PatchSiren cyber security CVE debrief
CVE-2024-26863 Linux CVE debrief
CVE-2024-26863 is a Linux kernel vulnerability in the HSR code path, published on 2024-04-17. A packet with ETH_P_PRP or ETH_P_HSR that is not followed by an HSR tag can cause hsr_get_node() to use an invalid uninitialized sequence number, leading to an availability impact rated CVSS 5.5/MEDIUM.
- Vendor: Linux
- Product: CVE-2024-26863
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-17
- Original CVE updated: 2026-05-12
- Advisory published: 2024-04-17
- Advisory updated: 2026-05-12
Who should care
Linux kernel maintainers, distribution security teams, and operators of systems that use HSR/PRP networking should care most. The NVD record marks multiple kernel release lines as affected, so administrators of maintained and long-term-support kernels should verify whether their builds include the fix.
Technical summary
The issue is in net/hsr/hsr_framereg.c: hsr_get_node() could access an uninitialized value when the Ethernet type indicates ETH_P_PRP or ETH_P_HSR but the frame is not actually followed by an HSR tag. In that case, hsr_get_skb_sequence_nr() can read an invalid sequence number, which KMSAN reported as an uninit-value access. The described fix is to return NULL when the Ethernet header is not followed by an HSR tag, preventing the invalid read from propagating into node lookup and forwarding logic.
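The check described above, as an added userspace illustration that is not the kernel's code: a frame is classified by ethertype, and the HSR tag (and its sequence number) is only read when the header length proves the whole Ethernet-plus-HSR header is present. Assumptions: the ETH_P_PRP/ETH_P_HSR ethertype values and the 6-byte HSR tag layout follow IEC 62439-3, `mac_len` stands in for the kernel's `skb->mac_len`, the sample frames are constructed, and the length test is this example's own stand-in for the upstream fix rather than a quotation of it.

```c
/* Added example (not the Linux kernel's code): a userspace model of the
 * decision hsr_get_node() makes for CVE-2024-26863. Constants and tag
 * layout are assumed from IEC 62439-3; mac_len models skb->mac_len. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN       14
#define ETH_P_PRP      0x88FB
#define ETH_P_HSR      0x892F
#define HSR_TAG_LEN    6   /* path+LSDU size (2) | sequence_nr (2) | encapsulated proto (2) */
#define HSR_ETHHDR_LEN (ETH_HLEN + HSR_TAG_LEN)

enum hsr_lookup {
    HSR_NOT_TAGGED,   /* plain frame: the kernel starts a fresh sequence number */
    HSR_TAG_MISSING,  /* ethertype claims HSR/PRP but no tag fits: fixed kernel returns NULL */
    HSR_TAG_OK        /* tag present: its sequence number may be used */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Hardened classification: the HSR tag is read only when mac_len proves the
 * whole hsr_ethhdr lies inside the frame. Before the fix the ethertype alone
 * was trusted, so sequence_nr came from bytes that were never written, which
 * is what KMSAN reported as an uninit-value access. */
enum hsr_lookup hsr_classify_frame(const uint8_t *frame, size_t mac_len,
                                   uint16_t *sequence_nr)
{
    if (mac_len < ETH_HLEN)
        return HSR_TAG_MISSING;                 /* not even a full Ethernet header */

    uint16_t proto = be16(frame + 12);          /* h_proto field */
    if (proto != ETH_P_PRP && proto != ETH_P_HSR)
        return HSR_NOT_TAGGED;

    if (mac_len < HSR_ETHHDR_LEN)
        return HSR_TAG_MISSING;                 /* the CVE-2024-26863 condition */

    *sequence_nr = be16(frame + ETH_HLEN + 2);  /* hsr_tag.sequence_nr */
    return HSR_TAG_OK;
}

/* Duplicate filtering starts one below the tag's sequence number; the counter
 * is 16 bits wide, so 0 wraps to 65535 exactly as a u16 would. */
uint16_t hsr_initial_seq_out(uint16_t sequence_nr)
{
    return (uint16_t)(sequence_nr - 1);
}

/* Constructed sample frames: dst, src, ethertype, then an optional HSR tag. */
const uint8_t hsr_frame[HSR_ETHHDR_LEN] = {
    0x01, 0x15, 0x4e, 0x00, 0x01, 0x00,  /* dst (constructed) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  /* src (constructed) */
    0x89, 0x2f,                          /* ETH_P_HSR */
    0x10, 0x2e,                          /* path / LSDU size */
    0x12, 0x34,                          /* sequence_nr = 0x1234 */
    0x08, 0x00                           /* encapsulated ethertype (IPv4) */
};
const uint8_t ipv4_frame[ETH_HLEN] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x08, 0x00                           /* ETH_P_IP, no HSR tag follows */
};

int main(void)
{
    uint16_t seq = 0;
    /* An HSR ethertype with only a 14-byte header is the trigger condition;
     * the hardened check refuses it instead of reading past the header. */
    printf("hsr ethertype, 14-byte header: %d\n",
           hsr_classify_frame(hsr_frame, ETH_HLEN, &seq));
    printf("hsr ethertype, full tag: %d seq=0x%04x\n",
           hsr_classify_frame(hsr_frame, HSR_ETHHDR_LEN, &seq), seq);
    printf("ipv4 frame: %d\n", hsr_classify_frame(ipv4_frame, ETH_HLEN, &seq));
    return 0;
}
```

The point of the model is the ordering of the two tests: the ethertype says what the frame claims to be, but only the header length says what is actually there, and a lookup keyed on the sequence number must not run until the second test has passed.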
Defensive priority
Medium-to-high for environments that enable HSR/PRP or otherwise process this kernel path, because the impact is kernel availability loss and the CVSS vector describes a local attack vector (AV:L) reachable with low privileges (PR:L) and no user interaction (UI:N). Prioritize patching on exposed or operationally important Linux systems, especially those in affected kernel version ranges.
Recommended defensive actions
- Confirm whether any Linux systems in your fleet run affected kernel branches listed by NVD.
- Apply the kernel updates or stable patches referenced in the NVD record and vendor notices.
- If you maintain custom kernels, backport the HSR fix that returns NULL when the Ethernet header is not followed by an HSR tag.
- Prioritize hosts that use HSR/PRP networking or have network paths that exercise the hsr_forward/hsr_get_node code paths.
- Verify remediation by checking the running kernel version against the affected ranges in the NVD CPE criteria and by validating the presence of the relevant upstream/stable fix.
Evidence notes
This debrief is based on the supplied CVE/NVD corpus and the official linked records. The CVE was published on 2024-04-17 and later modified in NVD on 2026-05-12; that modified timestamp is not treated as the issue date. The supplied description identifies the trigger condition as ETH_P_PRP or ETH_P_HSR without a following HSR tag, and the NVD metadata includes multiple stable patch links plus Debian LTS mailing-list references. NVD assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-908.
Official resources
- CVE-2024-26863 CVE record (CVE.org)
- CVE-2024-26863 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch (this entry appears seven times in the source record, one per patch reference)
Publicly disclosed in the CVE/NVD record on 2024-04-17; NVD was later modified on 2026-05-12. No KEV listing is present in the supplied data.