CVE-2024-26733 | arp: Prevent overflow in arp_req_get().

In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 </TASK>

Published: 2024-04-03 Last update: 2025-03-17 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2024-26733 is rated Low Risk (22.1/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.01%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-26733

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-11-21 0.08% 0.01% -0.07%
2 2025-11-18 0.04% 0.08% +0.04%
3 2025-03-30 0.04%

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-26733

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.5 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 3.6 [email protected]

Weakness enumeration for CVE-2024-26733

OS Trackers for CVE-2024-26733

vendor priority summary link
debian not yet assigned CVE-2024-26733 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2024-26733
redhat medium https://access.redhat.com/security/cve/CVE-2024-26733
suse medium CVE-2024-26733 severity moderate: SUSE including 671 source package names (15.5:kernel-default-devel-5.14.21-150500.55.62.2, 15.5:kernel-devel-5.14.21-150500.55.62.2, …), 1386 product×package rows across 299 product lines (Container bci/bci-sle15-kernel-module-devel, Container suse/sle-micro-rancher/5.2, … (299 product lines)): Fixed 1186, Known Affected 200. https://www.suse.com/security/cve/CVE-2024-26733/
ubuntu medium CVE-2024-26733 medium priority: Ubuntu including 160 source packages (linux, linux-allwinner-5.19, …), 1686 status rows across 11 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1267, released 196, ignored 134, not-affected 87, needs-triage 2. https://ubuntu.com/security/CVE-2024-26733

Affected software / configurations for CVE-2024-26733

Vendor Product Version Raw CPE
linux linux_kernel >= 2.6.12, < 5.10.211 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.11, < 5.15.150 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.16, < 6.1.80 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.2, < 6.6.19 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.7, < 6.7.7 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 5.10.211 cpe:2.3:o:linux:linux_kernel:5.10.211:*:*:*:*:*:*:*
linux linux_kernel 6.8 cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
linux linux_kernel 6.8 cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
linux linux_kernel 6.8 cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
linux linux_kernel 6.8 cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
linux linux_kernel 6.8 cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
debian debian_linux 10.0 cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
netapp a1k_firmware cpe:2.3:o:netapp:a1k_firmware:-:*:*:*:*:*:*:*
netapp a70_firmware cpe:2.3:o:netapp:a70_firmware:-:*:*:*:*:*:*:*
netapp a90_firmware cpe:2.3:o:netapp:a90_firmware:-:*:*:*:*:*:*:*
netapp a700s_firmware cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:*
netapp 8300_firmware cpe:2.3:o:netapp:8300_firmware:-:*:*:*:*:*:*:*
netapp 8700_firmware cpe:2.3:o:netapp:8700_firmware:-:*:*:*:*:*:*:*
netapp a400_firmware cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:*
netapp c400_firmware cpe:2.3:o:netapp:c400_firmware:-:*:*:*:*:*:*:*
netapp a320_firmware cpe:2.3:o:netapp:a320_firmware:-:*:*:*:*:*:*:*
netapp a800_firmware cpe:2.3:o:netapp:a800_firmware:-:*:*:*:*:*:*:*
netapp c800_firmware cpe:2.3:o:netapp:c800_firmware:-:*:*:*:*:*:*:*
netapp a900_firmware cpe:2.3:o:netapp:a900_firmware:-:*:*:*:*:*:*:*
netapp 9500_firmware cpe:2.3:o:netapp:9500_firmware:-:*:*:*:*:*:*:*
netapp c190_firmware cpe:2.3:o:netapp:c190_firmware:-:*:*:*:*:*:*:*
netapp a150_firmware cpe:2.3:o:netapp:a150_firmware:-:*:*:*:*:*:*:*
netapp a220_firmware cpe:2.3:o:netapp:a220_firmware:-:*:*:*:*:*:*:*
netapp fas2720_firmware cpe:2.3:o:netapp:fas2720_firmware:-:*:*:*:*:*:*:*
netapp fas2750_firmware cpe:2.3:o:netapp:fas2750_firmware:-:*:*:*:*:*:*:*
netapp fas2820_firmware cpe:2.3:o:netapp:fas2820_firmware:-:*:*:*:*:*:*:*
netapp a300_firmware cpe:2.3:o:netapp:a300_firmware:-:*:*:*:*:*:*:*
netapp 8200_firmware cpe:2.3:o:netapp:8200_firmware:-:*:*:*:*:*:*:*
netapp a700_firmware cpe:2.3:o:netapp:a700_firmware:-:*:*:*:*:*:*:*
netapp 9000_firmware cpe:2.3:o:netapp:9000_firmware:-:*:*:*:*:*:*:*
netapp h610c_firmware cpe:2.3:o:netapp:h610c_firmware:-:*:*:*:*:*:*:*
netapp h610s_firmware cpe:2.3:o:netapp:h610s_firmware:-:*:*:*:*:*:*:*
netapp h615c_firmware cpe:2.3:o:netapp:h615c_firmware:-:*:*:*:*:*:*:*
netapp e-series_santricity_os_controller >= 11.0.0, <= 11.70.2 cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*

References for CVE-2024-26733

cvelogic Threat Intelligence