
CVE-2024-36901: Vulnerability in Linux

Severity: High
Published: Thu May 30 2024 (05/30/2024, 15:29:03 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent NULL dereference in ip6_output()

According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in the IPv6 stack deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000
RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48
RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad
R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0
R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000
FS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248
 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653
 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783
 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
 sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212
 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
 sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169
 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73
 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234
 sctp_connect net/sctp/socket.c:4819 [inline]
 sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834
 __sys_connect_file net/socket.c:2048 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2072
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

AI-Powered Analysis

Last updated: 06/29/2025, 09:57:04 UTC

Technical Analysis

CVE-2024-36901 is a vulnerability in the Linux kernel's IPv6 networking stack, specifically in the ip6_output() function (net/ipv6/ip6_output.c). ip6_output() obtains the interface device for the route with ip6_dst_idev(), which can return NULL, and dereferences the result without checking it. Most of the rest of the IPv6 stack tolerates a NULL idev, but ip6_output() lacked the check, so a NULL idev leads to a NULL pointer dereference during packet transmission. syzbot, the automated kernel fuzzer, triggered this as a general protection fault with a KASAN null-ptr-deref report; the "non-canonical address" in that report is the faulting kernel address, not an IPv6 address. In the published trace the crash is reached from a local SCTP connect() system call (sctp_inet_connect -> sctp_v6_xmit -> ip6_xmit -> ip6_output) on kernel 6.9.0-rc5, and the result is a kernel crash that takes down the system's networking. The vulnerability affects multiple Linux kernel versions, including recent development releases, and is relevant to any Linux system with IPv6 networking in use. No exploits in the wild have been reported. The vulnerability could potentially also be reached remotely by specially crafted IPv6 packets, although the trace on this page shows a local trigger; in either case the outcome is denial of service (DoS) through a kernel crash, with system reboots or network outages. The vulnerability was discovered and reported by syzbot and has been publicly disclosed with no CVSS score assigned yet. The fault occurs in the ip6_output.c source file, and the stack trace shows the crash during IPv6 packet transmission, including SCTP protocol interactions. This is a robustness issue in the Linux IPv6 stack that could be used to disrupt network services.

Potential Impact

For European organizations, the impact of CVE-2024-36901 could be significant, especially for those relying heavily on Linux-based infrastructure and IPv6 networking. The primary impact is a denial of service condition caused by kernel crashes, which can disrupt critical network services, server availability, and cloud infrastructure stability. Organizations running Linux servers, network appliances, or cloud instances with IPv6 enabled are at risk of unexpected system reboots or outages if targeted by crafted IPv6 packets exploiting this flaw. This could affect data centers, ISPs, telecom providers, and enterprises with IPv6 deployments. The disruption could lead to operational downtime, loss of productivity, and potential cascading effects on dependent services. Although no direct data breach or privilege escalation is indicated, the loss of availability can have severe consequences for business continuity and service level agreements. Additionally, the vulnerability could be leveraged as part of a larger attack chain to cause network instability or to mask other malicious activities. European organizations with critical infrastructure, such as financial institutions, healthcare providers, and government agencies, could face heightened risks due to their reliance on stable network operations and compliance requirements. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

Mitigation Recommendations

To mitigate CVE-2024-36901, European organizations should prioritize the following specific actions:

1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available from trusted sources or Linux distributions. Monitor vendor advisories for updates.
2) If immediate patching is not feasible, consider disabling or restricting IPv6 traffic at network boundaries to reduce exposure, especially from untrusted sources.
3) Employ network-level filtering to block malformed or suspicious IPv6 packets that could trigger the vulnerability, using advanced firewall rules or intrusion prevention systems capable of deep packet inspection.
4) Implement robust monitoring and alerting for kernel crashes, system reboots, and unusual network traffic patterns indicative of exploitation attempts.
5) For cloud environments, leverage provider security features to isolate vulnerable instances and apply virtual patching or traffic filtering.
6) Conduct thorough testing of kernel updates in staging environments to ensure stability before production deployment.
7) Educate network and system administrators about the vulnerability to increase awareness and readiness to respond to potential incidents.

These measures focus on IPv6-specific controls, proactive patch management, and network traffic scrutiny tailored to the nature of this vulnerability.
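As an added example for the crash monitoring in item 4 (not from the original page or the kernel project): a small Python parser that scans syslog-style kernel messages for the oops signature in this CVE's syzbot report, namely a general protection fault with a KASAN null-ptr-deref and ip6_output at RIP reached through ip6_xmit, and reports which syscall frame entered the kernel. The sample lines are constructed from the trace in the Description above; the timestamp and hostname prefix are assumptions.

```python
import re
# Constructed sample in syslog form, modelled on the syzbot trace in this CVE's description.
SAMPLE_LOG = """\
May 30 15:29:03 host kernel: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
May 30 15:29:03 host kernel: KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
May 30 15:29:03 host kernel: RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
May 30 15:29:03 host kernel: Call Trace:
May 30 15:29:03 host kernel:  NF_HOOK include/linux/netfilter.h:314 [inline]
May 30 15:29:03 host kernel:  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
May 30 15:29:03 host kernel:  sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248
May 30 15:29:03 host kernel:  __sys_connect+0x2df/0x310 net/socket.c:2065
May 30 15:29:03 host kernel:  </TASK>
"""

KMSG = re.compile(r"kernel:\s*(.*)$")          # strip the syslog prefix
KASAN = re.compile(r"KASAN: (?P<kind>[\w-]+)")
RIP = re.compile(r"RIP: \d{4}:(?P<sym>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: (?P<src>\S+))?")
FRAME = re.compile(r"^(?P<sym>[A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+\S+")

def parse_oops(text):
    """Summarise the first kernel oops in syslog text; None if there is none."""
    info = {"gpf": False, "kasan": None, "rip": None, "src": None, "frames": []}
    in_trace = False
    for line in text.splitlines():
        m = KMSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("general protection fault"):
            info["gpf"] = True
        elif (k := KASAN.match(msg)):
            info["kasan"] = k.group("kind")
        elif (r := RIP.match(msg)):
            info["rip"], info["src"] = r.group("sym"), r.group("src")
        elif msg.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and msg.startswith("</TASK>"):
            in_trace = False            # end of the faulting task's frames
        elif in_trace and (f := FRAME.match(msg)):
            info["frames"].append(f.group("sym"))   # inline frames included
    return info if info["gpf"] or info["rip"] else None

def matches_cve_2024_36901(info):
    """Signature from this report: NULL deref with ip6_output at RIP via ip6_xmit."""
    return bool(info and info["gpf"] and info["kasan"] == "null-ptr-deref"
                and info["rip"] == "ip6_output" and "ip6_xmit" in info["frames"])

def entry_syscall(info):
    """Syscall frame that entered the kernel, if any (here a local connect())."""
    return next((f for f in info["frames"] if f.startswith(("__sys_", "__x64_sys_"))), None)
```

Feed it `journalctl -k` or /var/log/kern.log text; a match with a syscall entry frame points to a local trigger, while a match without one (softirq or driver frames only) is what remote exploitation of this path would look like.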


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-30T15:25:07.066Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe260c

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 9:57:04 AM

Last updated: 7/29/2025, 3:45:53 AM

