LiveActive security incident?Get immediate response
CVE Record

CVE-2024-26596: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events

In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events After the blamed commit, we started doing this dereference for every NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system. static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev) { struct dsa_user_priv *p = netdev_priv(dev); return p->dp; } Which is obviously bogus, because not all net_devices have a netdev_priv() of type struct dsa_user_priv. But struct dsa_user_priv is fairly small, and p->dp means dereferencing 8 bytes starting with offset 16. Most drivers allocate that much private memory anyway, making our access not fault, and we discard the bogus data quickly afterwards, so this wasn't caught. But the dummy interface is somewhat special in that it calls alloc_netdev() with a priv size of 0. So every netdev_priv() dereference is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event with a VLAN as its new upper: $ ip link add dummy1 type dummy $ ip link add link dummy1 name dummy1.100 type vlan id 100 [ 43.309174] ================================================================== [ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8 [ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374 [ 43.330058] [ 43.342436] Call trace: [ 43.366542] dsa_user_prechangeupper+0x30/0xe8 [ 43.371024] dsa_user_netdevice_event+0xb38/0xee8 [ 43.375768] notifier_call_chain+0xa4/0x210 [ 43.379985] raw_notifier_call_chain+0x24/0x38 [ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8 [ 43.389120] netdev_upper_dev_link+0x70/0xa8 [ 43.393424] register_vlan_dev+0x1bc/0x310 [ 43.397554] vlan_newlink+0x210/0x248 [ 43.401247] rtnl_newlink+0x9fc/0xe30 [ 43.404942] rtnetlink_rcv_msg+0x378/0x580 Avoid the kernel oops by dereferencing after the type check, as customary.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel bug can crash systems when certain network device relationship changes are processed. The flaw is in Distributed Switch Architecture event handling and stems from reading device-private memory before confirming the device type. The provided sources show a kernel oops example, but no evidence of active exploitation.

Executive priority

Prioritize patching where untrusted users or containers can perform network administration actions, and for appliances using Linux switch or VLAN features. Broad emergency response is not supported by the supplied evidence because severity, CVSS, and exploitation evidence are absent.

Technical view

The DSA netdevice notifier called netdev_priv() and dereferenced dsa_user_priv data for NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER events before verifying the netdevice was a DSA user device. Non-DSA devices, especially dummy devices with zero private data, can trigger an invalid read and KASAN slab-out-of-bounds oops. Fixes move dereferencing after type validation.

Likely exposure

Exposure is likely limited to Linux systems running affected kernel versions with relevant networking features available. Systems allowing local network administration operations, container networking, VLAN creation, dummy interfaces, or embedded switch configurations deserve priority review. The bundle does not prove remote exposure.

Exploitation context

The source example uses local network link operations to trigger a kernel oops. KEV is false, and the supplied bundle provides no cited evidence of active exploitation or public weaponization. Treat this primarily as a stability and potential denial-of-service risk pending vendor-specific guidance.

Researcher notes

The root issue is an ordering bug: dsa_user_to_port() dereferenced assumed DSA private data before checking the netdevice type. The demonstrated impact is slab out-of-bounds read leading to kernel oops. Sources identify stable commits, but the bundle does not provide CVSS, CWE, or complete affected range detail.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable fixes.
  • Apply distribution kernel advisories, including Debian LTS where applicable.
  • Check Siemens ProductCERT guidance for affected Siemens products.
  • Restrict local network administration privileges to trusted users.
  • Review container privileges that allow network device creation or VLAN changes.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded products.
  • Compare installed kernels against affected versions and stable fix commits.
  • Check whether dummy, VLAN, DSA, or switchdev networking features are enabled.
  • Review vendor advisories for packaged kernel backports or product-specific status.
  • Confirm patched systems no longer report this CVE in vulnerability scans.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-26596 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux4c3f80d22b2eca911143ce656fa45c4699ff5bf4, 4c3f80d22b2eca911143ce656fa45c4699ff5bf4, 4c3f80d22b2eca911143ce656fa45c4699ff5bf4, 4c3f80d22b2eca911143ce656fa45c4699ff5bf4unaffected
LinuxLinux6.1, 0, 6.1.129, 6.6.55, 6.7.2, 6.8affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.