CVE-2024-26921 Overview
CVE-2024-26921 is a vulnerability in the Linux kernel's IPv4 fragment reassembly mechanism (inet_defrag) that can lead to a denial of service condition. The flaw exists in the way the kernel handles socket (sk) references during IP packet defragmentation in the output path, potentially causing premature socket release while still in use by downstream network functions.
Critical Impact
Local attackers with low privileges can trigger a denial of service by exploiting improper socket reference handling during fragmented packet reassembly, leading to kernel crashes or system instability.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 6.9-rc1
- Systems using netfilter, Open vSwitch, or ct_act.c modules for fragmented packet handling
Discovery Timeline
- April 18, 2024 - CVE-2024-26921 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-26921
Vulnerability Analysis
The vulnerability occurs in the Linux kernel's IP defragmentation code path when handling fragmented packets in the transmit (TX) pipeline. Functions such as ip_local_out() pass skb->sk (socket buffer's socket reference) as a function argument. When a fragmented packet is reassembled via ip_defrag() before the function returns, the socket reference can be prematurely released through skb_orphan(), causing a use-after-free condition.
This issue specifically affects packet fragments processed through netfilter or similar modules like Open vSwitch (openvswitch) or connection tracking (ct_act.c). When ip_defrag() is called in the output path, it implicitly orphans the socket buffer, which is problematic because downstream components like the FQ (Fair Queue) packet scheduler depend on the socket reference remaining valid.
The root of the problem lies in the aliasing of ip_defrag_offset with the sk_buff->sk member, which causes the socket reference to be corrupted during defragmentation processing.
Root Cause
The root cause is improper socket reference management during IP fragment reassembly. The ip_defrag() function calls skb_orphan() unconditionally, which releases the socket reference too early. This is problematic when the packet is processed in the output path where downstream functions (such as packet schedulers and routing code) rely on skb->sk being valid and pointing to an inet socket.
Additionally, the ip_defrag_offset field is aliased with sk_buff->sk, meaning that storing the fragment offset overwrites the socket reference, leading to memory corruption.
Attack Vector
This vulnerability requires local access with low privileges to exploit. An attacker can trigger the vulnerability by:
- Crafting or manipulating network traffic that results in fragmented IP packets being processed through the TX pipeline
- Ensuring the packets traverse modules like netfilter, Open vSwitch, or connection tracking
- Timing the fragment reassembly to occur while socket references are still needed by downstream packet processing functions
The exploitation leads to socket memory accounting underflow (sk_wmem), potential use-after-free conditions, and ultimately kernel crashes or system instability.
The fix moves the socket orphaning operation to the last possible moment, relocates the offset into the FRAG_CB structure to prevent socket reference corruption, and properly handles socket reference stealing and write memory accounting during reassembly completion.
Detection Methods for CVE-2024-26921
Indicators of Compromise
- Unexpected kernel panics or oops messages referencing ip_defrag, inet_frag, or socket-related functions
- Write memory (sk_wmem) accounting errors or underflows in kernel logs
- System instability when handling fragmented IP traffic through netfilter or Open vSwitch
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for crashes involving ip_defrag(), skb_orphan(), or socket-related null pointer dereferences
- Deploy SentinelOne Singularity Platform to detect anomalous kernel behavior and potential exploitation attempts
- Implement network monitoring to identify unusual patterns of fragmented traffic targeting vulnerable systems
Monitoring Recommendations
- Enable kernel crash dump collection to capture diagnostic information for analysis
- Monitor systems running Open vSwitch, netfilter with connection tracking, or other packet processing modules for unusual behavior
- Use SentinelOne's behavioral AI to detect and respond to kernel-level anomalies in real-time
How to Mitigate CVE-2024-26921
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this vulnerability
- Prioritize patching on systems that process significant amounts of fragmented IP traffic
- Review and audit systems running Open vSwitch, netfilter, or connection tracking modules
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix moves the orphaning operation to the core at the last possible moment, relocates the fragment offset into FRAG_CB to prevent socket reference corruption, and properly handles socket reference management during reassembly.
Patches are available through the kernel git repository:
- Kernel Patch Commit 18685451fc4e
- Kernel Patch Commit 1b6de5e6575b
- Kernel Patch Commit 4318608dc28e
- Kernel Patch Commit 7d0567842b78
Debian users should refer to the Debian LTS Security Announcement for distribution-specific updates.
Workarounds
- If immediate patching is not possible, consider limiting exposure by reducing fragmented traffic processing through affected modules
- Monitor systems closely for signs of instability while awaiting patch deployment
- Implement network segmentation to limit local access to potentially vulnerable systems
# Check current kernel version
uname -r
# Verify if your distribution has released patches
# For Debian/Ubuntu:
apt-cache policy linux-image-$(uname -r)
# For RHEL/CentOS:
yum info kernel-$(uname -r)
# Apply available security updates
# Debian/Ubuntu:
sudo apt update && sudo apt upgrade
# RHEL/CentOS:
sudo yum update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
