CVE-2024-49979: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49979 affects the Linux kernel's networking subsystem, specifically related to TCP fraglist segmentation. The vulnerability was discovered in October 2024 and affects Linux kernel versions 6.10 through 6.10.14, 6.11 through 6.11.3, and 6.12-rc1. The issue occurs in the TCP GSO (Generic Segmentation Offload) fraglist handling when certain datapath hooks like NAT and BPF modify the SKB (socket buffer) structure (NVD).

The vulnerability stems from improper handling of TCP GSO fraglist SKBs after data manipulation by datapath hooks. Valid SKBGSOFRAGLIST SKBs should consist of two or more segments, where the headskb holds protocol headers plus first gsosize, and one or more fraglist SKBs hold exactly one segment. When datapath hooks like NAT and BPF (bpfskbpulldata) modify these SKBs, they can break these invariants, potentially pulling all data into SKB linear. This leads to a NULL pointer dereference in _tcpv4gsosegmentlistcsum at tcphdr(seg->next). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (Kernel Patch).

When exploited, this vulnerability can cause a NULL pointer dereference in the Linux kernel's networking stack, potentially leading to a system crash (denial of service). The issue affects the kernel's ability to properly handle TCP packet segmentation, which could impact network performance and stability (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves detecting TCP GSO fraglist SKBs with corrupted geometry and passing them to skbsegment instead of skbsegmentlist. The patch checks the headskb size to detect invalid geometry due to pull operations and converts the processing to use regular skb_segment when necessary (Kernel Patch).