CVE-2024-50256: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

I got a syzbot report without a repro [1] crashing in nf_send_reset6()

I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header.

Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c.

[1]
skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun
kernel BUG at net/core/skbuff.c:206 !
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
RSP: 0018:ffffc900045269b0 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc
R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140
R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c
FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
skb_push+0xe5/0x100 net/core/skbuff.c:2636
eth_header+0x38/0x1f0 net/ethernet/eth.c:83
dev_hard_header include/linux/netdevice.h:3208 [inline]
nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358
nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
br_nf_pre_routing_ipv6+0x63e/0x770 net/bridge/br_netfilter_ipv6.c:184
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:277 [inline]
br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424
__netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562
__netif_receive_skb_one_core net/core/dev.c:5666 [inline]
__netif_receive_skb+0x12f/0x650 net/core/dev.c:5781
netif_receive_skb_internal net/core/dev.c:5867 [inline]
netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926
tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550
tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007
tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053
new_sync_write fs/read_write.c:590 [inline]
vfs_write+0xa6d/0xc90 fs/read_write.c:683
ksys_write+0x183/0x2b0 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdbeeb7d1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48
RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff
RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8
RBP: 00007fdbeebf12be R08: 0000000
---truncated---
AI Analysis
Technical Summary
CVE-2024-50256 is a vulnerability identified in the Linux kernel's netfilter subsystem, specifically within the IPv6 packet rejection functionality (nf_reject_ipv6). The flaw arises in the function nf_send_reset6(), which is responsible for sending TCP reset packets in response to rejected IPv6 connections. The root cause is an improper handling of the network device's hard_header_len field, which can be zero in certain conditions. When this occurs, the function attempts to push an Ethernet header onto a socket buffer (skb) without verifying the header length, leading to a kernel crash due to skb_under_panic. This crash is triggered by a kernel BUG at net/core/skbuff.c, indicating a critical memory or buffer management error. The vulnerability was discovered through syzbot fuzzing reports, which identified a crash scenario without a direct reproduction method. The fix involves using the constant LL_MAX_HEADER, consistent with other functions in the same source file, to ensure the header length is correctly handled and prevent the crash. This vulnerability affects Linux kernel versions around 6.12.0-rc2 and potentially other versions using the affected netfilter code. The issue is a denial-of-service (DoS) vector caused by a kernel panic triggered by malformed or specially crafted IPv6 packets processed by netfilter's reject mechanism. There is no indication that this vulnerability allows privilege escalation or arbitrary code execution, but the kernel crash can disrupt system availability and network functionality. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-50256 primarily concerns system availability and network reliability. Linux is widely deployed across European enterprises, government agencies, cloud providers, and critical infrastructure, often serving as the backbone for servers, network appliances, and virtualized environments. A successful exploitation could cause kernel panics and system crashes on affected hosts, leading to denial of service. This can disrupt business operations, especially for organizations relying on IPv6 networking and netfilter-based firewall or packet filtering rules. Network devices or servers that reject IPv6 connections using nf_reject_ipv6 are particularly at risk. The vulnerability could be exploited remotely by sending crafted IPv6 packets, potentially from external attackers or malicious insiders. Although no privilege escalation is evident, repeated crashes could degrade service availability, impact incident response, and increase operational costs. In environments with high IPv6 adoption, such as telecom, finance, and cloud services in Europe, the risk is more pronounced. Additionally, the vulnerability may affect containerized or virtualized Linux systems that use netfilter for network policy enforcement. Overall, the threat poses a medium to high operational risk due to potential service interruptions but does not directly compromise confidentiality or integrity.
Mitigation Recommendations
To mitigate CVE-2024-50256, European organizations should:
1) Apply the official Linux kernel patches as soon as they become available, ensuring that the fix using LL_MAX_HEADER is incorporated.
2) If immediate patching is not feasible, consider temporarily disabling or restricting netfilter rules that invoke nf_reject_ipv6, especially those rejecting IPv6 traffic, to reduce exposure.
3) Implement network-level filtering to block or scrutinize suspicious IPv6 packets that could trigger the vulnerability, using upstream firewalls or intrusion prevention systems.
4) Monitor kernel logs and system stability for signs of crashes related to nf_send_reset6 or skb_under_panic, enabling rapid detection and response.
5) Employ kernel live patching solutions where supported to minimize downtime during patch deployment.
6) Review and harden IPv6 network configurations and firewall policies to limit unnecessary IPv6 reject rules.
7) Engage with Linux distribution vendors for timely updates and security advisories.
These steps go beyond generic advice by focusing on specific netfilter components and operational controls tailored to this vulnerability.
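A log-triage helper for the monitoring step above, added here as an example (it is not code from the kernel or from this advisory): it parses the skb_under_panic line, derives how much headroom the skb had before the failing push, and checks whether nf_send_reset6 is in the call trace. The input is an excerpt of the report quoted on this page; the function and key names are hypothetical.

```python
import re

# Excerpt of the syzbot report quoted on this page (registers and most
# frames left out); a second, constructed sample is used in the checks.
REPORT = """\
skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun
kernel BUG at net/core/skbuff.c:206 !
Call Trace:
 skb_push+0xe5/0x100 net/core/skbuff.c:2636
 eth_header+0x38/0x1f0 net/ethernet/eth.c:83
 dev_hard_header include/linux/netdevice.h:3208 [inline]
 nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358
 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48
"""

PANIC_RE = re.compile(
    r"skb_under_panic: text:[0-9a-f]+ len:(?P<len>\d+) put:(?P<put>\d+) "
    r"head:(?P<head>[0-9a-f]+) data:(?P<data>[0-9a-f]+) "
    r"tail:\S+ end:\S+ dev:(?P<dev>\S+)")
# Frames that carry a symbol+offset/size pair; [inline] frames have none.
FRAME_RE = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


def triage(log_text):
    """Return details of the first skb_under_panic in log_text, or None."""
    m = PANIC_RE.search(log_text)
    if m is None:
        return None
    head, data = int(m["head"], 16), int(m["data"], 16)
    put = int(m["put"])
    frames = FRAME_RE.findall(log_text[m.end():])
    return {
        "dev": m["dev"],
        "put": put,
        # skb_push() moves data back by `put` before checking data < head,
        # so the logged data pointer is the value after the push.
        "headroom_before_push": data + put - head,
        "short_by": head - data,
        "payload_len": int(m["len"]) - put,
        "frames": frames,
        # Crash path named in this advisory: the push happened while
        # nf_send_reset6 was building the link-layer header.
        "nf_send_reset6_path": "skb_push" in frames
                               and "nf_send_reset6" in frames,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

On the page's report this yields zero headroom before a 14-byte push on dev syz_tun, which matches the commit message's reading that dev->hard_header_len was zero.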
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.980Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdf672
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 1:39:34 PM
Last updated: 8/1/2025, 4:16:38 PM