CVE-2024-26852: net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

Published Apr 17, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6routempathnotify()

syzbot found another use-after-free in ip6routempathnotify() [1]

Commit f7225172f25a ("net/ipv6: prevent use after free in ip6routempathnotify") was not able to fix the root cause.

We need to defer the fib6inforelease() calls after ip6routempathnotify(), in the cleanup phase.

[1] BUG: KASAN: slab-use-after-free in rt6fillnode+0x1460/0x1ac0 Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037

CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x1e7/0x2e0 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x167/0x540 mm/kasan/report.c:488 kasanreport+0x142/0x180 mm/kasan/report.c:601 rt6fillnode+0x1460/0x1ac0 inet6rtnotify+0x13b/0x290 net/ipv6/route.c:6184 ip6routempathnotify net/ipv6/route.c:5198 [inline] ip6routemultipathadd net/ipv6/route.c:5404 [inline] inet6rtmnewroute+0x1d0f/0x2300 net/ipv6/route.c:5517 rtnetlinkrcvmsg+0x885/0x1040 net/core/rtnetlink.c:6597 netlinkrcvskb+0x1e3/0x430 net/netlink/afnetlink.c:2543 netlinkunicastkernel net/netlink/afnetlink.c:1341 [inline] netlinkunicast+0x7ea/0x980 net/netlink/afnetlink.c:1367 netlinksendmsg+0xa3b/0xd70 net/netlink/afnetlink.c:1908 socksendmsgnosec net/socket.c:730 [inline] socksendmsg+0x221/0x270 net/socket.c:745 syssendmsg+0x525/0x7d0 net/socket.c:2584 syssendmsg net/socket.c:2638 [inline] syssendmsg+0x2b0/0x3a0 net/socket.c:2667 dosyscall64+0xf9/0x240 entrySYSCALL64afterhwframe+0x6f/0x77 RIP: 0033:0x7f73dd87dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIGRAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005 RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858

Allocated by task 23037: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:372 [inline] kasankmalloc+0x98/0xb0 mm/kasan/common.c:389 kasankmalloc include/linux/kasan.h:211 [inline] dokmallocnode mm/slub.c:3981 [inline] kmalloc+0x22e/0x490 mm/slub.c:3994 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] fib6infoalloc+0x2e/0xf0 net/ipv6/ip6fib.c:155 ip6routeinfocreate+0x445/0x12b0 net/ipv6/route.c:3758 ip6routemultipathadd net/ipv6/route.c:5298 [inline] inet6rtmnewroute+0x744/0x2300 net/ipv6/route.c:5517 rtnetlinkrcvmsg+0x885/0x1040 net/core/rtnetlink.c:6597 netlinkrcvskb+0x1e3/0x430 net/netlink/afnetlink.c:2543 netlinkunicastkernel net/netlink/afnetlink.c:1341 [inline] netlinkunicast+0x7ea/0x980 net/netlink/afnetlink.c:1367 netlinksendmsg+0xa3b/0xd70 net/netlink/afnetlink.c:1908 socksendmsgnosec net/socket.c:730 [inline] socksendmsg+0x221/0x270 net/socket.c:745 syssendmsg+0x525/0x7d0 net/socket.c:2584 syssendmsg net/socket.c:2638 [inline] syssendmsg+0x2b0/0x3a0 net/socket.c:2667 dosyscall64+0xf9/0x240 entrySYSCALL64afterhwframe+0x6f/0x77

Freed by task 16: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 kasansavefreeinfo+0x4e/0x60 mm/kasan/generic.c:640 poisonslabobject+0xa6/0xe0 m ---truncated---

Other sources

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6routempathnotify()

syzbot found another use-after-free in ip6routempathnotify() [1]

Commit f7225172f25a ("net/ipv6: prevent use after free in ip6routempathnotify") was not able to fix the root cause.

We need to defer the fib6inforelease() calls after ip6routempathnotify(), in the cleanup phase.

[1] BUG: KASAN: slab-use-after-free in rt6fillnode+0x1460/0x1ac0 Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037

CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: <TASK> dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x1e7/0x2e0 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x167/0x540 mm/kasan/report.c:488 kasanreport+0x142/0x180 mm/kasan/report.c:601 rt6fillnode+0x1460/0x1ac0 inet6rtnotify+0x13b/0x290 net/ipv6/route.c:6184 ip6routempathnotify net/ipv6/route.c:5198 [inline] ip6routemultipathadd net/ipv6/route.c:5404 [inline] inet6rtmnewroute+0x1d0f/0x2300 net/ipv6/route.c:5517 rtnetlinkrcvmsg+0x885/0x1040 net/core/rtnetlink.c:6597 netlinkrcvskb+0x1e3/0x430 net/netlink/afnetlink.c:2543 netlinkunicastkernel net/netlink/afnetlink.c:1341 [inline] netlinkunicast+0x7ea/0x980 net/netlink/afnetlink.c:1367 netlinksendmsg+0xa3b/0xd70 net/netlink/afnetlink.c:1908 socksendmsgnosec net/socket.c:730 [inline] socksendmsg+0x221/0x270 net/socket.c:745 syssendmsg+0x525/0x7d0 net/socket.c:2584 syssendmsg net/socket.c:2638 [inline] syssendmsg+0x2b0/0x3a0 net/socket.c:2667 dosyscall64+0xf9/0x240 entrySYSCALL64afterhwframe+0x6f/0x77 RIP: 0033:0x7f73dd87dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIGRAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005 RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858 </TASK>

Allocated by task 23037: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:372 [inline] kasankmalloc+0x98/0xb0 mm/kasan/common.c:389 kasankmalloc include/linux/kasan.h:211 [inline] dokmallocnode mm/slub.c:3981 [inline] kmalloc+0x22e/0x490 mm/slub.c:3994 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] fib6infoalloc+0x2e/0xf0 net/ipv6/ip6fib.c:155 ip6routeinfocreate+0x445/0x12b0 net/ipv6/route.c:3758 ip6routemultipathadd net/ipv6/route.c:5298 [inline] inet6rtmnewroute+0x744/0x2300 net/ipv6/route.c:5517 rtnetlinkrcvmsg+0x885/0x1040 net/core/rtnetlink.c:6597 netlinkrcvskb+0x1e3/0x430 net/netlink/afnetlink.c:2543 netlinkunicastkernel net/netlink/afnetlink.c:1341 [inline] netlinkunicast+0x7ea/0x980 net/netlink/afnetlink.c:1367 netlinksendmsg+0xa3b/0xd70 net/netlink/afnetlink.c:1908 socksendmsgnosec net/socket.c:730 [inline] socksendmsg+0x221/0x270 net/socket.c:745 syssendmsg+0x525/0x7d0 net/socket.c:2584 syssendmsg net/socket.c:2638 [inline] syssendmsg+0x2b0/0x3a0 net/socket.c:2667 dosyscall64+0xf9/0x240 entrySYSCALL64afterhwframe+0x6f/0x77

Freed by task 16: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 kasansavefreeinfo+0x4e/0x60 mm/kasan/generic.c:640 poisonslabobject+0xa6/0xe0 m ---truncated---

NVD

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6routempathnotify()

The Linux kernel CVE team has assigned CVE-2024-26852 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024041723-CVE-2024-26852-0057@gregkh/T

Red Hat

Affected Software

27 affected componentsFixes available
redhat/kernel<4.19.310
4.19.310
redhat/kernel<5.4.272
5.4.272
redhat/kernel<5.10.213
5.10.213
redhat/kernel<5.15.152
5.15.152
redhat/kernel<6.1.82
6.1.82
redhat/kernel<6.6.22
6.6.22
redhat/kernel<6.7.10
6.7.10
redhat/kernel<6.8
6.8
Linux Linux kernel>=4.11<4.19.310
Linux Linux kernel>=4.20<5.4.272
Linux Linux kernel>=5.5<5.10.213
Linux Linux kernel>=5.11<5.15.152
Linux Linux kernel>=5.16<6.1.82
Linux Linux kernel>=6.2<6.6.22
Linux Linux kernel>=6.7<6.7.10
Linux Linux kernel=6.8-rc1
Linux Linux kernel=6.8-rc2
Linux Linux kernel=6.8-rc3
Linux Linux kernel=6.8-rc4
Linux Linux kernel=6.8-rc5
Linux Linux kernel=6.8-rc6
Debian Debian Linux=10.0
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1

Remediation

Patch Available

https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136

Patch Available

https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18

Patch Available

https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda

Patch Available

https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e

Patch Available

https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab

Patch Available

https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe

Patch Available

https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24

Patch Available

https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a

Event History

Apr 17, 2024
CVE Published
via MITRE·10:17 AM
Data Sourced
via MITRE·10:17 AM
Description
Data Sourced
via NVD·11:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Data Sourced
via Red Hat·07:46 PM
DescriptionSeverityAffected Software
Jun 8, 2024
Data Sourced
via Launchpad·01:07 AM
Description
Apr 28, 2025
Data Sourced
via Ubuntu·02:20 PM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-26852?

CVE-2024-26852 is classified as a high severity vulnerability due to its potential for causing use-after-free conditions in networking functionality.

2

How do I fix CVE-2024-26852?

To mitigate CVE-2024-26852, upgrade to the latest kernel version specified as remedies in the affected software list.

3

What systems are affected by CVE-2024-26852?

CVE-2024-26852 affects multiple versions of the Linux kernel across different distributions, including Red Hat and Debian.

4

Can CVE-2024-26852 be exploited remotely?

Yes, CVE-2024-26852 potentially allows for remote exploitation due to its impact on network-related components in the kernel.

5

What are the indications of being affected by CVE-2024-26852?

Systems affected by CVE-2024-26852 may experience unexpected behavior related to network operations or crash of network services.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203