CVE-2024-33621: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound Raw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will hit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path. WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70 Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:sk_mc_loop+0x2d/0x70 Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212 RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001 RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000 RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00 R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000 R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000 FS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> ? __warn (kernel/panic.c:693) ? sk_mc_loop (net/core/sock.c:760) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:239) ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? sk_mc_loop (net/core/sock.c:760) ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1)) ? nf_hook_slow (net/netfilter/core.c:626) ip6_finish_output (net/ipv6/ip6_output.c:222) ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215) ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan dev_hard_start_xmit (net/core/dev.c:3594) sch_direct_xmit (net/sched/sch_generic.c:343) __qdisc_run (net/sched/sch_generic.c:416) net_tx_action (net/core/dev.c:5286) handle_softirqs (kernel/softirq.c:555) __irq_exit_rcu (kernel/softirq.c:589) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043) The warning triggers as this: packet_sendmsg packet_snd //skb->sk is packet sk __dev_queue_xmit __dev_xmit_skb //q->enqueue is not NULL __qdisc_run sch_direct_xmit dev_hard_start_xmit ipvlan_start_xmit ipvlan_xmit_mode_l3 //l3 mode ipvlan_process_outbound //vepa flag ipvlan_process_v6_outbound ip6_local_out __ip6_finish_output ip6_finish_output2 //multicast packet sk_mc_loop //sk->sk_family is AF_PACKET Call ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.
AI Analysis
Technical Summary
CVE-2024-33621 is a vulnerability identified in the Linux kernel's ipvlan network driver, specifically related to the handling of outbound IPv6 packets on ipvlan devices. The issue arises when raw packets from a PF_PACKET socket are sent over an IPv6-backed ipvlan device, triggering a kernel warning (WARN_ON_ONCE) in the sk_mc_loop() function during multicast packet processing. This warning indicates a problematic state where the socket pointer (skb->sk) is improperly used, leading to a kernel warning and potentially a kernel panic or system instability. The root cause is that ipvlan's processing path for outbound IPv6 packets incorrectly uses skb->sk, which can be NULL or invalid in this context, causing the kernel to hit a warning condition in sk_mc_loop(), a function involved in multicast loopback handling. The vulnerability is triggered through the sch_direct_xmit() path, which is part of the Linux traffic control subsystem, and involves the ipvlan_start_xmit and ipvlan_xmit_mode_l3 functions. The detailed call trace shows that the issue occurs during packet transmission, specifically when multicast packets are sent via ipvlan devices configured in L3 mode. The fix involves modifying ipvlan to avoid using skb->sk in ipvlan_process_v{4,6}_outbound functions, aligning ipvlan's behavior with other tunnel drivers by calling ip{6}_local_out() with a NULL socket pointer to prevent the warning. This vulnerability affects Linux kernel versions containing the specified commit hash 2ad7bf3638411cb547f2823df08166c13ab04269 and likely other versions prior to the patch. No known exploits are reported in the wild as of the publication date. The vulnerability does not have an assigned CVSS score yet but is recognized and published by the Linux project and CISA.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with ipvlan devices configured for IPv6 traffic, particularly in environments using containerization or virtualization where ipvlan is commonly deployed for network isolation and performance. The impact includes potential kernel warnings that can escalate to kernel panics or system crashes, leading to denial of service (DoS) conditions. This can disrupt critical services, especially in data centers, cloud providers, and enterprises relying on Linux-based infrastructure for networking and container orchestration. Since ipvlan is often used in modern cloud-native deployments, the vulnerability could affect cloud service providers and enterprises running Kubernetes or similar platforms. Although no direct remote code execution or privilege escalation is indicated, the stability and availability of affected systems could be compromised, impacting business continuity and service reliability. The vulnerability's exploitation requires crafted network packets and specific ipvlan configurations, which may limit widespread exploitation but still represents a significant risk to high-availability systems.
Mitigation Recommendations
European organizations should apply the following specific mitigations: 1) Update Linux kernels to the latest patched versions that include the fix for CVE-2024-33621 as soon as they become available from their Linux distribution vendors. 2) Audit and monitor the use of ipvlan devices, especially those configured for IPv6 traffic, to identify vulnerable systems. 3) Where possible, temporarily disable ipvlan devices or switch to alternative network drivers (e.g., macvlan or standard bridge devices) until patches are applied. 4) Implement network-level controls to restrict or monitor PF_PACKET socket usage and raw packet injection, reducing the risk of crafted packet attacks. 5) Enhance kernel logging and monitoring to detect WARN_ON_ONCE() triggers or unusual multicast traffic patterns that may indicate exploitation attempts. 6) For container orchestration platforms, ensure that node operating systems are regularly updated and that network plugins using ipvlan are kept current. 7) Engage with Linux distribution security advisories and subscribe to vulnerability notifications to respond promptly to updates.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium
CVE-2024-33621: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound Raw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will hit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path. WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70 Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:sk_mc_loop+0x2d/0x70 Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212 RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001 RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000 RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00 R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000 R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000 FS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> ? __warn (kernel/panic.c:693) ? sk_mc_loop (net/core/sock.c:760) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:239) ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? sk_mc_loop (net/core/sock.c:760) ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1)) ? nf_hook_slow (net/netfilter/core.c:626) ip6_finish_output (net/ipv6/ip6_output.c:222) ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215) ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan dev_hard_start_xmit (net/core/dev.c:3594) sch_direct_xmit (net/sched/sch_generic.c:343) __qdisc_run (net/sched/sch_generic.c:416) net_tx_action (net/core/dev.c:5286) handle_softirqs (kernel/softirq.c:555) __irq_exit_rcu (kernel/softirq.c:589) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043) The warning triggers as this: packet_sendmsg packet_snd //skb->sk is packet sk __dev_queue_xmit __dev_xmit_skb //q->enqueue is not NULL __qdisc_run sch_direct_xmit dev_hard_start_xmit ipvlan_start_xmit ipvlan_xmit_mode_l3 //l3 mode ipvlan_process_outbound //vepa flag ipvlan_process_v6_outbound ip6_local_out __ip6_finish_output ip6_finish_output2 //multicast packet sk_mc_loop //sk->sk_family is AF_PACKET Call ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.
AI-Powered Analysis
Technical Analysis
CVE-2024-33621 is a vulnerability identified in the Linux kernel's ipvlan network driver, specifically related to the handling of outbound IPv6 packets on ipvlan devices. The issue arises when raw packets from a PF_PACKET socket are sent over an IPv6-backed ipvlan device, triggering a kernel warning (WARN_ON_ONCE) in the sk_mc_loop() function during multicast packet processing. This warning indicates a problematic state where the socket pointer (skb->sk) is improperly used, leading to a kernel warning and potentially a kernel panic or system instability. The root cause is that ipvlan's processing path for outbound IPv6 packets incorrectly uses skb->sk, which can be NULL or invalid in this context, causing the kernel to hit a warning condition in sk_mc_loop(), a function involved in multicast loopback handling. The vulnerability is triggered through the sch_direct_xmit() path, which is part of the Linux traffic control subsystem, and involves the ipvlan_start_xmit and ipvlan_xmit_mode_l3 functions. The detailed call trace shows that the issue occurs during packet transmission, specifically when multicast packets are sent via ipvlan devices configured in L3 mode. The fix involves modifying ipvlan to avoid using skb->sk in ipvlan_process_v{4,6}_outbound functions, aligning ipvlan's behavior with other tunnel drivers by calling ip{6}_local_out() with a NULL socket pointer to prevent the warning. This vulnerability affects Linux kernel versions containing the specified commit hash 2ad7bf3638411cb547f2823df08166c13ab04269 and likely other versions prior to the patch. No known exploits are reported in the wild as of the publication date. The vulnerability does not have an assigned CVSS score yet but is recognized and published by the Linux project and CISA.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with ipvlan devices configured for IPv6 traffic, particularly in environments using containerization or virtualization where ipvlan is commonly deployed for network isolation and performance. The impact includes potential kernel warnings that can escalate to kernel panics or system crashes, leading to denial of service (DoS) conditions. This can disrupt critical services, especially in data centers, cloud providers, and enterprises relying on Linux-based infrastructure for networking and container orchestration. Since ipvlan is often used in modern cloud-native deployments, the vulnerability could affect cloud service providers and enterprises running Kubernetes or similar platforms. Although no direct remote code execution or privilege escalation is indicated, the stability and availability of affected systems could be compromised, impacting business continuity and service reliability. The vulnerability's exploitation requires crafted network packets and specific ipvlan configurations, which may limit widespread exploitation but still represents a significant risk to high-availability systems.
Mitigation Recommendations
European organizations should apply the following specific mitigations: 1) Update Linux kernels to the latest patched versions that include the fix for CVE-2024-33621 as soon as they become available from their Linux distribution vendors. 2) Audit and monitor the use of ipvlan devices, especially those configured for IPv6 traffic, to identify vulnerable systems. 3) Where possible, temporarily disable ipvlan devices or switch to alternative network drivers (e.g., macvlan or standard bridge devices) until patches are applied. 4) Implement network-level controls to restrict or monitor PF_PACKET socket usage and raw packet injection, reducing the risk of crafted packet attacks. 5) Enhance kernel logging and monitoring to detect WARN_ON_ONCE() triggers or unusual multicast traffic patterns that may indicate exploitation attempts. 6) For container orchestration platforms, ensure that node operating systems are regularly updated and that network plugins using ipvlan are kept current. 7) Engage with Linux distribution security advisories and subscribe to vulnerability notifications to respond promptly to updates.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-06-21T10:13:16.298Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ac4522896dcbe343f
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 3:41:39 PM
Last updated: 8/16/2025, 1:07:42 PM
Views: 12
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.