NVD

CVE-2024-26733 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 </TASK>

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 5.5 MEDIUM

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a	CVE, kernel.org	Patch
https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50	CVE, kernel.org	Patch
https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91	CVE, kernel.org	Patch
https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667	CVE, kernel.org	Patch
https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587	CVE, kernel.org	Patch
https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0	CVE, kernel.org	Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html	CVE	Mailing List
https://security.netapp.com/advisory/ntap-20241101-0013/	CVE	Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-787	Out-of-bounds Write	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

9 change records found show changes

CVE Modified by kernel.org 6/17/2026 3:18:12 AM

Action

Type

Old Value

New Value

Added

Affected

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv4/arp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"97eaa2955db4120ce6ec2ef123e860bc32232c50","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"f119f2325ba70cbfdec701000dcad4d88805d5b0","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"a3f2c083cb575d80a7627baf3339e78fedccbb91","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"a7d6027790acea24446ddd6632d394096c0f4667","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv4/arp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.12","status":"affected"},{"version":"0","lessThan":"2.6.12","versionType":"semver","status":"unaffected"},{"version":"5.10.211","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.150","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.80","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.19","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.7.7","lessThanOrEqual":"6.7.*","versionType":"semver","status":"unaffected"},{"version":"6.8","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

Initial Analysis by NIST 3/17/2025 12:02:47 PM

Action	Type	New Value
Added	CVSS V3.1	AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE	CWE-787
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:8200_firmware:-::::::: OR cpe:2.3:h:netapp:8200::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:8300_firmware:-::::::: OR cpe:2.3:h:netapp:8300::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:8700_firmware:-::::::: OR cpe:2.3:h:netapp:8700::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:9000_firmware:-::::::: OR cpe:2.3:h:netapp:9000::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:9500_firmware:-::::::: OR cpe:2.3:h:netapp:9500::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a150_firmware:-::::::: OR cpe:2.3:h:netapp:a150::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a1k_firmware:-::::::: OR cpe:2.3:h:netapp:a1k::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a220_firmware:-::::::: OR cpe:2.3:h:netapp:a220::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a300_firmware:-::::::: OR cpe:2.3:h:netapp:a300::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a320_firmware:-::::::: OR cpe:2.3:h:netapp:a320::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a400_firmware:-::::::: OR cpe:2.3:h:netapp:a400::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a700_firmware:-::::::: OR cpe:2.3:h:netapp:a700::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a700s_firmware:-::::::: OR cpe:2.3:h:netapp:a700s::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a70_firmware:-::::::: OR cpe:2.3:h:netapp:a70::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a800_firmware:-::::::: OR cpe:2.3:h:netapp:a800::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a900_firmware:-::::::: OR cpe:2.3:h:netapp:a900::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:a90_firmware:-::::::: OR cpe:2.3:h:netapp:a90::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:c190_firmware:-::::::: OR cpe:2.3:h:netapp:c190::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:c400_firmware:-::::::: OR cpe:2.3:h:netapp:c400::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:c800_firmware:-::::::: OR cpe:2.3:h:netapp:c800::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:fas2720_firmware:-::::::: OR cpe:2.3:h:netapp:fas2720::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:fas2750_firmware:-::::::: OR cpe:2.3:h:netapp:fas2750::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:fas2820_firmware:-::::::: OR cpe:2.3:h:netapp:fas2820::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:h610c_firmware:-::::::: OR cpe:2.3:h:netapp:h610c::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:h610s_firmware:-::::::: OR cpe:2.3:h:netapp:h610s::::::::
Added	CPE Configuration	AND OR cpe:2.3:o:netapp:h615c_firmware:-::::::: OR cpe:2.3:h:netapp:h615c::::::::
Added	CPE Configuration	OR cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::* versions from (including) 11.0.0 up to (including) 11.70.2
Added	CPE Configuration	OR cpe:2.3:o:debian:debian_linux:10.0:::::::
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel:6.8:rc1::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.16 up to (excluding) 6.1.80 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.11 up to (excluding) 5.15.150 cpe:2.3:o:linux:linux_kernel:6.8:rc3::::::* cpe:2.3:o:linux:linux_kernel:6.8:rc4::::::* cpe:2.3:o:linux:linux_kernel:6.8:rc2::::::* cpe:2.3:o:linux:linux_kernel:5.10.211::::::: cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 2.6.12 up to (excluding) 5.10.211 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.2 up to (excluding) 6.6.19 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7 up to (excluding) 6.7.7 cpe:2.3:o:linux:linux_kernel:6.8:rc5::::::*
Added	Reference Type	CVE: https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a Types: Patch
Added	Reference Type	CVE: https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50 Types: Patch
Added	Reference Type	CVE: https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91 Types: Patch
Added	Reference Type	CVE: https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667 Types: Patch
Added	Reference Type	CVE: https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587 Types: Patch
Added	Reference Type	CVE: https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0 Types: Patch
Added	Reference Type	CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Types: Mailing List
Added	Reference Type	CVE: https://security.netapp.com/advisory/ntap-20241101-0013/ Types: Third Party Advisory
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0 Types: Patch

CVE Modified by CVE 11/21/2024 4:02:56 AM

Action	Type	New Value
Added	Reference	https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
Added	Reference	https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50
Added	Reference	https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91
Added	Reference	https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667
Added	Reference	https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
Added	Reference	https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0
Added	Reference	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Added	Reference	https://security.netapp.com/advisory/ntap-20241101-0013/

New CVE Received from kernel.org 4/03/2024 1:15:51 PM

Action	Type	New Value
Added	Description	Record truncated, showing 2048 of 3422 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES:
Added	Reference	kernel.org https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0 [No types assigned]

Quick Info

CVE Dictionary Entry:
CVE-2024-26733
NVD Published Date:
04/03/2024
NVD Last Modified:
06/17/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2024-26733 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by CISA-ADP 6/17/2026 3:18:12 AM

CVE Modified by kernel.org 6/17/2026 3:18:12 AM

Initial Analysis by NIST 3/17/2025 12:02:47 PM

CVE Modified by CVE 11/21/2024 4:02:56 AM

CVE Modified by kernel.org 11/05/2024 5:15:45 AM

CVE Modified by kernel.org 6/25/2024 7:15:25 PM

CVE Modified by kernel.org 5/29/2024 2:16:59 AM

CVE Modified by kernel.org 5/14/2024 11:09:57 AM

New CVE Received from kernel.org 4/03/2024 1:15:51 PM

Quick Info