{"api_version":"1","generated_at":"2026-05-13T07:40:30+00:00","cve":"CVE-2024-44987","urls":{"html":"https://cve.report/CVE-2024-44987","api":"https://cve.report/api/cve/CVE-2024-44987.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-44987","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-44987"},"summary":{"title":"ipv6: prevent UAF in ip6_send_skb()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent UAF in ip6_send_skb()\n\nsyzbot reported an UAF in ip6_send_skb() [1]\n\nAfter ip6_local_out() has returned, we no longer can safely\ndereference rt, unless we hold rcu_read_lock().\n\nA similar issue has been fixed in commit\na688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\")\n\nAnother potential issue in ip6_finish_output2() is handled in a\nseparate patch.\n\n[1]\n BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\nRead of size 8 at addr ffff88806dde4858 by task syz.1.380/6530\n\nCPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\n  rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588\n  rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  sock_write_iter+0x2dd/0x400 net/socket.c:1160\n do_iter_readv_writev+0x60a/0x890\n  vfs_writev+0x37c/0xbb0 fs/read_write.c:971\n  do_writev+0x1b1/0x350 fs/read_write.c:1018\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f936bf79e79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79\nRDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004\nRBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8\n </TASK>\n\nAllocated by task 6530:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:312 [inline]\n  __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3988 [inline]\n  slab_alloc_node mm/slub.c:4037 [inline]\n  kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044\n  dst_alloc+0x12b/0x190 net/core/dst.c:89\n  ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670\n  make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]\n  xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313\n  ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257\n  rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 45:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n  poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n  __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2252 [inline]\n  slab_free mm/slub.c:4473 [inline]\n  kmem_cache_free+0x145/0x350 mm/slub.c:4548\n  dst_destroy+0x2ac/0x460 net/core/dst.c:124\n  rcu_do_batch kernel/rcu/tree.c:2569 [inline]\n  rcu_core+0xafd/0x1830 kernel/rcu/tree.\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2024-09-04 20:15:07","updated_at":"2026-05-12 12:17:09"},"problem_types":["CWE-416"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/9a3e55afa95ed4ac9eda112d4f918af645d72f25","name":"https://git.kernel.org/stable/c/9a3e55afa95ed4ac9eda112d4f918af645d72f25","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e","name":"https://git.kernel.org/stable/c/cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011","name":"https://git.kernel.org/stable/c/af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8","name":"https://git.kernel.org/stable/c/ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/faa389b2fbaaec7fd27a390b4896139f9da662e3","name":"https://git.kernel.org/stable/c/faa389b2fbaaec7fd27a390b4896139f9da662e3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/571567e0277008459750f0728f246086b2659429","name":"https://git.kernel.org/stable/c/571567e0277008459750f0728f246086b2659429","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e44bd76dd072756e674f45c5be00153f4ded68b2","name":"https://git.kernel.org/stable/c/e44bd76dd072756e674f45c5be00153f4ded68b2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html","name":"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/24e93695b1239fbe4c31e224372be77f82dab69a","name":"https://git.kernel.org/stable/c/24e93695b1239fbe4c31e224372be77f82dab69a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","name":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-44987","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-44987","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0625491493d9000e4556bf566d205c28c8e7dc4e 571567e0277008459750f0728f246086b2659429 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0625491493d9000e4556bf566d205c28c8e7dc4e ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0625491493d9000e4556bf566d205c28c8e7dc4e cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0625491493d9000e4556bf566d205c28c8e7dc4e 24e93695b1239fbe4c31e224372be77f82dab69a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0625491493d9000e4556bf566d205c28c8e7dc4e 9a3e55afa95ed4ac9eda112d4f918af645d72f25 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0625491493d9000e4556bf566d205c28c8e7dc4e af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0625491493d9000e4556bf566d205c28c8e7dc4e e44bd76dd072756e674f45c5be00153f4ded68b2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0625491493d9000e4556bf566d205c28c8e7dc4e faa389b2fbaaec7fd27a390b4896139f9da662e3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.32","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.32 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.321 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.283 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.225 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.166 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.107 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.48 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.10.7 6.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.11 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"RUGGEDCOM RST2428P","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"RUGGEDCOM RST2428P","version":"affected V3.1 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","version":"unaffected * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","version":"affected V3.1 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"44987","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-44987","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-09-04T20:20:00.407827Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-09-04T20:21:05.118Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-03T22:14:37.598Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"RUGGEDCOM RST2428P","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"RUGGEDCOM RST2428P","vendor":"Siemens","versions":[{"lessThan":"V3.1","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","vendor":"Siemens","versions":[{"lessThan":"*","status":"unaffected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","vendor":"Siemens","versions":[{"lessThan":"V3.1","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:57:25.163Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-613116.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/ipv6/ip6_output.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"571567e0277008459750f0728f246086b2659429","status":"affected","version":"0625491493d9000e4556bf566d205c28c8e7dc4e","versionType":"git"},{"lessThan":"ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8","status":"affected","version":"0625491493d9000e4556bf566d205c28c8e7dc4e","versionType":"git"},{"lessThan":"cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e","status":"affected","version":"0625491493d9000e4556bf566d205c28c8e7dc4e","versionType":"git"},{"lessThan":"24e93695b1239fbe4c31e224372be77f82dab69a","status":"affected","version":"0625491493d9000e4556bf566d205c28c8e7dc4e","versionType":"git"},{"lessThan":"9a3e55afa95ed4ac9eda112d4f918af645d72f25","status":"affected","version":"0625491493d9000e4556bf566d205c28c8e7dc4e","versionType":"git"},{"lessThan":"af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011","status":"affected","version":"0625491493d9000e4556bf566d205c28c8e7dc4e","versionType":"git"},{"lessThan":"e44bd76dd072756e674f45c5be00153f4ded68b2","status":"affected","version":"0625491493d9000e4556bf566d205c28c8e7dc4e","versionType":"git"},{"lessThan":"faa389b2fbaaec7fd27a390b4896139f9da662e3","status":"affected","version":"0625491493d9000e4556bf566d205c28c8e7dc4e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/ipv6/ip6_output.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.32"},{"lessThan":"2.6.32","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.321","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.283","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.225","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.166","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.107","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.48","versionType":"semver"},{"lessThanOrEqual":"6.10.*","status":"unaffected","version":"6.10.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.11","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.321","versionStartIncluding":"2.6.32","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.283","versionStartIncluding":"2.6.32","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.225","versionStartIncluding":"2.6.32","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.166","versionStartIncluding":"2.6.32","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.107","versionStartIncluding":"2.6.32","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.48","versionStartIncluding":"2.6.32","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.10.7","versionStartIncluding":"2.6.32","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.11","versionStartIncluding":"2.6.32","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent UAF in ip6_send_skb()\n\nsyzbot reported an UAF in ip6_send_skb() [1]\n\nAfter ip6_local_out() has returned, we no longer can safely\ndereference rt, unless we hold rcu_read_lock().\n\nA similar issue has been fixed in commit\na688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\")\n\nAnother potential issue in ip6_finish_output2() is handled in a\nseparate patch.\n\n[1]\n BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\nRead of size 8 at addr ffff88806dde4858 by task syz.1.380/6530\n\nCPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\n  rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588\n  rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  sock_write_iter+0x2dd/0x400 net/socket.c:1160\n do_iter_readv_writev+0x60a/0x890\n  vfs_writev+0x37c/0xbb0 fs/read_write.c:971\n  do_writev+0x1b1/0x350 fs/read_write.c:1018\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f936bf79e79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79\nRDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004\nRBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8\n </TASK>\n\nAllocated by task 6530:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:312 [inline]\n  __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3988 [inline]\n  slab_alloc_node mm/slub.c:4037 [inline]\n  kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044\n  dst_alloc+0x12b/0x190 net/core/dst.c:89\n  ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670\n  make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]\n  xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313\n  ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257\n  rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 45:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n  poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n  __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2252 [inline]\n  slab_free mm/slub.c:4473 [inline]\n  kmem_cache_free+0x145/0x350 mm/slub.c:4548\n  dst_destroy+0x2ac/0x460 net/core/dst.c:124\n  rcu_do_batch kernel/rcu/tree.c:2569 [inline]\n  rcu_core+0xafd/0x1830 kernel/rcu/tree.\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-11T20:33:16.459Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/571567e0277008459750f0728f246086b2659429"},{"url":"https://git.kernel.org/stable/c/ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8"},{"url":"https://git.kernel.org/stable/c/cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e"},{"url":"https://git.kernel.org/stable/c/24e93695b1239fbe4c31e224372be77f82dab69a"},{"url":"https://git.kernel.org/stable/c/9a3e55afa95ed4ac9eda112d4f918af645d72f25"},{"url":"https://git.kernel.org/stable/c/af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011"},{"url":"https://git.kernel.org/stable/c/e44bd76dd072756e674f45c5be00153f4ded68b2"},{"url":"https://git.kernel.org/stable/c/faa389b2fbaaec7fd27a390b4896139f9da662e3"}],"title":"ipv6: prevent UAF in ip6_send_skb()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-44987","datePublished":"2024-09-04T19:54:35.510Z","dateReserved":"2024-08-21T05:34:56.671Z","dateUpdated":"2026-05-12T11:57:25.163Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-09-04 20:15:07","lastModifiedDate":"2026-05-12 12:17:09","problem_types":["CWE-416"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"4.19.321","matchCriteriaId":"9ADDB000-FDCD-401B-AD98-165AB6788080"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.283","matchCriteriaId":"8E6B390A-0CE6-44FC-8CD5-BE8226D6D24C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.225","matchCriteriaId":"C57B46A9-B105-4792-8481-1870DEFB436A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.166","matchCriteriaId":"913ED6CD-8ACF-48AF-AA18-7880881DD402"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.107","matchCriteriaId":"53954FF8-CB48-4302-BC4C-9DA7A88F44A2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.48","matchCriteriaId":"9DE9201A-CE6B-4726-BABB-8265EA0F8AE4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10.7","matchCriteriaId":"D2AFDFD1-D95A-4EB7-843B-5E7659518B67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*","matchCriteriaId":"8B3CE743-2126-47A3-8B7C-822B502CF119"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*","matchCriteriaId":"4DEB27E7-30AA-45CC-8934-B89263EF3551"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*","matchCriteriaId":"E0005AEF-856E-47EB-BFE4-90C46899394D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*","matchCriteriaId":"39889A68-6D34-47A6-82FC-CD0BF23D6754"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"44987","Ordinal":"1","Title":"ipv6: prevent UAF in ip6_send_skb()","CVE":"CVE-2024-44987","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"44987","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent UAF in ip6_send_skb()\n\nsyzbot reported an UAF in ip6_send_skb() [1]\n\nAfter ip6_local_out() has returned, we no longer can safely\ndereference rt, unless we hold rcu_read_lock().\n\nA similar issue has been fixed in commit\na688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\")\n\nAnother potential issue in ip6_finish_output2() is handled in a\nseparate patch.\n\n[1]\n BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\nRead of size 8 at addr ffff88806dde4858 by task syz.1.380/6530\n\nCPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\n  rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588\n  rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  sock_write_iter+0x2dd/0x400 net/socket.c:1160\n do_iter_readv_writev+0x60a/0x890\n  vfs_writev+0x37c/0xbb0 fs/read_write.c:971\n  do_writev+0x1b1/0x350 fs/read_write.c:1018\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f936bf79e79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79\nRDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004\nRBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8\n </TASK>\n\nAllocated by task 6530:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:312 [inline]\n  __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3988 [inline]\n  slab_alloc_node mm/slub.c:4037 [inline]\n  kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044\n  dst_alloc+0x12b/0x190 net/core/dst.c:89\n  ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670\n  make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]\n  xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313\n  ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257\n  rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 45:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n  poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n  __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2252 [inline]\n  slab_free mm/slub.c:4473 [inline]\n  kmem_cache_free+0x145/0x350 mm/slub.c:4548\n  dst_destroy+0x2ac/0x460 net/core/dst.c:124\n  rcu_do_batch kernel/rcu/tree.c:2569 [inline]\n  rcu_core+0xafd/0x1830 kernel/rcu/tree.\n---truncated---","Type":"Description","Title":"ipv6: prevent UAF in ip6_send_skb()"}]}}}