CVE-2019-20422 in Linux

Summary

by MITRE

In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/ip6_fib.c mishandles the RT6_LOOKUP_F_DST_NOREF flag in a reference-count decision, leading to (for example) a crash that was identified by syzkaller, aka CID-7b09c2d052db.


Analysis

by VulDB Data Team • 08/18/2025

The vulnerability identified as CVE-2019-20422 represents a critical race condition and reference counting error within the Linux kernel's IPv6 forwarding table implementation. This flaw exists in the fib6_rule_lookup function located in net/ipv6/ip6_fib.c and affects kernel versions prior to 5.3.4. The issue manifests when the RT6_LOOKUP_F_DST_NOREF flag is improperly handled during reference count decisions, creating a scenario where kernel memory management becomes inconsistent and potentially leads to system crashes.

The technical root cause stems from how the kernel processes IPv6 routing table lookups when the RT6_LOOKUP_F_DST_NOREF flag is present. This flag indicates that the destination reference should not be incremented, which is typically used in specific lookup contexts where the caller already holds a reference to the destination or where reference counting is not required. However, the implementation fails to properly account for this flag during the reference counting decision process, leading to situations where the kernel incorrectly manages reference counts on routing table entries. When syzkaller, an automated fuzzer, triggers this condition, it demonstrates how the improper handling can result in memory corruption and subsequent system crashes.

The operational impact of this vulnerability is significant: it can lead to denial of service, with the kernel becoming unstable and crashing under specific network traffic conditions. Attackers who can influence IPv6 routing table lookups or trigger specific network scenarios may exploit this vulnerability to cause system panics or reboot cycles. The vulnerability is particularly concerning because it operates at the kernel level, where such faults can compromise the stability of the entire system. According to CWE classification, this maps to CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization, and aligns with ATT&CK technique T1063: Security Software Discovery, as exploitation may require an understanding of kernel memory structures and reference counting mechanisms.

Mitigation strategies for CVE-2019-20422 primarily involve upgrading to Linux kernel version 5.3.4 or later, where the fix has been implemented. The kernel developers addressed this issue by correcting the reference counting logic so that it properly handles the RT6_LOOKUP_F_DST_NOREF flag during lookup operations. Organizations should also consider implementing network segmentation and monitoring to detect unusual IPv6 traffic patterns that might indicate exploitation attempts. Additionally, kernel hardening techniques such as KASLR, SMEP, and SMAP should be enabled to provide further layers of protection against exploitation of similar kernel vulnerabilities. The fix demonstrates proper synchronization mechanisms and ensures that reference counting decisions respect the intended flag semantics, preventing the race conditions that lead to memory corruption and system instability.
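The flag semantics described in the analysis above, and the invariant the fix restores, can be checked with a small model of the lookup/release pair. This is an added example, not kernel code or VulDB's: a plain integer stands in for the dst refcount, the flag value is assumed, and the buggy branch models the defect as a flag test that can never be true (an assumption about the form of the bug based on the page's description, not a quotation of the kernel source).

```c
/* Model of the RT6_LOOKUP_F_DST_NOREF reference-count decision in an IPv6
 * route lookup (constructed example, not the kernel's code). */
#include <stdbool.h>

#define RT6_LOOKUP_F_DST_NOREF 0x80   /* value assumed for illustration */

struct rt6_entry { int refcnt; const char *name; };

/* The shared fallback entry returned when no route matches (modelled). */
static struct rt6_entry null_entry = { .refcnt = 1, .name = "ip6_null_entry" };

/* Fixed decision: take a reference only when the caller did NOT ask for
 * NOREF, so the caller's later release always matches what was taken. */
static struct rt6_entry *lookup_fixed(int flags)
{
    struct rt6_entry *rt = &null_entry;
    if (!(flags & RT6_LOOKUP_F_DST_NOREF))
        rt->refcnt++;                 /* dst_hold() */
    return rt;
}

/* Buggy decision (modelled): the flag test is mis-written so the hold is
 * never taken, even for callers that expect to own a reference. */
static struct rt6_entry *lookup_buggy(int flags)
{
    struct rt6_entry *rt = &null_entry;
    if (!(flags | RT6_LOOKUP_F_DST_NOREF))   /* always false: '|' not '&' */
        rt->refcnt++;
    return rt;
}

/* Caller side: release the reference only if one was supposed to be taken
 * (the counterpart of ip6_rt_put_flags()). */
static void put_flags(struct rt6_entry *rt, int flags)
{
    if (!(flags & RT6_LOOKUP_F_DST_NOREF))
        rt->refcnt--;                 /* dst_release() */
}

/* One lookup/release round trip; true when the refcount ends where it began.
 * A false result is the underflow path that ends in a kernel crash. */
static bool round_trip_balanced(struct rt6_entry *(*lookup)(int), int flags)
{
    int before = null_entry.refcnt;
    struct rt6_entry *rt = lookup(flags);
    put_flags(rt, flags);
    bool ok = (null_entry.refcnt == before);
    null_entry.refcnt = before;       /* reset for the next run */
    return ok;
}
```

Callers that pass the NOREF flag are unaffected in either variant; the imbalance appears only for callers that expect a held reference, which is why the bug survived until a fuzzer drove that path.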
