
CVE-2024-39490: Vulnerability in the Linux kernel

Medium
Published: Wed Jul 10 2024 (07/10/2024, 07:14:09 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sr: fix missing sk_buff release in seg6_input_core

The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_head() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak.

This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks.

The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails.

AI-Powered Analysis

Last updated: 06/29/2025, 12:42:38 UTC

Technical Analysis

CVE-2024-39490 is a medium severity vulnerability in the Linux kernel's IPv6 Segment Routing (SRv6) implementation, specifically within the seg6_input_core() function. The vulnerability arises from a memory leak caused by improper handling of sk_buff (socket buffer) objects when skb_cow_head() fails. The seg6_input() function, which processes IPv6 packets with Segment Routing Headers (SRH), delegates to seg6_input_core() to ensure sufficient headroom in the sk_buff for link-layer headers. If skb_cow_head() fails to allocate or copy the buffer headroom, seg6_input_core() catches the error but neglects to release the sk_buff, resulting in a memory leak (classified as CWE-401: Improper Release of Memory Before Removing Last Reference).

This flaw was introduced in commit af3b5158b89d and persisted through subsequent refactoring, including commit 7a3f5b0de364 that added netfilter hooks to the SRv6 data plane. The patch requires seg6_input_core() to properly release the sk_buff upon failure of skb_cow_head(), preventing the leak.

The vulnerability does not require privileges or user interaction to exploit and has a CVSS 3.1 score of 6.2, indicating a medium severity. The impact is limited to confidentiality loss, as indicated by the CVSS vector (C:H/I:N/A:N), suggesting potential information disclosure through memory exhaustion or side effects of the leak, but no integrity or availability impact is noted. No known exploits are currently in the wild.
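The error path described above, as an added userspace C model (not kernel source and not the upstream patch). A small fixed pool stands in for sk_buff memory; the pool size, the `struct skb` fields and the names `skb_cow_head_model()`, `input_core_leaky()` and `input_core_fixed()` are constructed for illustration. It shows that each packet whose headroom growth fails pins one buffer in the leaky handler until allocation itself starts failing.

```c
/* Userspace model, not kernel source; pool, struct skb and all function names are constructed. */
#include <errno.h>
#include <stdio.h>

#define POOL 8                                /* tiny fixed buffer pool */
struct skb { int in_use; int headroom; };
static struct skb pool[POOL];
static int cow_fail = 1, live;                /* knob: headroom growth fails; live buffer count */

static struct skb *skb_alloc_model(void) {
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) { pool[i] = (struct skb){1, 16}; live++; return &pool[i]; }
    return NULL;                              /* pool exhausted */
}
static void kfree_skb_model(struct skb *skb) { skb->in_use = 0; live--; }

/* Stand-in for skb_cow_head(): grow headroom, or fail and leave the buffer untouched. */
static int skb_cow_head_model(struct skb *skb, int need) {
    if (skb->headroom < need && cow_fail) return -ENOMEM;
    if (skb->headroom < need) skb->headroom = need;
    return 0;
}

/* Before: the error is returned, but the buffer the handler owns is never released. */
static int input_core_leaky(struct skb *skb) {
    int err = skb_cow_head_model(skb, 64);
    if (!err) kfree_skb_model(skb);           /* success: stands in for passing skb onward */
    return err;
}

/* After: every exit path consumes the buffer. */
static int input_core_fixed(struct skb *skb) {
    int err = skb_cow_head_model(skb, 64);
    if (err) { kfree_skb_model(skb); return err; }
    kfree_skb_model(skb);                     /* success: stands in for passing skb onward */
    return 0;
}

/* Send n packets from an empty pool; return how many could not even be allocated. */
static int run_model(int (*handler)(struct skb *), int n) {
    int starved = 0;
    live = 0;
    for (int i = 0; i < POOL; i++) pool[i].in_use = 0;
    for (int i = 0; i < n; i++) {
        struct skb *skb = skb_alloc_model();
        if (skb) handler(skb); else starved++;
    }
    return starved;
}

int main(void) {
    int a = run_model(input_core_leaky, 20), la = live;
    int b = run_model(input_core_fixed, 20), lb = live;
    printf("leaky: live=%d starved=%d\nfixed: live=%d starved=%d\n", la, a, lb, b);
    return 0;
}
```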

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with affected versions that handle IPv6 traffic using Segment Routing. The memory leak could lead to gradual resource exhaustion on network devices or servers processing SRv6 packets, potentially causing degraded performance or denial of service if memory consumption grows unchecked. While the CVSS indicates no direct availability impact, in high-throughput or critical network environments, such leaks can indirectly affect service reliability. Confidentiality impact suggests that sensitive data might be exposed if memory is improperly managed, although the exact leakage vector is not detailed. Organizations relying on Linux-based routers, firewalls, or servers with IPv6 SRv6 enabled should be particularly vigilant. Given the increasing adoption of IPv6 and SRv6 in European telecom infrastructure and enterprises, the vulnerability could affect critical network infrastructure, impacting data privacy and network stability.

Mitigation Recommendations

1. Apply the official Linux kernel patch that fixes the seg6_input_core() memory leak as soon as it becomes available in your distribution's kernel updates.
2. Monitor kernel updates from your Linux vendor and prioritize updates for systems handling IPv6 SRv6 traffic.
3. If immediate patching is not possible, consider disabling IPv6 Segment Routing features temporarily on critical systems to mitigate exposure.
4. Implement resource monitoring on network devices and servers to detect abnormal memory usage patterns that could indicate exploitation attempts or leaks.
5. Employ network segmentation and strict firewall rules to limit exposure of vulnerable systems to untrusted IPv6 traffic, reducing the attack surface.
6. Conduct regular audits of network traffic and kernel logs for anomalies related to SRv6 processing failures.
7. Collaborate with Linux distribution maintainers to ensure timely backporting of the patch to long-term support kernels widely used in enterprise environments.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-06-25T14:23:23.747Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2d4e

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 12:42:38 PM

Last updated: 7/31/2025, 10:00:16 PM
