CVE-2024-40959: Vulnerability in the Linux kernel (xfrm6 / IPv6 IPsec)
In the Linux kernel, the following vulnerability has been resolved:

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.

syzbot reported:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
RSP: 0018:ffffc90000117378 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
 xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
 xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
 xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
 xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
 xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
 ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
 send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
 wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
 wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
 wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
 wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
AI Analysis
Technical Summary
CVE-2024-40959 is a NULL pointer dereference in the Linux kernel's IPv6 IPsec transform code (xfrm6, net/ipv6/xfrm6_policy.c). xfrm6_get_saddr() looks up a route to the destination and then reads ip6_dst_idev(dst)->dev to pick a source address, but ip6_dst_idev() can return NULL, because a route is not guaranteed to carry an inet6_dev, and the pre-fix code dereferenced the result unconditionally. The syzbot report shows exactly that: KASAN flags a null-ptr-deref in the range 0x0-0x7, and the "non-canonical address 0xdffffc0000000000" in the oops header is the KASAN shadow address for NULL, not an attacker-controlled pointer; RIP sits inside xfrm6_get_saddr() at net/ipv6/xfrm6_policy.c:64. The call trace tells how the path is reached: the faulting context is a WireGuard kernel worker (wg_packet_handshake_send_worker) sending a handshake initiation; the route lookup for its UDP socket (ip6_dst_lookup_flow -> xfrm_lookup_route) matched an IPsec policy, so the kernel resolved the policy's templates (xfrm_tmpl_resolve -> xfrm_get_saddr) and landed in the unchecked dereference. The trigger is therefore the host's own outbound traffic under an xfrm policy, not an inbound packet, and this page offers no evidence that an unauthenticated remote sender can reach the path. WireGuard is only the sender whose traffic hit the policy; the defect is in xfrm6. The report is against 6.10.0-rc2, and the same code pattern exists in earlier kernels, so consult your distribution's advisory for the backported package version rather than the mainline cut. The effect is a kernel oops in a kernel thread, that is, denial of service; nothing in the report suggests privilege escalation or code execution. No CVSS score is recorded and no in-the-wild exploitation is reported. The fix checks the return value of ip6_dst_idev(), releases the route reference taken by the lookup and returns an error instead of dereferencing NULL.
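To make the shape of the bug and the fix concrete, here is an added user-space model; it is not kernel source. The struct and function names mirror the kernel's so the pattern is recognisable, but the structs keep only the fields the bug touches, and ip6_dst_idev(), dst_release() and ipv6_dev_get_saddr() are stand-ins (assumptions). The inputs are constructed: one route with an inet6_dev and one without, the latter being the syzbot case.

```c
/*
 * Added example, not kernel source: a user-space model of CVE-2024-40959.
 * Names mirror the kernel's; layouts and helpers are simplified stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct in6_addr {
	uint8_t s6_addr[16];
};

struct net_device {
	char name[16];
	struct in6_addr addr;	/* the address this interface offers as saddr */
};

/* dev is also the first member of the real struct inet6_dev, which is why a
 * NULL idev faults on address 0 (KASAN's range 0x0-0x7 in the report). */
struct inet6_dev {
	struct net_device *dev;
};

/* A route returned by the lookup with one reference held for the caller. */
struct dst_entry {
	struct inet6_dev *idev;	/* may legitimately be NULL */
	int refcnt;
};

static struct inet6_dev *ip6_dst_idev(struct dst_entry *dst) { return dst->idev; }
static void dst_release(struct dst_entry *dst) { dst->refcnt--; }

static void ipv6_dev_get_saddr(struct net_device *dev, const struct in6_addr *daddr,
			       struct in6_addr *saddr)
{
	(void)daddr;		/* real source selection (RFC 6724) is not modelled */
	*saddr = dev->addr;
}

/* Pre-fix shape: the pointer returned by ip6_dst_idev() is used blindly. */
static int xfrm6_get_saddr_vulnerable(struct dst_entry *dst, const struct in6_addr *daddr,
				      struct in6_addr *saddr)
{
	struct net_device *dev = ip6_dst_idev(dst)->dev;	/* NULL->dev oopses */

	ipv6_dev_get_saddr(dev, daddr, saddr);
	dst_release(dst);
	return 0;
}

/* Fixed shape: check the pointer, drop the reference the lookup took, and
 * report the destination unreachable so template resolution fails cleanly. */
static int xfrm6_get_saddr_fixed(struct dst_entry *dst, const struct in6_addr *daddr,
				 struct in6_addr *saddr)
{
	struct inet6_dev *idev = ip6_dst_idev(dst);
	struct net_device *dev;

	if (!idev) {
		dst_release(dst);	/* returning without this would leak the route */
		return -EHOSTUNREACH;
	}
	dev = idev->dev;
	ipv6_dev_get_saddr(dev, daddr, saddr);
	dst_release(dst);
	return 0;
}

/* Constructed destination in the 2001:db8::/32 documentation prefix. */
static const struct in6_addr DADDR = {
	{ 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 }
};

/* Normal route: both versions must agree. Returns the resolver's result and
 * reports the refcount left on the route and the chosen source address. */
static int resolve_with_idev(int *refcnt_out, struct in6_addr *saddr_out)
{
	struct net_device eth0 = { .name = "eth0",
		.addr = { { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2 } } };
	struct inet6_dev idev = { .dev = &eth0 };
	struct dst_entry dst_old = { .idev = &idev, .refcnt = 1 };
	struct dst_entry dst_new = { .idev = &idev, .refcnt = 1 };
	struct in6_addr sa_old, sa_new;
	int rc_old = xfrm6_get_saddr_vulnerable(&dst_old, &DADDR, &sa_old);
	int rc_new = xfrm6_get_saddr_fixed(&dst_new, &DADDR, &sa_new);

	*refcnt_out = dst_new.refcnt;
	*saddr_out = sa_new;
	if (rc_old != rc_new || memcmp(&sa_old, &sa_new, sizeof(sa_new)) != 0)
		return -1;	/* the fix must not change the normal path */
	return rc_new;
}

/* The syzbot case: a route with no inet6_dev. Only the fixed resolver is
 * called; the vulnerable one would dereference NULL here. */
static int resolve_without_idev(int *refcnt_out)
{
	struct dst_entry dst = { .idev = NULL, .refcnt = 1 };
	struct in6_addr saddr = { { 0 } };
	int rc = xfrm6_get_saddr_fixed(&dst, &DADDR, &saddr);

	*refcnt_out = dst.refcnt;
	return rc;
}

int main(void)
{
	int refcnt;
	struct in6_addr saddr;
	int rc = resolve_with_idev(&refcnt, &saddr);

	printf("route with idev:    rc=%d refcnt=%d saddr starts %02x%02x:%02x%02x\n",
	       rc, refcnt, saddr.s6_addr[0], saddr.s6_addr[1], saddr.s6_addr[2], saddr.s6_addr[3]);
	rc = resolve_without_idev(&refcnt);
	printf("route without idev: rc=%d (%s) refcnt=%d\n", rc, strerror(-rc), refcnt);
	return 0;
}
```

The refcount check is the part worth copying into a review checklist: the lookup hands back a referenced dst, so an early return on the NULL idev must still call dst_release(), otherwise the fix trades a crash for a route leak.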
Potential Impact
For European organizations, the primary impact of CVE-2024-40959 is denial of service on Linux hosts that combine IPv6 with IPsec (xfrm) policies, which includes hosts terminating WireGuard tunnels whenever their outbound UDP traffic falls under such a policy. Enterprises, government agencies and critical-infrastructure operators across Europe run Linux on VPN gateways, routers and servers; an oops in the xfrm path kills the kernel thread that hit it, and where kernel.panic_on_oops=1 is set the whole host reboots. VPN connectivity, remote access and other IPv6-dependent services are interrupted accordingly. The preconditions shown in the report are local rather than remote: an xfrm policy covering the host's own outbound IPv6 traffic and a route without an attached inet6_dev. Nothing on this page demonstrates that an unauthenticated sender on the network can cause the fault, so the realistic exposure is a local user or workload able to configure xfrm policies, for example through CAP_NET_ADMIN in a self-created network namespace on hosts that allow unprivileged user namespaces, or an administrator's own IPsec or WireGuard configuration that happens to reach the path. The bug does not enable code execution or data exposure; treat it as an availability issue whose severity scales with the criticality of the affected gateway. Given the growing use of IPv6 and WireGuard in finance, telecommunications and public administration, patching is worthwhile even though no score has been assigned.
Mitigation Recommendations
European organizations should prioritize updating to a kernel that contains the fix for CVE-2024-40959; the upstream commit is titled "xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()" and has been backported to stable branches, so check the distribution's advisory for the package version rather than the 6.10 release cut. Until then, reduce who can create the preconditions: on multi-tenant hosts, restrict unprivileged user namespaces (user.max_user_namespaces=0 upstream, kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels) so that ordinary users cannot obtain CAP_NET_ADMIN in a private network namespace and install xfrm policies there. Audit existing IPsec policies with ip -6 xfrm policy show and confirm that none cover the UDP endpoint traffic of WireGuard interfaces unless that is intended. Filtering inbound IPv6 at the network edge does not address this bug, since the faulting path is the host's own outbound route lookup. For detection, watch the kernel log for an oops whose RIP is in xfrm6_get_saddr(); on a production kernel without KASAN the header reads "BUG: kernel NULL pointer dereference, address: 0000000000000000" rather than the KASAN wording in the report, because the dereferenced field (dev) sits at offset 0 of struct inet6_dev. Decide deliberately on kernel.panic_on_oops: 1 turns the oops into a reboot and, with kdump configured, a crash dump for forensics, while 0 leaves a host running with a dead kernel worker, which for a VPN gateway can be worse than a reboot. Finally, keep an incident response runbook that covers a rebooting VPN gateway, including how clients fail over.
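The detection and exposure checks above, as an added POSIX sh triage helper (not part of the advisory or the kernel tree). scan_oops_log() counts oops blocks whose faulting instruction is inside xfrm6_get_saddr(), accepting both the KASAN header from the report and the plain NULL-dereference header a production kernel prints; check_exposure() reports whether IPv6 xfrm policies and WireGuard interfaces exist on the host. SAMPLE_LOG is constructed from the syzbot report plus a made-up production-style oops and an unrelated one; the offsets in the constructed lines are invented.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-40959; not from the advisory or the kernel.

# Constructed sample log: block 1 is the KASAN report, block 2 a production
# style NULL dereference in the same function (offsets invented), block 3 an
# unrelated oops that must not be counted.
SAMPLE_LOG='[  120.001] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
[  120.002] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[  120.003] Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
[  120.004] RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
[  300.001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  300.002] RIP: 0010:xfrm6_get_saddr+0x4f/0xe0
[  400.001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  400.002] RIP: 0010:tcp_sendmsg+0x10/0x20'

# Read kernel log text on stdin and print how many oops blocks fault inside
# xfrm6_get_saddr(). A block opens at either oops header and closes at the
# first RIP line, so the function name is only matched within that block.
scan_oops_log() {
	awk '
		/Oops: general protection fault/ || /BUG: kernel NULL pointer dereference/ {
			in_oops = 1; next
		}
		in_oops && /RIP: 0010:xfrm6_get_saddr[+]/ { hits++; in_oops = 0 }
		/RIP: 0010:/ { in_oops = 0 }
		END { print hits + 0 }
	'
}

# Report the preconditions on this host. Needs iproute2; returns 2 without it.
check_exposure() {
	command -v ip >/dev/null 2>&1 || { echo "ip(8) not available"; return 2; }
	policies=$(ip -6 xfrm policy show 2>/dev/null | grep -c '^src ' || true)
	wg_ifaces=$(ip -o link show type wireguard 2>/dev/null | grep -c . || true)
	echo "kernel=$(uname -r) ipv6_xfrm_policies=$policies wireguard_interfaces=$wg_ifaces"
}

# Demo on the constructed sample; on a real host pipe in `dmesg` or
# `journalctl -k` instead, and run check_exposure as root.
printf '%s\n' "$SAMPLE_LOG" | scan_oops_log
```

A non-zero count from scan_oops_log on an unpatched kernel is the signal to escalate; on a patched kernel the same signature would point at a different bug in the same function and still deserves a look.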
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.593Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe14d8
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:42:00 AM
Last updated: 7/31/2025, 8:11:18 PM