
CVE-2024-26852: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Wed Apr 17 2024 (04/17/2024, 10:17:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

syzbot found another use-after-free in ip6_route_mpath_notify() [1]

Commit f7225172f25a ("net/ipv6: prevent use after free in ip6_route_mpath_notify") was not able to fix the root cause.

We need to defer the fib6_info_release() calls after ip6_route_mpath_notify(), in the cleanup phase.

[1]
BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0
Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037

CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x167/0x540 mm/kasan/report.c:488
 kasan_report+0x142/0x180 mm/kasan/report.c:601
 rt6_fill_node+0x1460/0x1ac0
 inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184
 ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]
 ip6_route_multipath_add net/ipv6/route.c:5404 [inline]
 inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517
 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f73dd87dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858
 </TASK>

Allocated by task 23037:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3981 [inline]
 __kmalloc+0x22e/0x490 mm/slub.c:3994
 kmalloc include/linux/slab.h:594 [inline]
 kzalloc include/linux/slab.h:711 [inline]
 fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758
 ip6_route_multipath_add net/ipv6/route.c:5298 [inline]
 inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517
 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 16:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640
 poison_slab_object+0xa6/0xe0 m ---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 01:55:56 UTC

Technical Analysis

CVE-2024-26852 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's IPv6 networking stack, specifically in the function ip6_route_mpath_notify(). It was identified by syzbot, an automated kernel fuzzer, which detected that the kernel could read memory after it had been freed, leading to undefined behavior and potential exploitation. The root cause is the ordering of the fib6_info_release() calls, which drop references to the routing information structures (fib6_info) created while adding an IPv6 multipath route: they were issued before the notification code had finished reading those structures. An earlier patch (commit f7225172f25a, "net/ipv6: prevent use after free in ip6_route_mpath_notify") attempted to fix the issue but did not address this root cause; the resolving fix defers the fib6_info_release() calls to the cleanup phase, after ip6_route_mpath_notify() has run. The flaw manifests as a slab-use-after-free read in rt6_fill_node(), reached from ip6_route_mpath_notify(), as shown by the KASAN (Kernel Address Sanitizer) report in the description. That report was produced on Linux 6.8.0-rc4; other kernel versions around this release are likely affected as well. Exploiting the vulnerability requires local, low-privilege access and no user interaction, and the attacker must be able to send netlink (rtnetlink) route messages to the kernel to reach the vulnerable code path. Successful exploitation can lead to full compromise of confidentiality, integrity, and availability of the affected system, including kernel crashes, arbitrary code execution in kernel space, or privilege escalation. The vulnerability is classified as CWE-416 (Use After Free), a critical class of memory safety errors. The CVSS v3.1 score is 7.8 (high), reflecting the local attack vector, low attack complexity, low privileges required, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the vulnerability's nature and impact warrant immediate attention and patching once fixes are available.
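The defect class described above, release-before-notify on a reference-counted object, is easier to see in a small model than in the kernel's route code. The following user-space C program is an added example, not code from the Linux kernel or from this page: the names fib_entry, fib_table, mpath_add_vulnerable, mpath_add_fixed and table_replace_all are hypothetical stand-ins for fib6_info, the routing table, the two orderings of ip6_route_multipath_add(), and the concurrent route replacement seen as "Freed by task 16" in the KASAN report. Objects whose last reference drops are only flagged, never returned to the allocator, so the stale read is observable as a counter instead of undefined behavior.

```c
/* Added model of CVE-2024-26852's ordering bug; hypothetical names, not kernel code. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_PATHS 8

/* Stand-in for fib6_info: refcounted, with an instrumentation flag
 * instead of a real kfree() so a stale read is countable, not UB. */
struct fib_entry {
    int refcnt;
    int freed;
    int metric;
};

/* Stand-in for the routing table; holds one reference per inserted entry. */
struct fib_table {
    struct fib_entry *slots[MAX_PATHS];
    int n;
};

static struct fib_entry *entry_alloc(int metric) {
    struct fib_entry *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->refcnt = 1;              /* the creator's reference */
    e->metric = metric;
    return e;
}

/* Model of fib6_info_release(): last reference gone means the object is dead. */
static void entry_release(struct fib_entry *e) {
    if (--e->refcnt == 0) e->freed = 1;
}

static void table_insert(struct fib_table *t, struct fib_entry *e) {
    e->refcnt++;                /* the table's own reference */
    t->slots[t->n++] = e;
}

/* Another task replacing the routes drops the table's references. */
static void table_replace_all(struct fib_table *t) {
    for (int i = 0; i < t->n; i++) entry_release(t->slots[i]);
    t->n = 0;
}

/* Model of ip6_route_mpath_notify(): reads every path to build the
 * notification. Returns how many reads touched an already-freed entry. */
static int mpath_notify(struct fib_entry **paths, int n) {
    int stale = 0, sum = 0;
    for (int i = 0; i < n; i++) {
        if (paths[i]->freed) stale++;      /* KASAN would flag this read */
        else sum += paths[i]->metric;
    }
    (void)sum;
    return stale;
}

/* Vulnerable ordering: the creator's reference is dropped inside the add
 * loop, so the later notifier depends on the table still holding each entry.
 * If a concurrent replace drops the table's references first, it reads
 * freed memory. Returns the number of stale reads. */
static int mpath_add_vulnerable(struct fib_table *t, const int *metrics, int n,
                                int concurrent_replace) {
    struct fib_entry *paths[MAX_PATHS];
    for (int i = 0; i < n; i++) {
        paths[i] = entry_alloc(metrics[i]);
        table_insert(t, paths[i]);
        entry_release(paths[i]);    /* too early: notify has not run yet */
    }
    if (concurrent_replace) table_replace_all(t);
    int stale = mpath_notify(paths, n);
    table_replace_all(t);           /* model teardown */
    for (int i = 0; i < n; i++) free(paths[i]);
    return stale;
}

/* Fixed ordering: the releases are deferred to the cleanup phase after
 * notify, so the creator's reference keeps every entry alive until then. */
static int mpath_add_fixed(struct fib_table *t, const int *metrics, int n,
                           int concurrent_replace) {
    struct fib_entry *paths[MAX_PATHS];
    for (int i = 0; i < n; i++) {
        paths[i] = entry_alloc(metrics[i]);
        table_insert(t, paths[i]);
    }
    if (concurrent_replace) table_replace_all(t);
    int stale = mpath_notify(paths, n);
    for (int i = 0; i < n; i++) entry_release(paths[i]);  /* cleanup phase */
    table_replace_all(t);
    for (int i = 0; i < n; i++) free(paths[i]);
    return stale;
}

int main(void) {
    const int metrics[3] = {100, 200, 300};   /* constructed sample routes */
    struct fib_table t1 = {0}, t2 = {0};
    printf("vulnerable, racing replace: %d stale reads\n",
           mpath_add_vulnerable(&t1, metrics, 3, 1));
    printf("fixed, racing replace:      %d stale reads\n",
           mpath_add_fixed(&t2, metrics, 3, 1));
    return 0;
}
```

Without the racing replace both orderings report zero stale reads, which is why the first patch could look sufficient in testing; only the deferred-release ordering stays correct when another task drops the table's references between insertion and notification.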

Potential Impact

For European organizations, this vulnerability poses a significant risk, particularly for those relying on Linux-based infrastructure for critical services, including cloud providers, telecommunications, financial institutions, and government agencies. The IPv6 networking stack is widely used in modern Linux deployments, and the ability to exploit a kernel-level use-after-free can lead to system crashes, denial of service, or full system compromise. This could disrupt business operations, lead to data breaches, or enable attackers to establish persistent footholds within networks. Given the prevalence of Linux in server environments and embedded systems across Europe, the impact could be widespread. Organizations running multi-tenant cloud environments or containerized workloads are especially at risk, as attackers could leverage this vulnerability to escape isolation boundaries. Additionally, the vulnerability could be leveraged in targeted attacks against critical infrastructure sectors, potentially affecting national security and public services. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the high severity and ease of local exploitation mean that threat actors may develop exploits rapidly.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since the initial patch was insufficient, it is critical to apply the latest kernel updates from trusted sources that explicitly address CVE-2024-26852. In environments where immediate patching is not feasible, organizations should restrict access to systems to trusted users only, as exploitation requires local privileges. Network segmentation and strict control of netlink socket access can reduce the attack surface. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can help detect similar issues proactively. Monitoring kernel logs for unusual netlink activity and crashes related to IPv6 routing can provide early detection of exploitation attempts. For cloud providers and multi-tenant environments, isolating workloads and applying mandatory access controls (e.g., SELinux, AppArmor) can limit the impact of a successful exploit. Finally, organizations should maintain an inventory of Linux kernel versions in use and implement automated patch management to ensure timely updates.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.183Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe3d91

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 7/3/2025, 1:55:56 AM

Last updated: 8/8/2025, 12:49:23 AM


