PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-26596 Linux CVE debrief

CVE-2024-26596 is a Linux kernel availability issue in DSA (Distributed Switch Architecture) netdevice event handling. The vulnerability was published on 2024-02-23 and describes code that called netdev_priv() on a net_device before confirming the device was actually a DSA user device. The NETDEV_PRECHANGEUPPER and NETDEV_CHANGEUPPER handlers also run for netdevices that are not DSA ports, so on a device with zero private data size, such as the dummy interface, the private area is too small for the expected structure and the dereference becomes an out-of-bounds read and a kernel oops. The supplied description shows a KASAN slab-out-of-bounds crash path in which a dummy interface takes part in VLAN upper-device linking; the fix is to perform the type check before dereferencing.

Vendor
Linux
Product
Linux kernel
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-23
Original CVE updated
2026-05-12
Advisory published
2024-02-23
Advisory updated
2026-05-12

Who should care

Linux kernel maintainers, distribution security teams, and operators running affected kernels, especially where DSA support is built in or loaded and local users can create or modify network interfaces (for example by adding a VLAN on top of a dummy device).

Technical summary

The bug is in dsa_user_prechangeupper and related DSA netdevice event paths. A helper called netdev_priv(dev) before verifying that the net_device was a DSA user device, and read a field from the result as if it were a struct dsa_user_priv. That is unsafe because netdev_priv() is valid for any net_device but only points at whatever private area the device was allocated with, and not every device's private storage is large enough to hold struct dsa_user_priv. The dummy interface has zero private size, so the read lands past the end of the allocation and KASAN reports a slab-out-of-bounds access. On devices whose private area happens to be large enough the same read silently returns unrelated memory, which is why the bug went unnoticed until a dummy device hit the path. NVD lists the affected Linux kernel versions as 6.1.0 up to but not including 6.7.2.
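The ordering bug, modelled in userspace as an added example (constructed for this debrief, not kernel code). Names mirror the kernel's, but the struct layouts, the ops-table type check and the alloc_size field are assumptions made so the out-of-bounds read can be detected without a sanitizer; in the real kernel it is KASAN that catches the read.

```c
/* Userspace model of the CVE-2024-26596 ordering bug (constructed example,
 * not kernel code). Struct layouts and the alloc_size bookkeeping are
 * assumptions made so the bad read can be detected here without KASAN. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct dsa_port { int index; };

/* Device type is identified the way the kernel does it: by its ops table. */
struct net_device_ops { const char *kind; };
static const struct net_device_ops dsa_user_netdev_ops = { "dsa_user" };
static const struct net_device_ops dummy_netdev_ops    = { "dummy" };

/* Header followed, in the same allocation, by priv_size bytes (as alloc_netdev does). */
struct net_device {
    const struct net_device_ops *netdev_ops;
    size_t alloc_size;   /* total bytes of this allocation: header + private area */
};

/* Assumed layout of the DSA per-port private data: dp is not the first field. */
struct dsa_user_priv {
    uint64_t reserved[2];
    struct dsa_port *dp;
};

static void *netdev_priv(struct net_device *dev)
{
    return (char *)dev + sizeof(*dev);   /* valid pointer for ANY netdev */
}

static struct net_device *alloc_netdev(size_t priv_size, const struct net_device_ops *ops)
{
    size_t total = sizeof(struct net_device) + priv_size;
    struct net_device *dev = calloc(1, total);
    if (!dev) return NULL;
    dev->netdev_ops = ops;
    dev->alloc_size = total;
    return dev;
}

static bool dsa_user_dev_check(const struct net_device *dev)
{
    return dev->netdev_ops == &dsa_user_netdev_ops;
}

/* Would reading priv->dp on this device touch memory past its allocation?
 * This is what KASAN checks at runtime; the kernel code itself has no guard. */
static bool dp_read_is_oob(const struct net_device *dev)
{
    size_t end = sizeof(*dev) + offsetof(struct dsa_user_priv, dp)
               + sizeof(((struct dsa_user_priv *)0)->dp);
    return end > dev->alloc_size;
}

/* Buggy ordering: dereference first, type check second. Returns -1 where the
 * kernel would have performed the out-of-bounds read (refused here). */
static int prechangeupper_buggy(struct net_device *dev, struct dsa_port **out)
{
    struct dsa_user_priv *p = netdev_priv(dev);
    if (dp_read_is_oob(dev))
        return -1;                       /* dummy: priv_size 0, dp lies past the end */
    struct dsa_port *dp = p->dp;
    if (!dsa_user_dev_check(dev))        /* the check, one statement too late */
        return 0;
    *out = dp;
    return 0;
}

/* Fixed ordering: only a DSA user device ever has its private area read. */
static int prechangeupper_fixed(struct net_device *dev, struct dsa_port **out)
{
    if (!dsa_user_dev_check(dev))
        return 0;
    struct dsa_user_priv *p = netdev_priv(dev);
    *out = p->dp;
    return 0;
}

/* Build a dummy (priv_size 0) and a DSA user device; run both orderings.
 * Returns the number of out-of-bounds reads the buggy ordering would do. */
static int demo(void)
{
    struct dsa_port port = { .index = 3 };
    struct net_device *dummy = alloc_netdev(0, &dummy_netdev_ops);
    struct net_device *user  = alloc_netdev(sizeof(struct dsa_user_priv), &dsa_user_netdev_ops);
    struct dsa_port *dp = NULL;
    int oob = 0;

    ((struct dsa_user_priv *)netdev_priv(user))->dp = &port;

    if (prechangeupper_buggy(dummy, &dp) < 0) oob++;   /* the CVE */
    prechangeupper_fixed(dummy, &dp);                   /* dp stays NULL: never touched */
    prechangeupper_buggy(user, &dp);                    /* fine: priv area exists */
    prechangeupper_fixed(user, &dp);

    printf("oob reads in buggy path: %d, dp index via fixed path: %d\n", oob, dp->index);
    free(dummy);
    free(user);
    return oob;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

The point the model makes is that netdev_priv() itself never fails; it is the size of what sits behind it that differs per device, so any code handling a system-wide notifier must establish the device type before interpreting its private data.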

Defensive priority

Medium. The impact is local and availability-only (the CVSS vector is AV:L/PR:L with A:H), but a local user who can reconfigure network interfaces can crash affected kernels, so patched kernels should be prioritized on systems where such users exist.

Recommended defensive actions

  • Upgrade to a kernel release that includes the upstream fix referenced by the kernel stable links.
  • If you maintain downstream kernels, verify the DSA netdevice event handling backport is present in your branch.
  • Treat systems running Linux kernel 6.1.0 up to but not including 6.7.2, as listed by NVD, as potentially affected until patched; a distribution kernel with an older version string may already carry the backport, so confirm against the vendor changelog.
  • Review which local users can perform interface-management operations (adding VLAN or other upper devices) on exposed systems, since the issue is triggerable through local network link operations.
  • Monitor kernel logs for unexpected oops or KASAN slab-out-of-bounds reports whose call trace includes dsa_user_prechangeupper or the NETDEV_PRECHANGEUPPER/NETDEV_CHANGEUPPER handlers.

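The version and log checks from the actions above, as an added example (written for this debrief, not PatchSiren or kernel code). The affected range is the NVD-listed one quoted on this page; the dmesg lines are constructed, not a real capture, and the indicator strings are the ones named in the monitoring action.

```c
/* Triage helpers for the recommended actions (constructed example, not
 * PatchSiren or kernel code). The affected range is the NVD-listed one
 * quoted in this debrief; the sample dmesg lines are made up. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kver { int major, minor, patch; };

/* Parse "6.6.13-1-generic" style uname -r output; trailing suffixes are ignored. */
static bool parse_kver(const char *s, struct kver *v)
{
    char *end;
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return false;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s) return false;
    v->patch = 0;
    if (*end == '.') {
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s) return false;
    }
    return true;
}

static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* NVD-listed range from this debrief: 6.1.0 up to, but not including, 6.7.2.
 * A hit means "potentially affected": distribution kernels that backported
 * the fix keep an older version string, so confirm against the changelog. */
static bool in_nvd_affected_range(const char *release)
{
    struct kver v, lo = {6, 1, 0}, fixed = {6, 7, 2};
    if (!parse_kver(release, &v)) return false;
    return kver_cmp(v, lo) >= 0 && kver_cmp(v, fixed) < 0;
}

/* A dmesg line matching this bug's signature: a KASAN slab-out-of-bounds
 * report or a trace frame in the DSA upper-device change path. */
static bool dsa_oops_indicator(const char *line)
{
    return strstr(line, "slab-out-of-bounds") != NULL
        || strstr(line, "dsa_user_prechangeupper") != NULL
        || strstr(line, "NETDEV_PRECHANGEUPPER") != NULL;
}

/* Count indicator lines in a newline-separated log buffer. */
static int count_indicators(const char *log)
{
    int hits = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 511 ? full : 511;
        char line[512];
        memcpy(line, p, len);
        line[len] = '\0';
        if (dsa_oops_indicator(line)) hits++;
        p = nl ? nl + 1 : p + full;
    }
    return hits;
}

/* Constructed sample log, shaped like a KASAN report; not a real capture. */
static const char sample_dmesg[] =
    "[  12.001] dummy0: link becomes ready\n"
    "[  12.020] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x1a/0x1b0\n"
    "[  12.021] Read of size 8 at addr ffff888... by task ip/123\n"
    "[  12.030] Call Trace:\n"
    "[  12.031]  dsa_user_prechangeupper+0x1a/0x1b0\n"
    "[  12.040] eth0: renamed from enp0s3\n";

int main(void)
{
    printf("6.6.13-1-generic in NVD range: %d\n", in_nvd_affected_range("6.6.13-1-generic"));
    printf("6.7.2 in NVD range: %d\n", in_nvd_affected_range("6.7.2"));
    printf("indicator lines in sample log: %d\n", count_indicators(sample_dmesg));
    return 0;
}
```

Feed in_nvd_affected_range() the output of uname -r and count_indicators() the output of dmesg or journalctl -k; a version hit is a prompt to verify the backport, and a non-zero indicator count is a prompt to look at the full trace rather than proof of this CVE.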
Evidence notes

The CVE record and NVD detail identify the issue as a Linux kernel DSA netdevice event bug with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and an affected range of Linux kernel 6.1.0 through before 6.7.2. The CVE description itself explains the unsafe netdev_priv() dereference before a type check, and shows a KASAN slab-out-of-bounds crash path when a dummy interface participates in VLAN upper-device linking. Kernel git.kernel.org stable links in the supplied references point to the fix and related source/patch entries. Debian LTS and Siemens references indicate downstream tracking, but the core evidence for this debrief is the CVE text plus the official NVD and kernel links.

Official resources

CVE published 2024-02-23 and last modified by NVD on 2026-05-12. The supplied CVE description includes an example KASAN crash path and points to kernel stable references for the fix; no exploit code is included here.