VYPR
← All advisories
High severity7.1NVD Advisory· Published Oct 21, 2024· Updated May 12, 2026

CVE-2024-50035

CVE-2024-50035

Description

In the Linux kernel, the following vulnerability has been resolved:

ppp: fix ppp_async_encode() illegal access

syzbot reported an issue in ppp_async_encode() [1]

In this case, pppoe_sendmsg() is called with a zero size. Then ppp_async_encode() is called with an empty skb.

BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline] ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675 ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline] ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113 __release_sock+0x1da/0x330 net/core/sock.c:3072 release_sock+0x6b/0x250 net/core/sock.c:3626 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at: slab_post_alloc_hook mm/slub.c:4092 [inline] slab_alloc_node mm/slub.c:4135 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1322 [inline] sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:744 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742 __do_sys_sendmmsg net/socket.c:2771 [inline] __se_sys_sendmmsg net/socket.c:2768 [inline] __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-50035 is an uninitialized memory access vulnerability in the Linux kernel's PPP async driver, exploitable by sending a zero-length packet via pppoe_sendmsg().

Vulnerability

Overview

CVE-2024-50035 is a vulnerability in the Linux kernel's PPP (Point-to-Point Protocol) subsystem, specifically in the ppp_async_encode() function within the PPP async driver. The issue arises when pppoe_sendmsg() is called with a zero-sized message, resulting in an empty skb (socket buffer). This empty buffer is then passed to ppp_async_encode(), which attempts to access uninitialized memory, leading to an "uninit-value" error detected by KMSAN (Kernel Memory Sanitizer) [1]. The root cause is improper input validation in the PPP over Ethernet (PPPoE) layer, where a zero-length packet is not rejected and is forwarded to the async encoding routine without appropriate checks.

Attack

Vector and Requirements

To trigger this vulnerability, a local attacker must have the ability to send a crafted PPPoE frame with a zero payload size via the pppoe_sendmsg() system call. This requires the attacker to have local access to the system and the ability to create a PPPoE socket and send a message with a length of zero. No special privileges beyond the ability to create network sockets are needed, making it accessible to unprivileged local users on systems where PPPoE interfaces are configured. The attack surface is limited to systems using the PPP async driver, typically in point-to-point serial or PPPoE configurations [2].

Impact

Successful exploitation could lead to reading uninitialized kernel memory, which may expose sensitive information such as kernel pointers or data from other processes. While the direct impact is information disclosure, the vulnerability could also potentially be used to destabilize the system, as the uninitialized memory access might cause crashes or unpredictable behavior. The CVSS v3 base score of 7.1 (High) reflects the potential for high confidentiality impact due to memory disclosure, with low attack complexity and no required privileges beyond local access [1].

Mitigation

The Linux kernel community has addressed this vulnerability in stable kernel updates, as indicated by commits referenced in the official fix [3][4]. Administrators should apply the latest kernel updates from their distribution or compile a patched kernel containing the fix. For users of affected Siemens industrial products that incorporate the Linux kernel, such as the SIMATIC S7-1500 TM MFP - GNU/Linux subsystem, Siemens has released a security advisory (SSA-265688) listing CVE-2024-50035 among other vulnerabilities that require firmware updates [2].

References
  1. SSA-355557
  2. SSA-265688
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

113

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

12

News mentions

0

No linked articles in our index yet.