CVE-2024-40960: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent possible NULL dereference in rt6_probe()
syzbot caught a NULL dereference in rt6_probe() [1]
Bail out if __in6_dev_get() returns NULL.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
RSP: 0018:ffffc900034af070 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
__find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
find_rr_leaf net/ipv6/route.c:853 [inline]
rt6_select net/ipv6/route.c:897 [inline]
fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
pol_lookup_func include/net/ip6_fib.h:616 [inline]
fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x6b6/0x1140 fs/read_write.c:590
ksys_write+0x1f8/0x260 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
AI Analysis
Technical Summary
CVE-2024-40960 is a vulnerability identified in the Linux kernel's IPv6 networking stack, specifically within the rt6_probe() function responsible for route probing in IPv6 routing. The flaw involves a potential NULL pointer dereference caused when the __in6_dev_get() function returns NULL, but the code does not properly handle this case, leading to a NULL dereference. This can result in a general protection fault and kernel crash (kernel panic), as evidenced by the kernel oops logs and stack trace provided. The vulnerability was detected by syzbot, an automated kernel fuzzing tool, indicating it can be triggered by crafted network packets or conditions that cause the kernel to process non-canonical IPv6 addresses or malformed routing information. The issue lies in the failure to bail out early when __in6_dev_get() returns NULL, causing subsequent code to dereference a NULL pointer during route lookup and selection operations. This vulnerability affects Linux kernel versions prior to the patch and impacts the IPv6 routing subsystem, which is critical for network communication on systems using IPv6. The kernel crash can lead to denial of service (DoS) conditions by crashing the affected system or virtual machine. There is no indication that this vulnerability allows privilege escalation or remote code execution, but the denial of service impact can be significant in networked environments. No known exploits are reported in the wild as of the publication date. The vulnerability is relevant to any Linux system running IPv6 networking, including servers, cloud instances, and embedded devices using vulnerable kernel versions. The patch involves adding proper NULL checks to prevent dereferencing NULL pointers in rt6_probe().
Potential Impact
For European organizations, the impact of CVE-2024-40960 primarily manifests as a potential denial of service on Linux-based systems that utilize IPv6 networking. Given the widespread adoption of Linux servers and cloud infrastructure across Europe, including critical sectors such as finance, healthcare, telecommunications, and government, an attacker capable of triggering this vulnerability could cause kernel crashes leading to service interruptions. This may disrupt business operations, degrade service availability, and impact user experience. Systems exposed to untrusted IPv6 traffic, such as public-facing servers, edge devices, or cloud virtual machines, are particularly at risk. Although the vulnerability does not appear to allow remote code execution or privilege escalation, the ability to cause kernel panics remotely can be leveraged in targeted attacks to disrupt critical infrastructure or cloud services. The impact is heightened in environments with high IPv6 usage or where IPv6 is enabled by default. Additionally, denial of service in network infrastructure devices running Linux could affect network reliability and security monitoring capabilities. Organizations relying on Linux kernel versions prior to the fix should prioritize patching to maintain operational stability and avoid potential exploitation scenarios.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that address CVE-2024-40960 is the most effective mitigation. Organizations should track kernel updates from their Linux distribution vendors and apply security updates promptly.
2. For environments where immediate patching is not feasible, consider temporarily disabling IPv6 networking if it is not required, to eliminate the attack surface related to this vulnerability.
3. Implement network-level filtering to restrict or monitor IPv6 traffic, especially from untrusted sources, using firewalls or intrusion detection/prevention systems capable of IPv6 inspection.
4. Employ kernel hardening and runtime protection mechanisms such as Kernel Address Sanitizer (KASAN) and kernel lockdown features where supported, to detect and mitigate kernel faults.
5. Use virtualization and containerization isolation to limit the impact of potential kernel crashes on critical workloads.
6. Monitor system logs and kernel crash reports for signs of exploitation attempts or unusual IPv6 traffic patterns.
7. Engage with Linux distribution security advisories and community channels to stay informed about patches and mitigation best practices.
8. For cloud environments, coordinate with cloud service providers to ensure underlying host kernels are patched and that virtual machines use updated kernels.
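Crash-report triage for the oops quoted in the description and for the log monitoring recommended in item 6, as an added example that is not part of the advisory or the kernel sources: it inverts the x86-64 KASAN shadow mapping to recover the faulting byte range from the reported non-canonical (shadow-memory) address, and flags reports whose RIP is in rt6_probe(). The names `shadow_to_range` and `triage` are illustrative; the shadow offset is the x86-64 value, which matches RAX in the dump.

```python
import re

# x86-64 KASAN mapping: shadow = (addr >> 3) + offset (assumed arch: x86-64).
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
SHADOW_SCALE_SHIFT = 3
PAGE_SIZE = 4096

# Sample input: lines taken from the oops in the CVE description above.
OOPS = """\
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
"""

GPF_RE = re.compile(r"non-canonical address (0x[0-9a-f]+)")
RIP_RE = re.compile(r"\bRIP: \w+:(\w+)")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})")

def shadow_to_range(shadow_addr):
    """Invert the shadow mapping; one shadow byte covers 8 bytes of memory."""
    lo = (shadow_addr - KASAN_SHADOW_OFFSET) << SHADOW_SCALE_SHIFT
    return lo, lo + (1 << SHADOW_SCALE_SHIFT) - 1

def triage(oops_text, function="rt6_probe"):
    """Describe a KASAN general protection fault, or return None."""
    m = GPF_RE.search(oops_text)
    if not m:
        return None
    shadow = int(m.group(1), 16)
    if shadow < KASAN_SHADOW_OFFSET:
        return None  # not a shadow-memory address, some other kind of GPF
    lo, hi = shadow_to_range(shadow)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(oops_text)}
    null_deref = hi < PAGE_SIZE  # small offset from a NULL base pointer
    return {
        "range": (lo, hi),
        "null_deref": null_deref,
        # registers holding the address whose shadow byte was being checked
        "accessed_via": sorted(n for n, v in regs.items() if lo <= v <= hi),
        "signature_match": null_deref and function in RIP_RE.findall(oops_text),
    }
```

On the quoted oops the recovered range equals the one KASAN printed, and RDI (0x65c) falls inside it: the crash is a field read at a small offset from a NULL pointer, not a fault on a wild address.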
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.594Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe14dc
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:42:10 AM
Last updated: 8/12/2025, 5:38:03 AM