CVE-2024-47685
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/10/2024
Last modified:
18/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending
garbage on the four reserved tcp bits (th->res1)

Use skb_put_zero() to clear the whole TCP header,
as done in nf_reject_ip_tcphdr_put()

BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5661 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
process_backlog+0x4ad/0xa50 net/core/dev.c:6108
__napi_poll+0xe7/0x980 net/core/dev.c:6772
napi_poll net/core/dev.c:6841 [inline]
net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
__do_softirq+0x14/0x1a kernel/softirq.c:588
do_softirq+0x9a/0x100 kernel/softirq.c:455
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
__dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
dev_queue_xmit include/linux/netdevice.h:3105 [inline]
neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
__tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
__inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
__sys_connect_file net/socket.c:2061 [inline]
__sys_connect+0x606/0x690 net/socket.c:2078
__do_sys_connect net/socket.c:2088 [inline]
__se_sys_connect net/socket.c:2085 [inline]
__x64_sys_connect+0x91/0xe0 net/socket.c:2085
x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core
---truncated---
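
The bug class in the description above, as an added userspace example in C (not the kernel's code and not part of the advisory): a reset header is built field by field in a buffer that still holds old bytes, once without and once with zeroing first. `buf_put()`, `buf_put_zero()`, `fill_rst()` and `reserved_bits()` are hypothetical stand-ins, the stale byte is constructed, and modelling the `doff` store as a read-modify-write of byte 12 is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_HLEN 20   /* TCP header without options */
#define OFF_DOFF 12   /* high nibble: data offset, low nibble: reserved (th->res1) */
#define TCP_RST  0x04

/* Stand-in for skb_put(): claim len bytes of tailroom, contents untouched. */
static uint8_t *buf_put(uint8_t *buf, size_t *tail, size_t len)
{
    uint8_t *p = buf + *tail;
    *tail += len;
    return p;
}

/* Stand-in for skb_put_zero(): same, but the claimed bytes are cleared. */
static uint8_t *buf_put_zero(uint8_t *buf, size_t *tail, size_t len)
{
    return memset(buf_put(buf, tail, len), 0, len);
}

/* Fill the header field by field. Setting doff rewrites only the high nibble
 * of byte 12, so the reserved nibble keeps whatever the buffer held before. */
static void fill_rst(uint8_t *th, uint16_t sport, uint16_t dport, uint32_t seq)
{
    th[0] = sport >> 8; th[1] = sport & 0xff;
    th[2] = dport >> 8; th[3] = dport & 0xff;
    th[4] = seq >> 24; th[5] = seq >> 16; th[6] = seq >> 8; th[7] = seq;
    memset(th + 8, 0, 4);                          /* ack_seq */
    th[OFF_DOFF] = (th[OFF_DOFF] & 0x0f) | ((TCP_HLEN / 4) << 4);
    th[OFF_DOFF + 1] = TCP_RST;                    /* flags byte */
    memset(th + 14, 0, 6);                         /* window, checksum, urgent */
}

/* Build a reset in a buffer pre-filled with stale_byte (constructed stand-in
 * for old memory) and return the four reserved bits that would be sent. */
uint8_t reserved_bits(int zero_first, uint8_t stale_byte)
{
    uint8_t buf[64], *th;
    size_t tail = 0;

    memset(buf, stale_byte, sizeof(buf));
    th = zero_first ? buf_put_zero(buf, &tail, TCP_HLEN) : buf_put(buf, &tail, TCP_HLEN);
    fill_rst(th, 40000, 443, 1);
    return th[OFF_DOFF] & 0x0f;
}

int main(void)
{
    printf("put: %#x  put_zero: %#x\n", (unsigned)reserved_bits(0, 0xAB), (unsigned)reserved_bits(1, 0xAB));
    return 0;
}
```

On a capture, the same condition shows up as a non-zero low nibble in byte 12 of the TCP header of an IPv6 reset generated by the reject rule.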
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.18 (including) | 4.19.323 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.285 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.54 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/10210658f827ad45061581cbfc05924b723e8922
- https://git.kernel.org/stable/c/7a7b5a27c53b55e91eecf646d1b204e73fa4af93
- https://git.kernel.org/stable/c/7bcbc4cda777d26c88500d973fad0d497fc8a82e
- https://git.kernel.org/stable/c/7ea2bcfd9bf4c3dbbf22546162226fd1c14d8ad2
- https://git.kernel.org/stable/c/872eca64c3267dbc5836b715716fc6c03a18eda7
- https://git.kernel.org/stable/c/9c778fe48d20ef362047e3376dee56d77f8500d4
- https://git.kernel.org/stable/c/af4b8a704f26f38310655bad67fd8096293275a2
- https://git.kernel.org/stable/c/dcf48ab3ca2c55b09c8f9c8de0df01c1943bc4e5
- https://git.kernel.org/stable/c/fbff87d682e57ddbbe82abf6d0a1a4a36a98afcd
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html



