CVE-2024-40905: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix possible race in __fib6_drop_pcpu_from()

syzbot found a race in __fib6_drop_pcpu_from() [1]

If compiler reads more than once (*ppcpu_rt), second read could read NULL, if another cpu clears the value in rt6_get_pcpu_route().

Add a READ_ONCE() to prevent this race.

Also add rcu_read_lock()/rcu_read_unlock() because we rely on RCU protection while dereferencing pcpu_rt.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: netns cleanup_net
RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984
Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48
RSP: 0018:ffffc900040df070 EFLAGS: 00010206
RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16
RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8
R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]
 fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]
 fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038
 fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]
 fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043
 fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205
 fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127
 fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175
 fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255
 __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271
 rt6_sync_down_dev net/ipv6/route.c:4906 [inline]
 rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911
 addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855
 addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778
 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
 call_netdevice_notifiers net/core/dev.c:2044 [inline]
 dev_close_many+0x333/0x6a0 net/core/dev.c:1585
 unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193
 unregister_netdevice_many net/core/dev.c:11276 [inline]
 default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759
 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
AI Analysis
Technical Summary
CVE-2024-40905 is a race condition in the Linux kernel's IPv6 networking stack, specifically in __fib6_drop_pcpu_from() in net/ipv6/ip6_fib.c, which walks the per-CPU cached routes (pcpu_rt) of a nexthop while other CPUs may be modifying them. syzbot, an automated kernel fuzzer, found the race: the function read the per-CPU pointer *ppcpu_rt with a plain load, so the compiler was free to re-read it after the NULL check. If another CPU clears the slot in rt6_get_pcpu_route() between the two reads, the second read returns NULL and the following dereference oopses with a general protection fault, reported by KASAN as a null-ptr-deref at a small offset from NULL. The missing protections were a single-load guarantee (READ_ONCE()) and RCU read-side protection; without the latter the object behind the pointer could in principle also be freed underneath the reader. The crash in the report was triggered during network namespace cleanup (the netns cleanup_net workqueue) and device unregistration, paths that are exercised routinely in dynamic network environments. The fix loads the pointer once with READ_ONCE() and wraps the walk in rcu_read_lock()/rcu_read_unlock(), since the code relies on RCU to keep the dereferenced pcpu_rt alive. The report was produced against 6.10.0-rc1, and other kernel versions carrying the same code path are likely affected. No exploits are known in the wild and no CVSS score has been assigned. The practical impact is on kernel stability: the bug is a denial-of-service primitive, and privilege escalation would require combining it with other bugs.
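The pattern described above, reduced to a user-space model so the two variants can be compared side by side. This is an added example and not the kernel's code: struct rt6_pcpu, pcpu_slot, race_enabled, drop_pcpu_racy() and drop_pcpu_fixed() are hypothetical names, the READ_ONCE() macro is a copy of the classic Linux definition, and the second read that a compiler may emit is spelled out explicitly with a hook that clears the slot in between, so the interleaving is deterministic instead of depending on optimizer luck.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_CPUS 4

/* Kernel-style single-access macro (user-space copy of the classic Linux
 * definition): the volatile cast forces exactly one load from memory. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

/* Hypothetical stand-in for the kernel's cached per-CPU route. */
struct rt6_pcpu {
    int from_id;   /* models pcpu_rt->from: which fib6_info it was cloned from */
};

/* One slot per CPU, like rt6i_pcpu in the kernel. */
static struct rt6_pcpu *pcpu_slot[NR_CPUS];

/* Set by the caller to model another CPU clearing a slot (what
 * rt6_get_pcpu_route() can do) right between the NULL check and the use. */
int race_enabled;

static void simulate_concurrent_clear(struct rt6_pcpu **slot)
{
    if (race_enabled)
        *slot = NULL;
}

/* BEFORE: plain load of *ppcpu_rt. A compiler may legally re-read the
 * slot after the check, which is spelled out here as a second read. Where
 * the kernel would oops on the NULL dereference, this model returns -1. */
int drop_pcpu_racy(int match)
{
    int dropped = 0;

    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        struct rt6_pcpu **ppcpu_rt = &pcpu_slot[cpu];

        if (*ppcpu_rt == NULL)                /* first read */
            continue;
        simulate_concurrent_clear(ppcpu_rt);  /* other CPU clears the slot */
        if (*ppcpu_rt == NULL)                /* second read now yields NULL */
            return -1;                        /* kernel: null-ptr-deref oops */
        if ((*ppcpu_rt)->from_id == match) {
            (*ppcpu_rt)->from_id = 0;         /* drop the 'from' reference */
            dropped++;
        }
    }
    return dropped;
}

/* AFTER: READ_ONCE() pins a single load into a local, and only the local is
 * used afterwards. In the kernel, the surrounding rcu_read_lock() is what
 * keeps the object behind that local alive until the loop moves on. */
int drop_pcpu_fixed(int match)
{
    int dropped = 0;

    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        struct rt6_pcpu **ppcpu_rt = &pcpu_slot[cpu];
        struct rt6_pcpu *pcpu_rt = READ_ONCE(*ppcpu_rt);

        if (pcpu_rt == NULL)
            continue;
        simulate_concurrent_clear(ppcpu_rt);  /* cannot change pcpu_rt */
        if (pcpu_rt->from_id == match) {
            pcpu_rt->from_id = 0;
            dropped++;
        }
    }
    return dropped;
}

/* Constructed test data: three cached routes, two cloned from fib6_info 7. */
void setup_slots(void)
{
    static struct rt6_pcpu routes[3];

    routes[0].from_id = 7;
    routes[1].from_id = 7;
    routes[2].from_id = 3;
    pcpu_slot[0] = &routes[0];
    pcpu_slot[1] = NULL;
    pcpu_slot[2] = &routes[1];
    pcpu_slot[3] = &routes[2];
}

int main(void)
{
    setup_slots(); race_enabled = 1;
    printf("racy walker under race:  %d (-1 = would have oopsed)\n", drop_pcpu_racy(7));
    setup_slots(); race_enabled = 1;
    printf("fixed walker under race: %d routes dropped\n", drop_pcpu_fixed(7));
    return 0;
}
```

The point of the fixed variant is not that READ_ONCE() makes the walk atomic; it only guarantees that the NULL check and the dereference see the same value. Whether the object that value points to is still valid is a separate question, which is why the kernel fix also adds rcu_read_lock()/rcu_read_unlock().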
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with IPv6 enabled, which is common in enterprise and cloud environments. The race condition can cause kernel crashes leading to denial of service (DoS) conditions, affecting availability of critical infrastructure such as servers, network appliances, and cloud instances. Given the widespread adoption of Linux in data centers, cloud providers, and embedded systems across Europe, the impact could be significant if exploited or triggered unintentionally during network reconfiguration or device removal. While direct remote exploitation is unlikely without additional vulnerabilities, attackers with local access or the ability to trigger network namespace changes could cause system instability. This could disrupt services, impact business continuity, and increase operational costs due to downtime and recovery efforts. Furthermore, in environments with high network churn or containerized workloads, the likelihood of encountering this race condition increases. The vulnerability also raises concerns for security-sensitive applications relying on kernel stability and integrity, including telecommunications, financial services, and government infrastructure prevalent in Europe.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this race condition is patched, ideally applying the fix that introduces READ_ONCE() and RCU locking in the IPv6 routing code. Kernel upgrades should be tested in staging environments to ensure compatibility. For systems where immediate patching is not feasible, mitigating actions include minimizing network namespace changes and device unregister operations, especially under high concurrency. Monitoring kernel logs for OOPS or general protection faults related to IPv6 routing can help detect attempts to trigger this vulnerability. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can aid in early detection of related issues. Organizations should also restrict local access to trusted users and isolate critical systems to reduce the risk of exploitation. Network segmentation and limiting IPv6 usage where not required can reduce exposure. Collaboration with Linux distribution vendors for timely patches and backports is essential. Finally, integrating this vulnerability into vulnerability management and incident response workflows will ensure rapid detection and remediation.
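One way to act on the log-monitoring recommendation above: a small scanner that reads kernel-log lines and flags the crash signature this bug leaves behind (a general protection fault or KASAN null-ptr-deref with __fib6_drop_pcpu_from in the RIP or call trace). This is an added example, not tooling from the advisory; oops_feed_line(), oops_verdict() and scan_lines() are hypothetical names, and the sample lines are constructed to mirror the shape of the oops in the description.

```c
#include <string.h>
#include <stdio.h>

/* Evidence collected while feeding lines of one kernel log. */
struct oops_signal {
    int gpf;           /* "general protection fault" seen */
    int kasan_null;    /* "KASAN: null-ptr-deref" seen */
    int in_fib6_drop;  /* RIP or trace frame inside __fib6_drop_pcpu_from */
    int ipv6_fib;      /* any frame in net/ipv6/ip6_fib.c */
};

/* Feed one line; returns 1 if it contributed to the signature. */
int oops_feed_line(struct oops_signal *s, const char *line)
{
    int hit = 0;
    if (strstr(line, "general protection fault")) { s->gpf = 1; hit = 1; }
    if (strstr(line, "KASAN: null-ptr-deref"))    { s->kasan_null = 1; hit = 1; }
    if (strstr(line, "__fib6_drop_pcpu_from"))    { s->in_fib6_drop = 1; hit = 1; }
    if (strstr(line, "net/ipv6/ip6_fib.c"))       { s->ipv6_fib = 1; hit = 1; }
    return hit;
}

/* Verdict: 2 = fault with a frame in __fib6_drop_pcpu_from (CVE-2024-40905
 * pattern), 1 = fault somewhere in the IPv6 FIB code worth a closer look,
 * 0 = nothing relevant. */
int oops_verdict(const struct oops_signal *s)
{
    int fault = s->gpf || s->kasan_null;
    if (fault && s->in_fib6_drop) return 2;
    if (fault && s->ipv6_fib)     return 1;
    return 0;
}

int scan_lines(const char *const *lines, int n)
{
    struct oops_signal s = {0};
    for (int i = 0; i < n; i++)
        oops_feed_line(&s, lines[i]);
    return oops_verdict(&s);
}

/* Constructed samples: dmesg-style lines shaped like the advisory's trace,
 * an unrelated IPv6 fault, and ordinary interface chatter. */
static const char *const sample_crash[] = {
    "[  123.456789] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI",
    "[  123.456790] KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]",
    "[  123.456791] Workqueue: netns cleanup_net",
    "[  123.456792] RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984",
    "[  123.456793]  fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038",
};
static const char *const sample_other[] = {
    "[  200.000001] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN",
    "[  200.000002]  fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175",
};
static const char *const sample_quiet[] = {
    "[   10.000001] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready",
    "[   10.000002] eth0: renamed from veth1",
};
#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    printf("crash sample:  verdict %d\n", scan_lines(sample_crash, N(sample_crash)));
    printf("other sample:  verdict %d\n", scan_lines(sample_other, N(sample_other)));
    printf("quiet sample:  verdict %d\n", scan_lines(sample_quiet, N(sample_quiet)));
    return 0;
}
```

In practice the lines would come from `dmesg` or `journalctl -k`; a verdict of 2 on a host that has not yet received the patched kernel is a strong reason to pull the upgrade forward, while a verdict of 1 is a prompt to read the full trace rather than a match for this CVE.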
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.580Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9829c4522896dcbe2e01
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 1:09:41 PM
Last updated: 7/28/2025, 2:08:08 PM