext)-\u003edest.\n\nDetect invalid geometry due to pull, by checking head_skb size.\nDon't just drop, as this may blackhole a destination. Convert to be\nable to pass to regular skb_segment.","modified":"2026-04-16T04:31:34.110743852Z","published":"2024-10-21T18:02:25.151Z","related":["SUSE-SU-2025:0428-1","SUSE-SU-2025:0499-1","SUSE-SU-2025:0557-1","SUSE-SU-2025:0564-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49978.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab"},{"type":"WEB","url":"https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49978.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49978"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9fd1ff5d2ac7181844735806b0a703c942365291"},{"fixed":"080e6c9a3908de193a48f646c5ce1bfb15676ffc"},{"fixed":"af3122f5fdc0d00581d6e598a668df6bf54c9daa"},{"fixed":"33e28acf42ee863f332a958bfc2f1a284a3659df"},{"fixed":"3cd00d2e3655fad3bda96dc1ebf17b6495f86fea"},{"fixed":"a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49978.json"}}],"schema_version":"1.7.5"}