CVE-2024-35857 in Linux
Summary
by MITRE • 05/17/2024
In the Linux kernel, the following vulnerability has been resolved:
icmp: prevent possible NULL dereferences from icmp_build_probe()
First problem is a double call to __in_dev_get_rcu(), because the second one could return NULL.
if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)
Second problem is a read from dev->ip6_ptr with no NULL check:
if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))
Use the correct RCU API to fix these.
v2: add missing include
Analysis
by VulDB Data Team • 01/25/2026
CVE-2024-35857 is a critical NULL pointer dereference in the Linux kernel's ICMP implementation that could lead to system instability or, potentially, privilege escalation. The flaw sits in icmp_build_probe(), the function that handles ICMP probe requests, and concerns how the kernel reads network interface information while processing ICMP packets. It stems from missing NULL pointer validation in the network stack, which creates opportunities for denial of service or arbitrary code execution under specific circumstances.
The root cause consists of two distinct but related defects in the ICMP processing path. The first is a double invocation of __in_dev_get_rcu() with no NULL handling between the calls: the first call may succeed while the second returns NULL, and the result of the second call is dereferenced unconditionally. This is a race condition, because the code assumes that the interface information stays valid across multiple RCU (Read-Copy-Update) accesses. The second defect is a dereference of dev->ip6_ptr without checking whether the pointer is NULL, which accesses memory that may have been freed or never initialized and leads to an immediate crash or undefined behavior.
This vulnerability maps to CWE-476 (NULL Pointer Dereference) and aligns with ATT&CK technique T1059.001 for command and scripting interpreter execution. Its operational impact is significant because it is reachable through network-based ICMP packet processing, potentially allowing remote attackers to crash the system or cause denial of service. Any Linux system running a kernel that contains the vulnerable code path is affected, in particular systems that process ICMP traffic or use network interface management functions. The race condition aspect makes the flaw especially dangerous in high-traffic network environments, where timing conditions are more likely to favor exploitation.
The fix addresses both NULL pointer dereference scenarios by using the correct RCU API patterns and adding the NULL checks that were missing before memory is accessed. It relies on proper synchronization under RCU read locks and explicit NULL validation before network interface structures are touched. System administrators should prioritize updating to kernel versions that contain the patched code, since the vulnerability can be triggered remotely through ICMP packet processing without authentication or special privileges. Organizations should also apply network segmentation and ICMP filtering as additional defensive measures, particularly where untrusted network traffic is present. The fix demonstrates proper kernel security practice by ensuring robust error handling and memory safety in network subsystem operations, in line with industry standards for secure kernel development and maintenance.
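The two defects and their fixed forms, as an added userspace model (constructed for this page, not the kernel patch): model_in_dev_get_rcu(), writer_unpublishes_after_read, the probe_result enum and the stub structures are assumptions that stand in for the kernel's __in_dev_get_rcu(), a concurrent writer, and the real struct layouts. Where the kernel would fault, the buggy variants return PROBE_NULL_DEREF instead.

```c
#include <stdbool.h>
#include <stddef.h>
/* Minimal stand-ins for the kernel structures involved (constructed). */
struct list_head { struct list_head *next, *prev; };
struct in_ifaddr { int unused; };
struct in_device { struct in_ifaddr *ifa_list; };
struct inet6_dev { struct list_head addr_list; };
struct net_device { struct in_device *ip_ptr; struct inet6_dev *ip6_ptr; }; /* either may be NULL */
enum probe_result { PROBE_NO_ADDR = 0, PROBE_HAS_ADDR = 1, PROBE_NULL_DEREF = -1 };

/* Model of __in_dev_get_rcu(): each call re-reads the published pointer. The
 * flag (constructed) simulates a writer unpublishing it between two reads. */
bool writer_unpublishes_after_read;
static struct in_device *model_in_dev_get_rcu(struct net_device *dev)
{
    struct in_device *in_dev = dev->ip_ptr;
    if (writer_unpublishes_after_read)
        dev->ip_ptr = NULL;
    return in_dev;
}
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Vulnerable shape: two reads, the second dereferenced unchecked. The model
 * returns PROBE_NULL_DEREF where the kernel would fault. */
enum probe_result ipv4_probe_buggy(struct net_device *dev)
{
    if (!model_in_dev_get_rcu(dev))
        return PROBE_NO_ADDR;
    struct in_device *second = model_in_dev_get_rcu(dev);
    if (!second)
        return PROBE_NULL_DEREF;          /* second->ifa_list would fault */
    return second->ifa_list ? PROBE_HAS_ADDR : PROBE_NO_ADDR;
}
/* Fixed shape: read once into a local, test it, then use that local. */
enum probe_result ipv4_probe_fixed(struct net_device *dev)
{
    struct in_device *in_dev = model_in_dev_get_rcu(dev);
    return (in_dev && in_dev->ifa_list) ? PROBE_HAS_ADDR : PROBE_NO_ADDR;
}
/* Second bug: dev->ip6_ptr used with no NULL check; the fixed form checks first. */
enum probe_result ipv6_probe_buggy(struct net_device *dev)
{
    if (!dev->ip6_ptr)
        return PROBE_NULL_DEREF;          /* list_empty() would read through NULL */
    return list_empty(&dev->ip6_ptr->addr_list) ? PROBE_NO_ADDR : PROBE_HAS_ADDR;
}
enum probe_result ipv6_probe_fixed(struct net_device *dev)
{
    struct inet6_dev *in6 = dev->ip6_ptr;
    return (in6 && !list_empty(&in6->addr_list)) ? PROBE_HAS_ADDR : PROBE_NO_ADDR;
}
```

The fixed variants never dereference a pointer they have not first stored in a local and checked, which is the whole of the patch's change in shape.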