CVE-2024-47685: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1)

Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put()

BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
 nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
 __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
 process_backlog+0x4ad/0xa50 net/core/dev.c:6108
 __napi_poll+0xe7/0x980 net/core/dev.c:6772
 napi_poll net/core/dev.c:6841 [inline]
 net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
 __do_softirq+0x14/0x1a kernel/softirq.c:588
 do_softirq+0x9a/0x100 kernel/softirq.c:455
 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
 __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
 dev_queue_xmit include/linux/netdevice.h:3105 [inline]
 neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
 ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
 inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
 __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
 tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
 tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
 __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
 inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
 __sys_connect_file net/socket.c:2061 [inline]
 __sys_connect+0x606/0x690 net/socket.c:2078
 __do_sys_connect net/socket.c:2088 [inline]
 __se_sys_connect net/socket.c:2085 [inline]
 __x64_sys_connect+0x91/0xe0 net/socket.c:2085
 x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core ---truncated---
AI Analysis
Technical Summary
CVE-2024-47685 is a vulnerability in the Linux kernel's netfilter subsystem, specifically in the IPv6 packet rejection code (nf_reject_ipv6). When a reject rule answers a TCP segment with a TCP reset, nf_reject_ip6_tcphdr_put() builds the reset header without fully initializing it, so the four reserved TCP bits (th->res1) could carry uninitialized, garbage data, which could lead to undefined behavior or memory corruption. The Kernel Memory Sanitizer (KMSAN) detected this as an uninitialized-value use: the trace above shows the value being stored at net/ipv6/netfilter/nf_reject_ipv6.c:249 and read at line 255 while nf_send_reset6() builds the reset for an nftables reject expression. The root cause is that the TCP header was not zeroed before its fields were populated, unlike the IPv4 counterpart nf_reject_ip_tcphdr_put(), which uses skb_put_zero() to clear the whole header buffer first. The vulnerability could cause kernel memory corruption or instability when processing IPv6 packets that hit a netfilter reject rule. The affected code sits in the nftables reject path for IPv6 TCP packets, a core component of firewalling and packet filtering on Linux. No exploits are known in the wild, but the analysis considers that an attacker able to send crafted IPv6 packets could cause denial of service or potentially escalate privileges via kernel memory corruption. The fix zeroes the TCP header buffer before use, so no uninitialized data is sent or processed. The vulnerability affects Linux kernel versions released before the fix and impacts systems that run netfilter with IPv6 enabled and nftables reject rules configured.
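The bug class here is partial initialization of a header placed in reused buffer memory: every named field is written, but bits no assignment touches keep whatever the allocator left behind. The following is an added illustration, not kernel code and not the project's own test: it models skb_put() and skb_put_zero() with a hypothetical buffer type, uses a simplified TCP header struct (byte order ignored, the reserved nibble modelled as the low four bits of the doff byte), and constructs "stale" memory deterministically by pre-filling the buffer with 0xA5. The masked update of doff_res mirrors how writing a C bitfield such as th->doff leaves its neighbouring bits unchanged.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TCP header model (hypothetical, not the kernel's struct tcphdr).
 * Byte order is ignored; only the doff/reserved byte matters here: high
 * nibble = data offset, low nibble = the four reserved bits (th->res1). */
struct tcphdr_model {
    uint16_t source;
    uint16_t dest;
    uint32_t seq;
    uint32_t ack_seq;
    uint8_t  doff_res;   /* data offset (high nibble) | reserved bits (low nibble) */
    uint8_t  flags;      /* FIN/SYN/RST/PSH/ACK/URG/ECE/CWR */
    uint16_t window;
    uint16_t check;
    uint16_t urg_ptr;
};

#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

/* Hypothetical packet buffer standing in for an skb's tail room. The
 * "stale" content is constructed: real memory would hold whatever the
 * previous user left there, which is exactly what KMSAN flags. */
#define BUF_SIZE   128
#define STALE_BYTE 0xA5

struct buf {
    uint8_t data[BUF_SIZE];
    size_t  len;
};

/* Stand-in for skb_put(): reserve n bytes at the tail, contents untouched. */
static void *buf_put(struct buf *b, size_t n)
{
    void *p = b->data + b->len;
    b->len += n;
    return p;
}

/* Stand-in for skb_put_zero(): same, but the reserved bytes are cleared. */
static void *buf_put_zero(struct buf *b, size_t n)
{
    void *p = buf_put(b, n);
    memset(p, 0, n);
    return p;
}

/* Fill in a RST/ACK the way a reject path does: every named field is set,
 * but nothing ever writes the reserved nibble. The masked update of
 * doff_res reproduces a bitfield store, which leaves adjacent bits alone. */
static struct tcphdr_model *build_rst(struct buf *b, int zero_first)
{
    struct tcphdr_model *th = zero_first ? buf_put_zero(b, sizeof *th)
                                         : buf_put(b, sizeof *th);
    th->source   = 443;
    th->dest     = 51234;
    th->seq      = 0;
    th->ack_seq  = 1;
    th->doff_res = (uint8_t)((th->doff_res & 0x0F) | ((sizeof *th / 4) << 4));
    th->flags    = TCP_FLAG_RST | TCP_FLAG_ACK;
    th->window   = 0;
    th->check    = 0;
    th->urg_ptr  = 0;
    return th;
}

/* The four reserved bits as they would go on the wire. */
static unsigned reserved_bits(const struct tcphdr_model *th)
{
    return th->doff_res & 0x0F;
}

/* Build a RST into stale memory and report the reserved nibble.
 * zero_first = 0 models the pre-fix path, zero_first = 1 the fixed one. */
unsigned reserved_bits_after_build(int zero_first)
{
    struct buf b;
    memset(b.data, STALE_BYTE, sizeof b.data);   /* constructed stale memory */
    b.len = 0;
    return reserved_bits(build_rst(&b, zero_first));
}

int main(void)
{
    printf("reserved bits without zeroing: 0x%x\n", reserved_bits_after_build(0));
    printf("reserved bits with zeroing:    0x%x\n", reserved_bits_after_build(1));
    return 0;
}
```

With the stale pattern 0xA5 the unzeroed build leaves 0x5 in the reserved nibble, while zeroing the whole header first yields 0. The same check applied to a real packet capture (a RST whose reserved bits are non-zero) is a cheap way to confirm a reject path is emitting uninitialized bytes.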
Potential Impact
For European organizations, the impact of CVE-2024-47685 can be significant, especially for those relying heavily on Linux-based infrastructure for networking, servers, and security appliances. Many European enterprises, government agencies, and critical infrastructure providers deploy Linux systems with IPv6 and netfilter-based firewalls or nftables for packet filtering and network security. Exploitation of this vulnerability could lead to kernel crashes or denial of service, disrupting network services and potentially causing outages in critical systems. In worst-case scenarios, if an attacker can leverage the uninitialized memory usage to escalate privileges or execute arbitrary code in kernel space, it could lead to full system compromise. This risk is heightened in environments with exposed IPv6 connectivity or insufficient network segmentation. Given the increasing adoption of IPv6 in Europe and the widespread use of Linux in enterprise and cloud environments, the vulnerability poses a tangible threat to confidentiality, integrity, and availability of networked systems. Disruption of firewall functionality or kernel instability could also impact compliance with regulatory requirements such as GDPR, which mandates robust security controls. Additionally, sectors like finance, healthcare, and telecommunications in Europe could face operational and reputational damage if affected by attacks exploiting this flaw.
Mitigation Recommendations
To mitigate CVE-2024-47685, European organizations should:
1) Immediately apply the official Linux kernel patches that address this vulnerability once available from their Linux distribution vendors or upstream kernel sources.
2) If patching is delayed, consider temporarily disabling or restricting IPv6 netfilter reject rules that trigger the vulnerable code path, or disable IPv6 if not required.
3) Employ strict network segmentation and ingress filtering to limit exposure of vulnerable systems to untrusted IPv6 traffic.
4) Monitor kernel logs and system behavior for signs of crashes or anomalies related to netfilter or IPv6 packet processing.
5) Use kernel memory sanitizers or runtime security tools in test environments to detect similar uninitialized memory issues proactively.
6) Ensure that Linux systems are running supported and regularly updated kernel versions, and subscribe to security advisories from Linux distributions and the kernel community.
7) Conduct vulnerability scanning and penetration testing focusing on IPv6 and firewall configurations to identify potential exploitation vectors.
8) Harden firewall and nftables configurations to minimize attack surface and avoid complex reject rules that may invoke this vulnerable code path unnecessarily.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-30T16:00:12.941Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe04fd
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 7:27:20 PM
Last updated: 8/18/2025, 8:41:29 AM