{"vulnerability": "CVE-2024-50045", "sightings": [{"uuid": "a5e2dbfa-fc79-4c9e-8d58-d95d9c2bfa3f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-50045", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-07", "content": "", "creation_timestamp": "2025-08-14T10:00:00.000000Z"}, {"uuid": "cb7af37f-655e-4491-a363-6135d6d99484", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-50045", "type": "seen", "source": "https://t.me/cvedetector/8553", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-50045 - Linux kernel VXLAN br_netfilter Panic Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-50045 \nPublished : Oct. 21, 2024, 8:15 p.m. | 16\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nnetfilter: br_netfilter: fix panic with metadata_dst skb  \n  \nFix a kernel panic in the br_netfilter module when sending untagged  \ntraffic via a VxLAN device.  \nThis happens during the check for fragmentation in br_nf_dev_queue_xmit.  \n  \nIt is dependent on:  \n1) the br_netfilter module being loaded;  \n2) net.bridge.bridge-nf-call-iptables set to 1;  \n3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;  \n4) untagged frames with size higher than the VxLAN MTU forwarded/flooded  \n  \nWhen forwarding the untagged packet to the VxLAN bridge port, before  \nthe netfilter hooks are called, br_handle_egress_vlan_tunnel is called and  \nchanges the skb_dst to the tunnel dst. The tunnel_dst is a metadata type  \nof dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.  
\n  \nThen in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check  \nfor frames that needs to be fragmented: frames with higher MTU than the  \nVxLAN device end up calling br_nf_ip_fragment, which in turns call  \nip_skb_dst_mtu.  \n  \nThe ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst  \nwith valid dst->dev, thus the crash.  \n  \nThis case was never supported in the first place, so drop the packet  \ninstead.  \n  \nPING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.  \n[  176.291791] Unable to handle kernel NULL pointer dereference at  \nvirtual address 0000000000000110  \n[  176.292101] Mem abort info:  \n[  176.292184]   ESR = 0x0000000096000004  \n[  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits  \n[  176.292530]   SET = 0, FnV = 0  \n[  176.292709]   EA = 0, S1PTW = 0  \n[  176.292862]   FSC = 0x04: level 0 translation fault  \n[  176.293013] Data abort info:  \n[  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000  \n[  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0  \n[  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  \n[  176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000  \n[  176.294166] [0000000000000110] pgd=0000000000000000,  \np4d=0000000000000000  \n[  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP  \n[  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth  \nbr_netfilter bridge stp llc ipv6 crct10dif_ce  \n[  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted  \n6.8.0-rc3-g5b3fbd61b9d1 #2  \n[  176.296314] Hardware name: linux,dummy-virt (DT)  \n[  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS  \nBTYPE=--)  \n[  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]  \n[  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]  \n[  176.297636] sp : ffff800080003630  \n[  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:  \nffff6828c49ad9f8  \n[  
176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:  \n00000000000003e8  \n[  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:  \nffff6828c3b16d28  \n[  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:  \n0000000000000014  \n[  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:  \n0000000095744632  \n[  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:  \nffffb7e137926a70  \n[  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :  \n0000000000000000  \n[  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :  \nf20e0100bebafeca  \n[  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :  \n0000000000000000  \n[  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :  \nffff6828c7f918f0  \n[  176.300889] Call trace:  \n[  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]  \n[  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]  \n[  176.301703]  nf_hook_slow+0x48/0x124  \n[  176.302060]  br_forward_finish+0xc8[...]", "creation_timestamp": "2024-10-21T22:43:03.000000Z"}]}