CVE-2024-36933: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-36933 is a vulnerability discovered in the Linux kernel's Network Service Header (NSH) protocol implementation. The issue was identified in May 2024 and affects the nshgsosegment() function, which handles Generic Segmentation Offload (GSO) packets (NVD).

The vulnerability occurs in the NSH GSO handler's handling of protocol headers. The nshgsosegment() function incorrectly manages skb->protocol, data, and macheader for outer headers when processing GSO packets with layered protocols (ETHP8021AD + ETHPNSH + ETHPIPV6 + IPPROTOUDP). Two specific issues were identified: after setting protocol and pushing NSH header, skb->data points incorrectly to the NSH header causing outer header stripping, and the function fails to handle data shifts in the linear buffer during UDP fragmentation (Kernel Commit).

The vulnerability could lead to disclosure of sensitive information, modification of data, or Denial of Service (DoS). It has received a CVSS v3.1 score of 8.1 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

The vulnerability has been patched in various Linux kernel versions. The fix involves properly calculating the outer header position relative to the inner header and correctly setting skb->{data,mac_header,protocol} properties. Multiple distributions have released security updates, including Red Hat Enterprise Linux (RHSA) and Ubuntu (USN).