CVE-2024-26596: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
After the blamed commit, we started doing this dereference for every
NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.
static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
{
struct dsa_user_priv *p = netdev_priv(dev);
return p->dp;
}
Which is obviously bogus, because not all net_devices have a netdev_priv()
of type struct dsa_user_priv. But struct dsa_user_priv is fairly small,
and p->dp means dereferencing 8 bytes starting with offset 16. Most
drivers allocate that much private memory anyway, making our access not
fault, and we discard the bogus data quickly afterwards, so this wasn't
caught.
But the dummy interface is somewhat special in that it calls
alloc_netdev() with a priv size of 0. So every netdev_priv() dereference
is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event
with a VLAN as its new upper:
$ ip link add dummy1 type dummy
$ ip link add link dummy1 name dummy1.100 type vlan id 100
[ 43.309174] ==================================================================
[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8
[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374
[ 43.330058]
[ 43.342436] Call trace:
[ 43.366542] dsa_user_prechangeupper+0x30/0xe8
[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8
[ 43.375768] notifier_call_chain+0xa4/0x210
[ 43.379985] raw_notifier_call_chain+0x24/0x38
[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8
[ 43.389120] netdev_upper_dev_link+0x70/0xa8
[ 43.393424] register_vlan_dev+0x1bc/0x310
[ 43.397554] vlan_newlink+0x210/0x248
[ 43.401247] rtnl_newlink+0x9fc/0xe30
[ 43.404942] rtnetlink_rcv_msg+0x378/0x580
Avoid the kernel oops by dereferencing after the type check, as customary.
Security readout for executives and security teams
Plain-English summary
This Linux kernel bug can crash systems when certain network device relationship changes are processed. The flaw is in Distributed Switch Architecture event handling and stems from reading device-private memory before confirming the device type. The provided sources show a kernel oops example, but no evidence of active exploitation.
Executive priority
Prioritize patching where untrusted users or containers can perform network administration actions, and for appliances using Linux switch or VLAN features. Broad emergency response is not supported by the supplied evidence because severity, CVSS, and exploitation evidence are absent.
Technical view
The DSA netdevice notifier called netdev_priv() and dereferenced dsa_user_priv data for NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER events before verifying the netdevice was a DSA user device. Non-DSA devices, especially dummy devices with zero private data, can trigger an invalid read and KASAN slab-out-of-bounds oops. Fixes move dereferencing after type validation.
Likely exposure
Exposure is likely limited to Linux systems running affected kernel versions with relevant networking features available. Systems allowing local network administration operations, container networking, VLAN creation, dummy interfaces, or embedded switch configurations deserve priority review. The bundle does not prove remote exposure.
Exploitation context
The source example uses local network link operations to trigger a kernel oops. KEV is false, and the supplied bundle provides no cited evidence of active exploitation or public weaponization. Treat this primarily as a stability and potential denial-of-service risk pending vendor-specific guidance.
Researcher notes
The root issue is an ordering bug: dsa_user_to_port() dereferenced assumed DSA private data before checking the netdevice type. The demonstrated impact is slab out-of-bounds read leading to kernel oops. Sources identify stable commits, but the bundle does not provide CVSS, CWE, or complete affected range detail.
Mitigation direction
Update to a Linux kernel containing the referenced stable fixes.
Apply distribution kernel advisories, including Debian LTS where applicable.
Check Siemens ProductCERT guidance for affected Siemens products.
Restrict local network administration privileges to trusted users.
Review container privileges that allow network device creation or VLAN changes.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded products.
Compare installed kernels against affected versions and stable fix commits.
Check whether dummy, VLAN, DSA, or switchdev networking features are enabled.
Review vendor advisories for packaged kernel backports or product-specific status.
Confirm patched systems no longer report this CVE in vulnerability scans.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-26596 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.