[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-26804":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":21,"related":22,"reserved_at":9,"published_at":23,"modified_at":24,"state":9,"summary":25,"references_raw":27,"kevs":34,"epss":9,"epss_history":35,"metrics":36,"affected":43},"DEBIAN-CVE-2024-26804","In the Linux kernel, the following vulnerability has been resolved:  net: ip_tunnel: prevent perpetual headroom growth  syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..]  kasan_report+0xda/0x110 mm/kasan/report.c:588  __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170  skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]  ___skb_get_hash net/core/flow_dissector.c:1791 [inline]  __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856  skb_get_hash include/linux/skbuff.h:1556 [inline]  ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748  ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308  __netdev_start_xmit include/linux/netdevice.h:4940 [inline]  netdev_start_xmit include/linux/netdevice.h:4954 [inline]  xmit_one net/core/dev.c:3548 [inline]  dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564  __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349  dev_queue_xmit include/linux/netdevice.h:3134 [inline]  neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592  ...  ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235  ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323  ..  
iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82  ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831  ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665  __netdev_start_xmit include/linux/netdevice.h:4940 [inline]  netdev_start_xmit include/linux/netdevice.h:4954 [inline]  xmit_one net/core/dev.c:3548 [inline]  dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564  ...  The splat occurs because skb->data points past skb->head allocated area. This is because neigh layer does:   __skb_pull(skb, skb_network_offset(skb));  ... but skb_network_offset() returns a negative offset and __skb_pull() arg is unsigned.  IOW, skb->data gets \"adjusted\" by a huge value.  The negative value is returned because skb->head and skb->data distance is more than 64k and skb->network_header (u16) has wrapped around.  The bug is in the ip_tunnel infrastructure, which can cause dev->needed_headroom to increment ad infinitum.  The syzkaller reproducer consists of packets getting routed via a gre tunnel, and route of gre encapsulated packets pointing at another (ipip) tunnel.  The ipip encapsulation finds gre0 as next output device.  This results in the following pattern:  1). First packet is to be sent out via gre0. Route lookup found an output device, ipip0.  2). ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future output device, rt.dev->needed_headroom (ipip0).  3). ip output / start_xmit moves skb on to ipip0, which runs the same code path again (xmit recursion).  4). Routing step for the post-gre0-encap packet finds gre0 as output device to use for ipip0 encapsulated packet.  tunl0->needed_headroom is then incremented based on the (already bumped) gre0 device headroom.  This repeats for every future packet:  gre0->needed_headroom gets inflated because previous packets' ipip0 step incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0 needed_headroom was increased.  
For each subsequent packet, gre/ipip0->needed_headroom grows until post-expand-head reallocations result in a skb->head/data distance of more than 64k.  Once that happens, skb->network_header (u16) wraps around when pskb_expand_head tries to make sure that skb_network_offset() is unchanged after the headroom expansion/reallocation.  After this skb_network_offset(skb) returns a different (and negative) result post headroom expansion.  The next trip to neigh layer (or anything else that would __skb_pull the network header) makes skb->data point to a memory location outside skb->head area.  v2: Cap the needed_headroom update to an arbitrarily chosen upper limit to prevent perpetual increase instead of dropping the headroom increment completely.",null,[],[],[],[14],{"_key":15},"CVE-2024-26804",[17,19],{"_key":18},"DLA-3842-1",{"_key":20},"DSA-5681-1",[],[],"2024-04-04T09:15:09.217Z","2026-04-28T20:27:41.662028Z",{"cisa_kev":26,"cisa_ransomware":26,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[28],{"url":29,"sources":30,"tags":32},"https://security-tracker.debian.org/tracker/CVE-2024-26804",[31],"osv_debian",[33],"Advisory",[],[],[37],{"source":31,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":38,"cvss_v4_0":9},{"baseScore":39,"baseSeverity":9,"vectorString":40,"impactScore":41,"exploitabilityScore":42},5.3,"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",2.3,10,[44],{"ecosystem":45,"name":46,"vendor":47,"product":46,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":46,"source":9,"versions":49},"Debian","linux","debian","deb",[50,56,59,62],{"version":51,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":55,"fixed_in":9},"lt5_10_216_1",true,"ecosystem","5.10.216-1","excluding",{"version":57,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":
55,"fixed_in":9},"lt6_1_82_1","6.1.82-1",{"version":60,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":61,"version_end_type":55,"fixed_in":9},"lt6_7_9_1","6.7.9-1",{"version":60,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":61,"version_end_type":55,"fixed_in":9}]