CVE-2024-40957: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors

input_action_end_dx4() and input_action_end_dx6() call NF_HOOK() for the PREROUTING hook. In the PREROUTING hook we should pass a valid indev and a NULL outdev to NF_HOOK(), otherwise it may trigger a NULL pointer dereference, as below:

    [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090
    [74830.655633] #PF: supervisor read access in kernel mode
    [74830.657888] #PF: error_code(0x0000) - not-present page
    [74830.659500] PGD 0 P4D 0
    [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI
    ...
    [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]
    ...
    [74830.689725] Call Trace:
    [74830.690402]  <IRQ>
    [74830.690953]  ? show_trace_log_lvl+0x1c4/0x2df
    [74830.692020]  ? show_trace_log_lvl+0x1c4/0x2df
    [74830.693095]  ? ipt_do_table+0x286/0x710 [ip_tables]
    [74830.694275]  ? __die_body.cold+0x8/0xd
    [74830.695205]  ? page_fault_oops+0xac/0x140
    [74830.696244]  ? exc_page_fault+0x62/0x150
    [74830.697225]  ? asm_exc_page_fault+0x22/0x30
    [74830.698344]  ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]
    [74830.699540]  ipt_do_table+0x286/0x710 [ip_tables]
    [74830.700758]  ? ip6_route_input+0x19d/0x240
    [74830.701752]  nf_hook_slow+0x3f/0xb0
    [74830.702678]  input_action_end_dx4+0x19b/0x1e0
    [74830.703735]  ? input_action_end_t+0xe0/0xe0
    [74830.704734]  seg6_local_input_core+0x2d/0x60
    [74830.705782]  lwtunnel_input+0x5b/0xb0
    [74830.706690]  __netif_receive_skb_one_core+0x63/0xa0
    [74830.707825]  process_backlog+0x99/0x140
    [74830.709538]  __napi_poll+0x2c/0x160
    [74830.710673]  net_rx_action+0x296/0x350
    [74830.711860]  __do_softirq+0xcb/0x2ac
    [74830.713049]  do_softirq+0x63/0x90

input_action_end_dx4() passes a NULL indev to NF_HOOK(), and finally triggers a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():

    static bool rpfilter_is_loopback(const struct sk_buff *skb,
                                     const struct net_device *in)
    {
            // in is NULL
            return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK;
    }
AI Analysis
Technical Summary
CVE-2024-40957 is a NULL pointer dereference in the Linux kernel's SRv6 (Segment Routing over IPv6) local-behavior code (net/ipv6/seg6_local.c), in the End.DX4 and End.DX6 behaviors. These behaviors decapsulate an IPv6/SRv6 packet and hand the inner IPv4 (End.DX4) or IPv6 (End.DX6) packet to a configured next hop; before doing so, input_action_end_dx4() and input_action_end_dx6() run the packet through the netfilter PREROUTING hook with NF_HOOK(). NF_HOOK() fills in a struct nf_hook_state whose in/out device pointers netfilter matches and targets rely on, and the contract for PREROUTING (as for LOCAL_IN) is that the input device is set and the output device is NULL. The two functions had the arguments the wrong way round: they passed NULL as indev and the route's output device (skb_dst(skb)->dev) as outdev. Anything in the PREROUTING chain that dereferences the input device then faults. In the oops captured in the commit message it is the ipt_rpfilter match (iptables -m rpfilter), whose rpfilter_is_loopback() reads in->flags; the faulting address 0x90 is a field offset, consistent with reading a member of struct net_device through a NULL pointer rather than through a corrupted one. The call trace (net_rx_action -> lwtunnel_input -> seg6_local_input_core -> input_action_end_dx4 -> nf_hook_slow -> ipt_do_table -> rpfilter_mt) shows the fault happening in softirq context, where an oops is fatal and takes the whole host down rather than a single process. The fix passes skb->dev as indev and NULL as outdev, matching the other PREROUTING callers of NF_HOOK(). Three conditions must hold for the bug to be reachable: the host has a seg6local route with action End.DX4 or End.DX6, the net.netfilter.nf_hooks_lwtunnel sysctl is enabled (it defaults to off, and these behaviors skip the NF_HOOK() call while it is off), and the PREROUTING chain contains a rule that inspects the input device, such as rpfilter. Under those conditions a single well-formed packet whose IPv6 destination is the SID is enough; no malformation, authentication or local access is needed, only the ability to route a packet to the SID. The affected range in the kernel CVE record starts at commit 7a3f5b0de3647c854e34269c3332d7a1e902901a, which introduced the netfilter hooks into the SRv6 data plane (merged for Linux 5.17), and ends at the fix, which was also backported to the maintained stable series. No exploitation in the wild had been reported and no CVSS score had been assigned to this record at the time of writing. The impact is denial of service through a kernel crash; the bug yields no write primitive, so it is not a memory-corruption or privilege-escalation issue.
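The calling convention behind the bug, as an added user-space model written for this page (it is neither the kernel's code nor the upstream patch): struct sk_buff, struct net_device and struct nf_hook_state are cut down to the fields involved, nf_hook_state_valid() and nf_hook_rpfilter() are this example's own inventions, and the two packets are constructed. The real NF_HOOK() passes the device pointers through unchecked, which is why the kernel faulted where the model returns an error:

```c
/*
 * Added example, not kernel code: a user-space model of the NF_HOOK()
 * device contract that CVE-2024-40957 violated. Structures are reduced to
 * the fields the bug touches; nf_hook_state_valid() and nf_hook_rpfilter()
 * are inventions of this example (the real NF_HOOK() performs no check).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define IFF_LOOPBACK    0x8   /* net_device flag bit, as in <linux/if.h> */
#define PACKET_LOOPBACK 5     /* skb->pkt_type value, as in <linux/if_packet.h> */

enum nf_inet_hooks {
    NF_INET_PRE_ROUTING,
    NF_INET_LOCAL_IN,
    NF_INET_FORWARD,
    NF_INET_LOCAL_OUT,
    NF_INET_POST_ROUTING,
};

struct net_device { const char *name; unsigned int flags; };

struct sk_buff {
    struct net_device *dev;      /* interface the packet arrived on */
    struct net_device *dst_dev;  /* stands in for skb_dst(skb)->dev */
    unsigned char pkt_type;
};

struct nf_hook_state {
    enum nf_inet_hooks hook;
    const struct net_device *in;
    const struct net_device *out;
};

/* The crashing match, as quoted in the advisory: it trusts `in`. */
static bool rpfilter_is_loopback(const struct sk_buff *skb,
                                 const struct net_device *in)
{
    return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK;
}

/*
 * Device contract per hook point: input-side hooks carry only `in`,
 * output-side hooks only `out`, FORWARD both. True if honoured.
 */
bool nf_hook_state_valid(const struct nf_hook_state *st)
{
    switch (st->hook) {
    case NF_INET_PRE_ROUTING:
    case NF_INET_LOCAL_IN:
        return st->in != NULL && st->out == NULL;
    case NF_INET_FORWARD:
        return st->in != NULL && st->out != NULL;
    case NF_INET_LOCAL_OUT:
    case NF_INET_POST_ROUTING:
        return st->in == NULL && st->out != NULL;
    }
    return false;
}

/*
 * Checked stand-in for NF_HOOK() running an rpfilter rule.
 * Returns 1 if the match sees a loopback packet, 0 if not, and -1 when the
 * hook state breaks the contract (the point at which the real kernel oopsed).
 */
int nf_hook_rpfilter(const struct nf_hook_state *st, const struct sk_buff *skb)
{
    if (!nf_hook_state_valid(st))
        return -1;
    return rpfilter_is_loopback(skb, st->in) ? 1 : 0;
}

/* End.DX4 call site before the fix: indev NULL, outdev = skb_dst(skb)->dev. */
int end_dx4_before_fix(const struct sk_buff *skb)
{
    struct nf_hook_state st = {
        .hook = NF_INET_PRE_ROUTING, .in = NULL, .out = skb->dst_dev,
    };
    return nf_hook_rpfilter(&st, skb);
}

/* End.DX4 call site after the fix: indev = skb->dev, outdev NULL. */
int end_dx4_after_fix(const struct sk_buff *skb)
{
    struct nf_hook_state st = {
        .hook = NF_INET_PRE_ROUTING, .in = skb->dev, .out = NULL,
    };
    return nf_hook_rpfilter(&st, skb);
}

/* Constructed samples: a packet that arrived on eth0 and is cross-connected
 * towards lo, and one injected through the loopback interface. */
static struct net_device eth0 = { "eth0", 0 };
static struct net_device lo   = { "lo", IFF_LOOPBACK };
static struct sk_buff pkt_from_eth0 = { &eth0, &lo, 0 };
static struct sk_buff pkt_from_lo   = { &lo, &eth0, PACKET_LOOPBACK };

const struct sk_buff *sample_from_eth0(void) { return &pkt_from_eth0; }
const struct sk_buff *sample_from_lo(void)   { return &pkt_from_lo; }

int main(void)
{
    printf("before fix: %d  (-1: NULL indev rejected; the kernel faulted here)\n",
           end_dx4_before_fix(sample_from_eth0()));
    printf("after fix:  %d  (0: eth0 is not loopback)\n",
           end_dx4_after_fix(sample_from_eth0()));
    printf("after fix, packet from lo: %d  (1: loopback)\n",
           end_dx4_after_fix(sample_from_lo()));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the pre-fix call site is refused with -1 at exactly the point where the kernel dereferenced NULL, while the fixed call site produces an ordinary rpfilter decision. The same contract is worth checking in review at every NF_HOOK() call: for PRE_ROUTING and LOCAL_IN the in argument is skb->dev and out is NULL, for LOCAL_OUT and POST_ROUTING the reverse.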
Potential Impact
Exposure is limited to Linux hosts that terminate SRv6 segments themselves, that is, hosts carrying seg6local routes with the End.DX4 or End.DX6 behavior: software routers, SRv6-based overlay and VPN gateways, and telecom or data-center nodes built on the Linux networking stack. Servers that merely forward IPv6, or that never configure seg6local behaviors, are not affected, and even an SRv6 endpoint is only reachable if it has enabled the nf_hooks_lwtunnel sysctl and runs a PREROUTING rule such as rpfilter that inspects the input interface. On an exposed host the crash occurs in softirq context, so it is not confined to one service: the kernel goes down, and where kernel.panic is set the machine reboots, taking every workload, container and tunnel on it along. Because the trigger is a single routable packet addressed to a SID, an attacker who can reach the SRv6 locator prefix can resend it as soon as the host returns, turning a one-off crash into a sustained outage. For European operators this matters most in telecom cores and large data centers where SRv6 is deployed for traffic engineering and where availability is contractual. There is no confidentiality or integrity impact: the bug gives no code execution and no privilege escalation.
Mitigation Recommendations
To mitigate CVE-2024-40957, organizations should: 1) Apply the fixed kernel from their distribution; the upstream fix is the commit titled "seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors", and stable and distribution kernels with SRv6 support carry the backport. 2) Establish actual exposure before assuming the worst: `ip -6 route show | grep -E 'seg6local.*End\.DX[46]'` lists the vulnerable behaviors, `sysctl net.netfilter.nf_hooks_lwtunnel` shows whether the NF_HOOK() path is reachable at all (0 means the call is skipped), and `iptables-save` and `ip6tables-save` piped through `grep rpfilter` reveal the match that crashed in the reported oops. 3) If patching must wait, remove one leg of the precondition: set `net.netfilter.nf_hooks_lwtunnel=0` (this also removes netfilter visibility of SRv6-decapsulated traffic, so confirm that no policy depends on it), or remove `-m rpfilter` and other rules keyed on the input interface from the PREROUTING chains of the raw and mangle tables on SRv6 endpoints, or withdraw the End.DX4/End.DX6 routes in favour of a behavior that does not need them. 4) Enforce the SRv6 domain boundary: filter at the edge so that only trusted sources can reach the locator prefix holding the SIDs. Dropping only packets that carry a Segment Routing Header is not sufficient, because End.DX4 and End.DX6 also accept a plain IPv4-in-IPv6 or IPv6-in-IPv6 packet addressed directly to the SID. 5) Detect attempts: alert on kernel log lines containing "BUG: kernel NULL pointer dereference" whose RIP is in rpfilter_mt or whose call trace includes input_action_end_dx4 or input_action_end_dx6, enable kdump so a crash leaves a vmcore to analyse, and correlate unexplained reboots of SRv6 nodes with traffic towards their SIDs. 6) Stage the kernel update on a test node that carries the same seg6local and netfilter configuration as production: after the fix, netfilter sees the arrival interface as the input device for SRv6-decapsulated traffic, so PREROUTING rules using `-i` may start matching packets they previously ignored. 7) Keep an inventory of kernel versions and SRv6 configuration per host so that systems inside the affected range can be identified without a scan.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.593Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe14d0
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:41:38 AM
Last updated: 8/8/2025, 9:16:50 AM