CVE-2024-26921 Overview
CVE-2024-26921 is a Linux kernel vulnerability in the IPv4 fragmentation reassembly path (inet_defrag). The flaw allows a socket reference (skb->sk) to be released while still in use during fragment reassembly in the transmit pipeline. Functions such as ip_local_out() pass skb->sk as an argument, and if reassembly occurs before the function returns, the socket can be freed prematurely. This affects fragments reassembled through netfilter, Open vSwitch, or ct_act.c when invoked from the tx pipeline. The vulnerability impacts availability and can lead to kernel memory corruption or system instability.
Critical Impact
A local user can trigger kernel-level memory accounting underflow or use-after-free conditions in the IPv4 defragmentation engine, resulting in denial of service on affected Linux systems.
Affected Products
- Linux Kernel (multiple stable branches prior to the fixed commits)
- Linux Kernel 6.9-rc1
- Debian LTS distributions shipping affected kernel versions
Discovery Timeline
- 2024-04-18 - CVE-2024-26921 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-26921
Vulnerability Analysis
The vulnerability stems from premature socket orphaning in the IPv4 fragment reassembly path. When ip_defrag() runs in the output path, it implicitly calls skb_orphan(), which detaches the socket from the socket buffer. However, the output path relies on skb->sk remaining valid until transmission completes.
When the kernel processes fragmented packets through netfilter hooks, Open vSwitch, or connection tracking actions (ct_act.c) during transmission, the reassembly engine can release the socket reference while upstream callers still hold pointers to it. Downstream components such as the Fair Queue (FQ) packet scheduler and net/ipv4/ip_output.c depend on a valid inet socket attached to the skb.
The issue is further complicated by refragmentation. If ip_do_fragment() runs immediately after reassembly, it copies head->sk to the new fragments and attaches sock_wfree as the destructor. This requires the sk_wmem accounting to reflect the fully reassembled skb; otherwise the socket write memory counters underflow.
Root Cause
The root cause is incorrect lifetime management of the socket reference during fragment reassembly. The ip_defrag_offset field is aliased with the sk_buff->sk member, forcing early orphaning that clobbers the socket pointer before downstream code consumes it. The fix moves the orphan operation deeper into the reassembly core and relocates the offset into FRAG_CB, preserving skb->sk until the reassembly outcome is known.
Attack Vector
A local attacker with the ability to send crafted fragmented IPv4 traffic through a network path that invokes netfilter conntrack, Open vSwitch, or ct_act.c reassembly during transmission can trigger the flaw. Exploitation does not require elevated privileges beyond the ability to generate network traffic, and the impact is concentrated on system availability through kernel instability or memory accounting corruption.
No public proof-of-concept exploit code is available for CVE-2024-26921. The vulnerability mechanism is documented in the upstream kernel commit messages referenced in the vendor advisories.
Detection Methods for CVE-2024-26921
Indicators of Compromise
- Kernel log entries referencing sk_wmem underflow, WARN_ON conditions in inet_frag.c, or use-after-free reports from KASAN in IPv4 reassembly paths
- Unexpected kernel panics or oopses correlated with fragmented IPv4 traffic on systems using netfilter conntrack, Open vSwitch, or eBPF-based connection tracking
- Degraded throughput or stalls in FQ-scheduled queues following fragmented traffic bursts
Detection Strategies
- Audit running kernel versions against the fixed commits listed in the vendor advisories using uname -r and distribution package metadata
- Enable KASAN and kernel debug logging in test environments to surface use-after-free conditions in ip_defrag() and related reassembly functions
- Monitor dmesg and /var/log/kern.log for warnings originating from net/ipv4/inet_fragment.c and net/ipv4/ip_fragment.c
Monitoring Recommendations
- Track kernel crash and reboot frequency on hosts running Open vSwitch, OVN, or netfilter-heavy workloads such as Kubernetes nodes
- Forward kernel logs to a centralized logging or SIEM platform and alert on stack traces involving inet_frag_queue, ip_defrag, or skb_orphan
- Correlate spikes in fragmented IPv4 traffic with kernel instability events on edge and gateway systems
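As an added example (not code from the advisory or from the kernel project), the following Python groups syslog-style kernel log lines into trace events and flags the ones matching the indicators above: WARN_ON hits in the IPv4 fragment files, KASAN use-after-free reports whose frames include ip_defrag, inet_frag_queue, skb_orphan or sock_wfree, and sk_wmem underflow messages. The sample log, its symbol offsets and the wording of the underflow message are constructed assumptions.

```python
import re
# Constructed sample kern.log (not from a real incident): a WARN_ON in the fragment code,
# a KASAN use-after-free via skb_orphan/ip_defrag, and an unrelated KASAN report.
SAMPLE_KERN_LOG = """\
Mar 21 10:02:13 gw1 kernel: [  122.410] WARNING: CPU: 2 PID: 0 at net/ipv4/inet_fragment.c:412 inet_frag_queue_insert+0x1a0/0x1c0
Mar 21 10:02:13 gw1 kernel: [  122.412]  ip_defrag+0x2f3/0x6a0
Mar 21 10:02:13 gw1 kernel: [  122.413] ---[ end trace 0000000000000000 ]---
Mar 21 10:05:40 gw1 kernel: [  329.700] BUG: KASAN: use-after-free in sock_wfree+0x44/0x1f0
Mar 21 10:05:40 gw1 kernel: [  329.701]  skb_orphan+0x18/0x80
Mar 21 10:05:40 gw1 kernel: [  329.702]  ip_defrag+0x2f3/0x6a0
Mar 21 10:09:02 gw1 kernel: [  531.100] BUG: KASAN: use-after-free in ext4_writepages+0x9c/0x5a0
Mar 21 10:09:02 gw1 kernel: [  531.101]  ext4_writepages+0x9c/0x5a0
"""
# Symbols from the advisory's indicators; matched by prefix, so inet_frag_queue_insert counts.
WATCH = ("ip_defrag", "inet_frag_queue", "skb_orphan", "sock_wfree", "ip_do_fragment")
FRAG_FILES = re.compile(r"net/ipv4/(inet_fragment|ip_fragment)\.c")
HEADER = re.compile(r"WARNING: CPU|BUG: KASAN: use-after-free|sk_wmem.*underflow")
SYMBOL = re.compile(r"(?:^\s*| in )([A-Za-z_][A-Za-z0-9_.]*)\+0x")
PREFIX = re.compile(r"^.*kernel:\s*\[\s*[\d.]+\]\s?")  # strip syslog/dmesg timestamp prefix

def split_events(lines):
    """Group log lines into (header, [frame symbols]) trace events."""
    events, cur = [], None
    for raw in lines:
        msg = PREFIX.sub("", raw.rstrip())
        if HEADER.search(msg):  # new WARNING / KASAN / underflow event
            cur = (msg, [])
            events.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("---[ end trace"):
            cur = None  # trace closed; later lines belong to no event
        elif (m := SYMBOL.match(msg)):
            cur[1].append(m.group(1))
    return events

def classify(header, frames):
    """Reason string if the event matches the advisory's indicators, else None."""
    if "sk_wmem" in header:
        return "sk_wmem underflow"
    if header.startswith("WARNING") and FRAG_FILES.search(header):
        return "WARN_ON in IPv4 fragment code"
    hits = sorted({s for s in frames + SYMBOL.findall(header) if s.startswith(WATCH)})
    if header.startswith("BUG: KASAN") and hits:
        return "KASAN use-after-free touching " + ", ".join(hits)
    return None

def scan(text):
    found = [(classify(h, f), h) for h, f in split_events(text.splitlines())]
    return [(r, h) for r, h in found if r]  # only flagged events; unrelated KASAN dropped
```

Feed `scan()` the output of `journalctl -k` or the contents of /var/log/kern.log; the unrelated ext4 report in the sample is parsed but not flagged.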
How to Mitigate CVE-2024-26921
Immediate Actions Required
- Inventory all Linux systems and identify kernels predating the upstream fix commits referenced in the Linux kernel stable advisories
- Apply distribution-provided kernel updates, including those announced in the Debian LTS advisory
- Reboot updated systems to load the patched kernel, as live patching may not cover all affected code paths
- Prioritize patching on hosts running Open vSwitch, container networking stacks, or netfilter connection tracking
Patch Information
The Linux kernel maintainers released fixes across multiple stable branches. Relevant upstream commits include 18685451fc4e, 1b6de5e6575b, 4318608dc28e, 7d0567842b78, 9705f447bf9a, e09cbe017311, and f4877225313d. The patches relocate ip_defrag_offset into FRAG_CB and defer skb_orphan() until the reassembly engine determines whether the skb is queued or completing the reassembly.
Workarounds
- Where patching is not immediately feasible, disable netfilter connection tracking on the transmit path for workloads that do not require it
- Avoid running Open vSwitch or ct_act.c actions on kernels predating the fix when handling untrusted fragmented IPv4 traffic
- Restrict the ability of untrusted local users to generate arbitrary fragmented IPv4 traffic via network namespace isolation and tightened iptables rules
# Show the running kernel version; compare it against the fixed versions in your distribution's advisory
uname -r
# Debian/Ubuntu: update kernel and reboot
sudo apt update && sudo apt upgrade linux-image-$(uname -r | sed 's/.*-//')
sudo reboot
# RHEL/CentOS/Rocky: update kernel and reboot
sudo dnf update kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.