ID

VAR-202410-3207


CVE

CVE-2024-49949


TITLE

Linux  of  Linux Kernel  In  NULL  Pointer dereference vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-012433

DESCRIPTION

In the Linux kernel, the following vulnerability has been resolved: net: avoid potential underflow in qdisc_pkt_len_init() with UFO After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had sanity check to detect malicious attempts from user space to cook a bad GSO packet. Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") while fixing one issue, allowed user space to cook a GSO packet with the following characteristic : IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len Then the following sets gso_segs to 0 : gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size); Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/ qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; This leads to the following crash in fq_codel [1] qdisc_pkt_len_init() is best effort, we only want an estimation of the bytes sent on the wire, not crashing the kernel. This patch is fixing this particular issue, a following one adds more sanity checks for another potential bug. [1] [ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 70.724561] #PF: supervisor read access in kernel mode [ 70.724561] #PF: error_code(0x0000) - not-present page [ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 [ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI [ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 [ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 All code ======== 0: 24 08 and $0x8,%al 2: 49 c1 e1 06 shl $0x6,%r9 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) b: 45 31 ed xor %r13d,%r13d e: 45 31 c0 xor %r8d,%r8d 11: 31 ff xor %edi,%edi 13: 89 44 24 14 mov %eax,0x14(%rsp) 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 1e: eb 04 jmp 0x24 20: 39 ca cmp %ecx,%edx 22: 73 37 jae 0x5b 24: 4d 8b 39 mov (%r9),%r15 27: 83 c7 01 add $0x1,%edi 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction 2d: 49 89 11 mov %rdx,(%r9) 30: 41 8b 57 28 mov 0x28(%r15),%edx 34: 45 8b 5f 34 mov 0x34(%r15),%r11d 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 3f: 49 rex.WB Code starting with the faulting instruction =========================================== 0: 49 8b 17 mov (%r15),%rdx 3: 49 89 11 mov %rdx,(%r9) 6: 41 8b 57 28 mov 0x28(%r15),%edx a: 45 8b 5f 34 mov 0x34(%r15),%r11d e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 15: 49 rex.WB [ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 [ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 [ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 [ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 [ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 [ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 [ 70.724561] CS: 0010 DS: 0000 ES: 0000 C ---truncated---. Linux of Linux Kernel for, NULL There is a vulnerability in pointer dereference.Service operation interruption (DoS) It may be in a state. The RUGGEDCOM RST2428P is a Layer 2 Ethernet switch based on SINEC OS with up to 28 non-blocking interfaces. SCALANCE X switches are used to connect industrial components such as programmable logic controllers (PLCs) and human-machine interfaces (HMIs). Multiple vulnerabilities exist in third-party components prior to SIEMENS SINEC OS V3.2. These vulnerabilities could be exploited to corrupt values, leading to undefined behavior or security issues

Trust: 2.16

sources: NVD: CVE-2024-49949 // JVNDB: JVNDB-2024-012433 // CNVD: CNVD-2025-19350

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-19350

AFFECTED PRODUCTS

vendor:linuxmodel:kernelscope:eqversion:6.12

Trust: 1.8

vendor:linuxmodel:kernelscope:ltversion:5.10

Trust: 1.0

vendor:linuxmodel:kernelscope:ltversion:6.10.14

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:6.2

Trust: 1.0

vendor:linuxmodel:kernelscope:ltversion:5.10.227

Trust: 1.0

vendor:linuxmodel:kernelscope:ltversion:5.15.168

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:4.19.218

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:5.15.5

Trust: 1.0

vendor:linuxmodel:kernelscope:ltversion:4.19

Trust: 1.0

vendor:linuxmodel:kernelscope:ltversion:5.4

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:5.4.162

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:5.16

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:6.11

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:4.14.256

Trust: 1.0

vendor:linuxmodel:kernelscope:ltversion:6.6.55

Trust: 1.0

vendor:linuxmodel:kernelscope:ltversion:6.1.113

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:6.7

Trust: 1.0

vendor:linuxmodel:kernelscope:ltversion:6.11.3

Trust: 1.0

vendor:linuxmodel:kernelscope:gteversion:5.10.82

Trust: 1.0

vendor:linuxmodel:kernelscope:eqversion:6.7 that's all 6.10.14

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion:4.19.218 that's all 5.4

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion:5.4.162 that's all 5.10

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion: -

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion:6.11 that's all 6.11.3

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion:5.10.82 that's all 5.10.227

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion:5.15.5 that's all 5.15.168

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion:4.14.256 that's all 4.19

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion:5.16 that's all 6.1.113

Trust: 0.8

vendor:linuxmodel:kernelscope:eqversion:6.2 that's all 6.6.55

Trust: 0.8

vendor:siemensmodel:ruggedcom rst2428pscope:ltversion:v3.2

Trust: 0.6

vendor:siemensmodel:scalance xc-300/xr-300/xc-400/xr-500wg/xr-500 familyscope:ltversion:v3.2

Trust: 0.6

vendor:siemensmodel:scalance xcm-/xrm-/xch-/xrh-300 familyscope:ltversion:v3.2

Trust: 0.6

sources: CNVD: CNVD-2025-19350 // JVNDB: JVNDB-2024-012433 // NVD: CVE-2024-49949

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2024-49949
value: MEDIUM

Trust: 1.0

NVD: CVE-2024-49949
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2025-19350
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-19350
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2024-49949
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2024-49949
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-19350 // JVNDB: JVNDB-2024-012433 // NVD: CVE-2024-49949

PROBLEMTYPE DATA

problemtype:CWE-476

Trust: 1.0

problemtype:NULL Pointer dereference (CWE-476) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-012433 // NVD: CVE-2024-49949

PATCH

title:Linux Kernel Archivesurl:https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d

Trust: 0.8

title:Patch for Multiple vulnerabilities exist in third-party components of SIEMENS SINEC OS V3.2 and earlierurl:https://www.cnvd.org.cn/patchInfo/show/723061

Trust: 0.6

sources: CNVD: CNVD-2025-19350 // JVNDB: JVNDB-2024-012433

EXTERNAL IDS

db:NVDid:CVE-2024-49949

Trust: 2.6

db:SIEMENSid:SSA-355557

Trust: 1.6

db:SIEMENSid:SSA-265688

Trust: 1.0

db:SIEMENSid:SSA-398330

Trust: 1.0

db:JVNDBid:JVNDB-2024-012433

Trust: 0.8

db:CNVDid:CNVD-2025-19350

Trust: 0.6

sources: CNVD: CNVD-2025-19350 // JVNDB: JVNDB-2024-012433 // NVD: CVE-2024-49949

REFERENCES

url:https://cert-portal.siemens.com/productcert/html/ssa-355557.html

Trust: 1.6

url:https://cert-portal.siemens.com/productcert/html/ssa-398330.html

Trust: 1.0

url:https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1

Trust: 1.0

url:https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac

Trust: 1.0

url:https://cert-portal.siemens.com/productcert/html/ssa-265688.html

Trust: 1.0

url:https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c

Trust: 1.0

url:https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c

Trust: 1.0

url:https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b

Trust: 1.0

url:https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

Trust: 1.0

url:https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Trust: 1.0

url:https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1

Trust: 1.0

url:https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72

Trust: 1.0

url:https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174

Trust: 1.0

url:https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2024-49949

Trust: 0.8

sources: CNVD: CNVD-2025-19350 // JVNDB: JVNDB-2024-012433 // NVD: CVE-2024-49949

SOURCES

db:CNVDid:CNVD-2025-19350
db:JVNDBid:JVNDB-2024-012433
db:NVDid:CVE-2024-49949

LAST UPDATE DATE

2026-06-18T19:08:48.328000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2025-19350date:2025-08-22T00:00:00
db:JVNDBid:JVNDB-2024-012433date:2024-11-13T01:17:00
db:NVDid:CVE-2024-49949date:2026-05-12T12:17:18.633

SOURCES RELEASE DATE

db:CNVDid:CNVD-2025-19350date:2025-08-12T00:00:00
db:JVNDBid:JVNDB-2024-012433date:2024-11-13T00:00:00
db:NVDid:CVE-2024-49949date:2024-10-21T18:15:16.323