Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-40957

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
12/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors<br /> <br /> input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for<br /> PREROUTING hook, in PREROUTING hook, we should passing a valid indev,<br /> and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer<br /> dereference, as below:<br /> <br /> [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090<br /> [74830.655633] #PF: supervisor read access in kernel mode<br /> [74830.657888] #PF: error_code(0x0000) - not-present page<br /> [74830.659500] PGD 0 P4D 0<br /> [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI<br /> ...<br /> [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011<br /> [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]<br /> ...<br /> [74830.689725] Call Trace:<br /> [74830.690402] <br /> [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df<br /> [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df<br /> [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]<br /> [74830.694275] ? __die_body.cold+0x8/0xd<br /> [74830.695205] ? page_fault_oops+0xac/0x140<br /> [74830.696244] ? exc_page_fault+0x62/0x150<br /> [74830.697225] ? asm_exc_page_fault+0x22/0x30<br /> [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]<br /> [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]<br /> [74830.700758] ? ip6_route_input+0x19d/0x240<br /> [74830.701752] nf_hook_slow+0x3f/0xb0<br /> [74830.702678] input_action_end_dx4+0x19b/0x1e0<br /> [74830.703735] ? input_action_end_t+0xe0/0xe0<br /> [74830.704734] seg6_local_input_core+0x2d/0x60<br /> [74830.705782] lwtunnel_input+0x5b/0xb0<br /> [74830.706690] __netif_receive_skb_one_core+0x63/0xa0<br /> [74830.707825] process_backlog+0x99/0x140<br /> [74830.709538] __napi_poll+0x2c/0x160<br /> [74830.710673] net_rx_action+0x296/0x350<br /> [74830.711860] __do_softirq+0xcb/0x2ac<br /> [74830.713049] do_softirq+0x63/0x90<br /> <br /> input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally<br /> trigger a NULL dereference in rpfilter_mt()-&gt;rpfilter_is_loopback():<br /> <br /> static bool<br /> rpfilter_is_loopback(const struct sk_buff *skb,<br /> const struct net_device *in)<br /> {<br /> // in is NULL<br /> return skb-&gt;pkt_type == PACKET_LOOPBACK ||<br /> in-&gt;flags &amp; IFF_LOOPBACK;<br /> }

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.162 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.96 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.36 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools