LiveActive security incident?Get immediate response
CVE Record

CVE-2024-26752: l2tp: pass correct message length to ip6_append_data

In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-26752 is a Linux kernel L2TP-over-IPv6 bug where the kernel used the wrong message length calculation. The documented result is corrupted packets on the wire, not a proven takeover or data theft path. Priority depends on whether affected Linux kernels run systems using L2TP with IPv6.

Executive priority

Handle through normal kernel patch governance, with higher priority for VPN, tunneling, or network-edge systems. There is no source-backed evidence of active exploitation, but affected kernel networking code should not remain unpatched indefinitely.

Technical view

In l2tp_ip6_sendmsg, C operator precedence caused ulen to resolve incorrectly, effectively using the transport header length for nonzero messages. This double-counted transport header handling when appending data to a partially occupied skbuff. Kernel stable commits correct the calculation with parentheses.

Likely exposure

Exposure is most likely on Linux systems running affected kernel builds with L2TP over IPv6 enabled or used. General Linux servers without L2TP/IPv6 use have lower practical exposure. The supplied version data requires vendor package mapping before declaring specific fleet impact.

Exploitation context

The bundle does not show CISA KEV listing, public exploitation, exploit code, or a CVSS score. The stated observable impact is corrupted packets. Treat active exploitation as unproven based on the provided sources.

Researcher notes

The source evidence is narrow: it documents a corrected length calculation and packet corruption. It does not establish confidentiality, privilege escalation, remote code execution, or denial-of-service impact. Validate exposure by kernel lineage and L2TP IPv6 usage, not CVE presence alone.

Mitigation direction

  • Update affected Linux kernels to vendor releases containing the stable fix.
  • Prioritize systems using L2TP, IPv6 tunneling, VPN, or network edge roles.
  • Review Debian LTS advisories if running Debian LTS kernels.
  • If immediate patching is blocked, check vendor guidance for supported mitigations.
  • Avoid declaring remediation complete until package versions map to fixed kernel builds.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and VPN endpoints.
  • Identify hosts with L2TP over IPv6 enabled or in active use.
  • Map installed vendor kernel packages to the referenced stable fixes.
  • Confirm post-update kernels include the corrected l2tp_ip6_sendmsg patch.
  • Check network monitoring for unexplained L2TP IPv6 packet corruption symptoms.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-26752 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux559d697c5d072593d22b3e0bd8b8081108aeaf59, 1fc793d68d50dee4782ef2e808913d5dd880bcc6, 96b2e1090397217839fcd6c9b6d8f5d439e705ed, cd1189956393bf850b2e275e37411855d3bd86bb, f6a7182179c0ed788e3755ee2ed18c888ddcc33f, 9d4c75800f61e5d75c1659ba201b6c0c7ead3070, 9d4c75800f61e5d75c1659ba201b6c0c7ead3070, 9d4c75800f61e5d75c1659ba201b6c0c7ead3070, 7626b9fed53092aa2147978070e610ecb61af844, fe80658c08e3001c80c5533cd41abfbb0e0e28fd, 4.19.296, 5.4.258, 5.10.198, 5.15.135, 6.1.57, 4.14.327, 6.5.7unaffected
LinuxLinux6.6, 0, 4.19.308, 5.4.270, 5.10.211, 5.15.150, 6.1.80, 6.6.19, 6.7.7, 6.8affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.