net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

Summary

CVE: CVE-2024-26852
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2024-04-17 11:15:08 UTC
Updated: 2026-05-12 12:16:21 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

syzbot found another use-after-free in ip6_route_mpath_notify() [1]

Commit f7225172f25a ("net/ipv6: prevent use after free in ip6_route_mpath_notify") was not able to fix the root cause.

We need to defer the fib6_info_release() calls after ip6_route_mpath_notify(), in the cleanup phase.

[1]
BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0
Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037

CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x167/0x540 mm/kasan/report.c:488
 kasan_report+0x142/0x180 mm/kasan/report.c:601
 rt6_fill_node+0x1460/0x1ac0
 inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184
 ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]
 ip6_route_multipath_add net/ipv6/route.c:5404 [inline]
 inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517
 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f73dd87dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858
 </TASK>

Allocated by task 23037:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3981 [inline]
 __kmalloc+0x22e/0x490 mm/slub.c:3994
 kmalloc include/linux/slab.h:594 [inline]
 kzalloc include/linux/slab.h:711 [inline]
 fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758
 ip6_route_multipath_add net/ipv6/route.c:5298 [inline]
 inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517
 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 16:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640
 poison_slab_object+0xa6/0xe0 m ---truncated---

Risk And Classification

Primary CVSS: v3.1 7.8 HIGH from ADP

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem Types: CWE-416 Use After Free


| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

NVD Known Affected Configurations (CPE 2.3)

| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |

Vendor Declared Affected Products

| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 3b1137fe74829e021f483756a648cbb87c8a1b4a 31ea5bcc7d4cd1423de6be327a2c034725704136 git | Not specified |
| CNA | Linux | Linux | affected 3b1137fe74829e021f483756a648cbb87c8a1b4a 664f9c647260cc9d68b4e31d9899530d89dd045e git | Not specified |
| CNA | Linux | Linux | affected 3b1137fe74829e021f483756a648cbb87c8a1b4a 79ce2e54cc0ae366f45516c00bf1b19aa43e9abe git | Not specified |
| CNA | Linux | Linux | affected 3b1137fe74829e021f483756a648cbb87c8a1b4a cae3303257950d03ffec2df4a45e836f10d26c24 git | Not specified |
| CNA | Linux | Linux | affected 3b1137fe74829e021f483756a648cbb87c8a1b4a 394334fe2ae3b9f1e2332b873857e84cb28aac18 git | Not specified |
| CNA | Linux | Linux | affected 3b1137fe74829e021f483756a648cbb87c8a1b4a ed883060c38721ed828061f6c0c30e5147326c9a git | Not specified |
| CNA | Linux | Linux | affected 3b1137fe74829e021f483756a648cbb87c8a1b4a 61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda git | Not specified |
| CNA | Linux | Linux | affected 3b1137fe74829e021f483756a648cbb87c8a1b4a 685f7d531264599b3f167f1e94bbd22f120e5fab git | Not specified |
| CNA | Linux | Linux | affected 4.11 | Not specified |
| CNA | Linux | Linux | unaffected 4.11 semver | Not specified |
| CNA | Linux | Linux | unaffected 4.19.310 4.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.4.272 5.4.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.213 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.152 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.82 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.22 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.7.10 6.7.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.8 * original_commit_for_fix | Not specified |
| ADP | Linux | Linux Kernel | affected 3b1137fe7482 31ea5bcc7d4c custom | Not specified |
| ADP | Linux | Linux Kernel | affected 3b1137fe7482 664f9c647260 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 3b1137fe7482 79ce2e54cc0a custom | Not specified |
| ADP | Linux | Linux Kernel | affected 3b1137fe7482 cae330325795 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 3b1137fe7482 394334fe2ae3 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 3b1137fe7482 ed883060c387 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 3b1137fe7482 61b34f73cdbd custom | Not specified |
| ADP | Linux | Linux Kernel | affected 3b1137fe7482 685f7d531264 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 4.11 | Not specified |
| ADP | Linux | Linux Kernel | unaffected 4.11 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 4.19.310 4.20 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 5.4.272 5.5 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 5.10.213 5.11 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 5.15.152 5.16 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.1.82 6.2 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.6.22 6.7 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.7.10 6.8 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.8 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem | affected * custom | Not specified |

References

| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2024/06/msg00017.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-265688.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2024/06/msg00020.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |