LiveActive security incident?Get immediate response
CVE Record

CVE-2024-44989: bonding: fix xfrm real_dev null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: bonding: fix xfrm real_dev null pointer dereference We shouldn't set real_dev to NULL because packets can be in transit and xfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume real_dev is set. Example trace: kernel: BUG: unable to handle page fault for address: 0000000000001030 kernel: bond0: (slave eni0np1): making interface the new active one kernel: #PF: supervisor write access in kernel mode kernel: #PF: error_code(0x0002) - not-present page kernel: PGD 0 P4D 0 kernel: Oops: 0002 [#1] PREEMPT SMP kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12 kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim] kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 <83> 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f kernel: bond0: (slave eni0np1): making interface the new active one kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60 kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00 kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014 kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000 kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000 kernel: FS: 00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0 kernel: bond0: (slave eni0np1): making interface the new active one kernel: Call Trace: kernel: <TASK> kernel: ? __die+0x1f/0x60 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ? page_fault_oops+0x142/0x4c0 kernel: ? do_user_addr_fault+0x65/0x670 kernel: ? kvm_read_and_reset_apf_flags+0x3b/0x50 kernel: bond0: (slave eni0np1): making interface the new active one kernel: ? exc_page_fault+0x7b/0x180 kernel: ? asm_exc_page_fault+0x22/0x30 kernel: ? nsim_bpf_uninit+0x50/0x50 [netdevsim] kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ? nsim_ipsec_offload_ok+0xc/0x20 [netdevsim] kernel: bond0: (slave eni0np1): making interface the new active one kernel: bond_ipsec_offload_ok+0x7b/0x90 [bonding] kernel: xfrm_output+0x61/0x3b0 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ip_push_pending_frames+0x56/0x80

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-44989 is a Linux kernel crash bug in network bonding when used with XFRM/IPsec offload behavior. Under certain timing conditions, the kernel can dereference a null device pointer while packets are in transit. The likely business impact is availability loss on affected Linux systems using this networking configuration.

Executive priority

Prioritize patching for Linux systems supporting critical network paths, VPN/IPsec functions, or bonded interfaces. Treat as availability risk rather than confirmed data compromise. Escalate for appliances or OT products where kernel updates depend on vendor firmware releases.

Technical view

The Linux bonding driver could set real_dev to NULL while XFRM concurrently calls xdo_dev_offload_ok(). Bonding and device callbacks assume real_dev remains valid, causing a kernel null pointer dereference and Oops. The source trace shows the path through bond_ipsec_offload_ok(), xfrm_output(), and netdevsim IPsec offload handling.

Likely exposure

Exposure appears limited to Linux systems using bonding with XFRM/IPsec offload paths. The CVE record lists affected Linux kernel ranges and stable fixes. Systems not using bonding or relevant XFRM offload functionality are less likely to be practically exposed, but version and configuration should be verified.

Exploitation context

No active exploitation is indicated in the provided KEV status or cited sources. The described condition is a race involving packets in transit and bonding state changes. Public sources provided do not describe remote exploitability, privilege requirements, or a weaponized exploit.

Researcher notes

The CVE data lacks CVSS, CWE, and detailed exploitability analysis. The root cause is concurrency around real_dev lifetime in bonding and XFRM callbacks. Multiple stable kernel commits and Debian/Siemens advisories indicate vendor remediation activity, but product-specific impact should be validated per distribution or appliance guidance.

Mitigation direction

  • Upgrade to a kernel version containing the referenced stable fixes.
  • Apply Debian LTS or vendor-provided kernel updates where applicable.
  • For Siemens environments, review the linked Siemens ProductCERT advisories.
  • If immediate patching is blocked, consult vendor guidance for safe temporary configuration changes.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded systems.
  • Identify systems using bonding with XFRM or IPsec offload features.
  • Confirm installed kernels include the relevant stable fix commit or distro backport.
  • Review kernel logs for Oops traces involving bonding, xfrm_output, or bond_ipsec_offload_ok.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-44989 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
12Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux18cb261afd7bf50134e5ccacc5ec91ea16efadd4, 18cb261afd7bf50134e5ccacc5ec91ea16efadd4, 18cb261afd7bf50134e5ccacc5ec91ea16efadd4, 18cb261afd7bf50134e5ccacc5ec91ea16efadd4, 18cb261afd7bf50134e5ccacc5ec91ea16efadd4, 18cb261afd7bf50134e5ccacc5ec91ea16efadd4unaffected
LinuxLinux5.9, 0, 5.10.225, 5.15.166, 6.1.107, 6.6.48, 6.10.7, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.