In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent.
Published 2024-04-03 17:15:52
Updated 2024-04-03 17:24:18
Source Linux
View at NVD,

Exploit prediction scoring system (EPSS) score for CVE-2024-26752

Probability of exploitation activity in the next 30 days EPSS Score History
~ 11 %
Percentile, the proportion of vulnerabilities that are scored at or less

References for CVE-2024-26752

Products affected by CVE-2024-26752

The following product & version information is provided by We provide product & version information for most CVEs even if they are not available from NVD.
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to terms of use!