CVE-2024-35886: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix infinite recursion in fib6_dump_done().

syzkaller reported infinite recursive calls of fib6_dump_done() during netlink socket destruction. [1]

From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then the response was generated. The following recvmmsg() resumed the dump for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due to the fault injection. [0]

```
12:01:34 executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, ... snip ...)
recvmmsg(r0, ... snip ...) (fail_nth: 8)
```

Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].

syzkaller stopped receiving the response halfway through, and finally netlink_sock_destruct() called nlk_sk(sk)->cb.done().

fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling itself recursively and hitting the stack guard page.

To avoid the issue, let's set the destructor after kzalloc().

[0]:
```
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:117)
 should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
 should_failslab (mm/slub.c:3733)
 kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)
 inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)
 rtnl_dump_all (net/core/rtnetlink.c:4029)
 netlink_dump (net/netlink/af_netlink.c:2269)
 netlink_recvmsg (net/netlink/af_netlink.c:1988)
 ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)
 ___sys_recvmsg (net/socket.c:2846)
 do_recvmmsg (net/socket.c:2943)
 __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)
```

[1]:
```
BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)
stack guard page: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)
Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d980000 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3
RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358
RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000
R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68
FS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <#DF>
 </#DF>
 <TASK>
 fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
 fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
 ...
 fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
 fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
 netlink_sock_destruct (net/netlink/af_netlink.c:401)
 __sk_destruct (net/core/sock.c:2177 (discriminator 2))
 sk_destruct (net/core/sock.c:2224)
 __sk_free (net/core/sock.c:2235)
 sk_free (net/core/sock.c:2246)
 process_one_work (kernel/workqueue.c:3259)
 worker_thread (kernel/workqueue.c:3329 kernel/workqueue.
---truncated---
```
AI Analysis
Technical Summary
CVE-2024-35886 is a vulnerability in the Linux kernel's IPv6 networking stack, specifically in the fib6_dump_done() function. The issue is an infinite recursion triggered during netlink socket destruction while an IPv6 routing table dump is being torn down. It was found by fuzz testing with syzkaller, which sent an AF_UNSPEC RTM_GETROUTE message and had the kernel generate the response. While the dump was being resumed, a fault-injected failure of kzalloc() in inet6_dump_fib() left the netlink callback in an inconsistent state: the destructor callback (nlk_sk(sk)->cb.done) had already been installed, and the slot that saves the previous callback, cb.args[3], held that same function. When the socket was destroyed, fib6_dump_done() called itself indefinitely until it hit the kernel stack guard page, crashing the kernel (stack overflow). The root cause is that fib6_dump_done() calls fib6_dump_end(), which restores the destructor callback from cb.args[3]; in this state that slot holds fib6_dump_done itself rather than NULL, so the callback is invoked recursively. The fix installs the destructor callback only after kzalloc() has succeeded, so a failed allocation never leaves the callback hooked. This vulnerability affects Linux kernel versions around 6.8.0-12821 and likely other versions carrying the same code. Triggering it requires interaction with netlink sockets and the ability to send specific RTM_GETROUTE messages, which are typically accessible to privileged users or processes. No known exploits are currently reported in the wild. The impact is on kernel stability and availability: a kernel panic or crash when the bug is triggered.
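The following user-space C model is an added illustration, not code from the kernel or from this advisory. It reproduces the ordering mistake described in the commit message and the technical summary above: hooking cb.done before the walker allocation means a failed kzalloc() leaves cb.args[3] pointing at the destructor itself, so the destructor chains into itself at socket teardown, whereas hooking after a successful allocation tears down cleanly. The names nl_cb, dump_start, hook_done and destruct_depth are made up for the model, and a depth cap stands in for the kernel's stack overflow so the code runs safely.

```c
#include <stdlib.h>
/* Constructed user-space model of the netlink_callback fields behind CVE-2024-35886;
 * names mirror fib6_dump_done()/fib6_dump_end(), but this is not kernel code. */
struct nl_cb {
	void (*done)(struct nl_cb *cb);   /* destructor run by netlink_sock_destruct() */
	long args[4];                     /* args[2]: walker, args[3]: saved 'done' */
};
#define MAX_DEPTH 64                      /* stand-in for hitting the stack guard page */
static int g_depth;                       /* how many times dump_done() was entered */

/* Like fib6_dump_end(): free the walker, restore the destructor saved in args[3]. */
static void dump_end(struct nl_cb *cb)
{
	free((void *)cb->args[2]);
	cb->args[2] = 0;
	cb->done = (void (*)(struct nl_cb *))cb->args[3];
}

/* Like fib6_dump_done(): unwind, then chain to the restored destructor if any. */
static void dump_done(struct nl_cb *cb)
{
	if (++g_depth >= MAX_DEPTH)         /* the kernel has no such bound: it overflows */
		return;
	dump_end(cb);
	if (cb->done)
		cb->done(cb);                 /* dump_done again whenever args[3] held it */
}

/* The "hook" step: save the current destructor in args[3] and install ours. */
static void hook_done(struct nl_cb *cb) { cb->args[3] = (long)cb->done; cb->done = dump_done; }

/* Start a new dump. hook_after_alloc=1 is the ordering the fix introduced. */
static int dump_start(struct nl_cb *cb, int alloc_fails, int hook_after_alloc)
{
	if (!hook_after_alloc)
		hook_done(cb);                /* pre-fix: hooked even if kzalloc() fails */
	void *w = alloc_fails ? NULL : calloc(1, 64);
	if (!w)
		return -12;                   /* -ENOMEM, as inet6_dump_fib() returns */
	if (hook_after_alloc)
		hook_done(cb);                /* post-fix: hooked only once the walker exists */
	cb->args[2] = (long)w;
	return 0;
}

/* The commit's scenario: cb.done already holds the destructor from an earlier dump and
 * the next dump's allocation fails. Returns dump_done() depth at socket destruction:
 * 1 is a clean teardown, MAX_DEPTH is the runaway recursion. */
int destruct_depth(int hook_after_alloc)
{
	struct nl_cb cb = { .done = dump_done };   /* state left by the earlier dump */
	g_depth = 0;
	(void)dump_start(&cb, 1, hook_after_alloc);
	if (cb.done)                               /* what netlink_sock_destruct() does */
		cb.done(&cb);
	return g_depth;
}
```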
Potential Impact
For European organizations, the primary impact of CVE-2024-35886 is on system availability and reliability. Linux is widely deployed across European enterprises, government agencies, cloud providers, and telecommunications infrastructure. Successful exploitation could cause a denial-of-service (DoS) condition by crashing affected Linux hosts, disrupting critical services such as web servers, network infrastructure, and cloud workloads. Organizations relying on IPv6 networking and netlink socket communications are particularly at risk. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting system crashes could interrupt business operations, cause data loss through abrupt shutdowns, and increase operational costs for incident response and recovery. Systems running containerized workloads or virtualized environments on vulnerable Linux kernels could also become unstable, affecting cloud service availability. Given the increasing adoption of IPv6 in Europe, the scope of affected systems is significant. However, exploitation requires local or network-level access to send crafted netlink messages, which limits remote exploitation without prior access.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions as soon as updates become available from their Linux distribution vendors. Since the vulnerability is triggered by netlink socket operations related to IPv6 routing, organizations can implement the following specific mitigations:
1) Restrict access to netlink sockets by limiting permissions to trusted users and processes only, reducing the risk of unauthorized triggering of the vulnerability.
2) Employ network segmentation and firewall rules to limit exposure of systems to untrusted networks, especially restricting IPv6 routing-related traffic.
3) Monitor kernel logs and system behavior for signs of netlink socket errors or kernel panics indicative of attempted exploitation.
4) For high-security environments, consider disabling IPv6 routing features temporarily, if feasible, until patches are applied.
5) Use kernel hardening features such as the stack protector and address space layout randomization (ASLR) to reduce the impact of potential kernel crashes.
6) In containerized or virtualized environments, ensure host kernels are patched promptly and isolate workloads to minimize the blast radius.
7) Maintain robust backup and recovery procedures to mitigate the operational impact of unexpected system crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.112Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe37aa
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 5:09:58 PM
Last updated: 8/7/2025, 6:57:55 PM