CVE-2024-36901 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent NULL dereference in ip6_output()

According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline]
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline]
__sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline]
__se_sys_connect net/socket.c:2072 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 12/04/2025

The vulnerability identified as CVE-2024-36901 represents a critical null pointer dereference in the Linux kernel's IPv6 output handling mechanism, specifically within the ip6_output function. This flaw arises when the ip6_dst_idev() helper function returns a NULL value, which is not properly handled in the ip6_output path despite being gracefully managed elsewhere in the IPv6 subsystem. The issue manifests as a general protection fault during kernel execution, indicating a serious system stability concern that could lead to system crashes or potential exploitation scenarios.

The technical root cause stems from a missing NULL check in the IPv6 output path where the kernel attempts to dereference a pointer that may be uninitialized or invalid. According to syzbot analysis, this occurs during network packet transmission operations involving SCTP protocol handling, specifically when processing association requests through the sctp_connect function chain. The crash trace shows the execution flow progressing through multiple kernel network layers including SCTP packet transmission, output queue management, and socket connection handling before ultimately failing in ip6_output at line 237 of net/ipv6/ip6_output.c. This pattern suggests the vulnerability is triggered during network communication establishment when the kernel's IPv6 routing infrastructure fails to properly initialize or validate interface device pointers.

The operational impact of this vulnerability extends beyond simple system instability, as it represents a potential denial-of-service condition that could be exploited by remote attackers to crash kernel subsystems or potentially escalate privileges. The presence of KASAN (Kernel Address Sanitizer) reporting indicates this is a well-documented kernel memory safety issue that could be leveraged to bypass kernel protections or create conditions for further exploitation. This vulnerability aligns with CWE-476, which describes NULL pointer dereference conditions in kernel code, and could potentially map to ATT&CK technique T1068, which involves exploiting local privilege escalation opportunities through kernel vulnerabilities.

Mitigation strategies should include immediate kernel updates to versions containing the patched ip6_output function with proper NULL pointer validation, along with network monitoring to detect potential exploitation attempts. System administrators should prioritize patching affected kernel versions, particularly those running IPv6 network services or systems handling SCTP traffic. Additional defensive measures include implementing network segmentation to limit exposure, monitoring for unusual network connection patterns, and maintaining up-to-date security patches across all kernel components. The fix typically involves adding explicit NULL checks before dereferencing pointers returned by ip6_dst_idev() to ensure proper error handling throughout the IPv6 output pipeline.

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00262

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!