
CVE-2024-56647: Vulnerability in Linux Linux

Medium
Tags: Vulnerability, CVE-2024-56647, cve, cve-2024-56647
Published: Fri Dec 27 2024 (12/27/2024, 15:02:47 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: Fix icmp host relookup triggering ip_rt_bug

arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:

    WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20
    Modules linked in:
    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    RIP: 0010:ip_rt_bug+0x14/0x20
    Call Trace:
     <IRQ>
     ip_send_skb+0x14/0x40
     __icmp_send+0x42d/0x6a0
     ipv4_link_failure+0xe2/0x1d0
     arp_error_report+0x3c/0x50
     neigh_invalidate+0x8d/0x100
     neigh_timer_handler+0x2e1/0x330
     call_timer_fn+0x21/0x120
     __run_timer_base.part.0+0x1c9/0x270
     run_timer_softirq+0x4c/0x80
     handle_softirqs+0xac/0x280
     irq_exit_rcu+0x62/0x80
     sysvec_apic_timer_interrupt+0x77/0x90

The script below reproduces this scenario:

    ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \
        dir out priority 0 ptype main flag localok icmp
    ip l a veth1 type veth
    ip a a 192.168.141.111/24 dev veth0
    ip l s veth0 up
    ping 192.168.141.155 -c 1

icmp_route_lookup() creates input routes for locally generated packets while xfrm relooks up ICMP traffic. Then it will set input route (dst->out = ip_rt_bug) to skb for DESTUNREACH. For ICMP err triggered by locally generated packets, dst->dev of output route is loopback. Generally, xfrm relookup verification is not required on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1). Skip icmp relookup for locally generated packets to fix it.

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 06:39:52 UTC

Technical Analysis

CVE-2024-56647 is a vulnerability in the Linux kernel network stack, specifically in the ICMP (Internet Control Message Protocol) host relookup performed when IPsec (xfrm) is enabled. An ARP (Address Resolution Protocol) link failure, reported through neighbour invalidation, leads the kernel into ip_rt_bug, an internal warning function that signals an inconsistency in the IP routing subsystem (in the quoted trace, net/ipv4/route.c:1241). The vulnerability manifests when ICMP error messages generated for locally produced packets undergo route lookups involving xfrm policies. For locally generated packets the output route's device is the loopback interface, and an xfrm relookup is not required there. Due to this flaw, icmp_route_lookup() nevertheless performs the relookup and attaches an input route to the ICMP destination-unreachable skb, so the skb's output hook is ip_rt_bug (dst->out = ip_rt_bug); sending it triggers the kernel warning and can destabilize the networking path. The condition can be reproduced by installing an xfrm policy, creating virtual Ethernet devices, and sending ICMP traffic whose neighbour resolution fails, as the description's script shows. The root cause is that the kernel does not skip the ICMP relookup for locally generated packets, whose output route is on loopback where xfrm verification is not normally required (net.ipv4.conf.lo.disable_xfrm = 1); the patch fixes this by skipping the relookup for those packets. This vulnerability affects Linux kernel versions around 6.12.0-rc6 and possibly others in the same development cycle. While no known exploits are reported in the wild, the issue could lead to denial of service (DoS) conditions by crashing or destabilizing the kernel networking stack when triggered. Triggering it requires a specific network configuration (xfrm policies and ICMP traffic), which limits the attack surface but does not eliminate risk in environments using IPsec on Linux systems.

Potential Impact

For European organizations, the impact of CVE-2024-56647 could be significant in environments relying on Linux servers or devices with IPsec (xfrm) enabled for secure communications. Many enterprises, government agencies, and critical infrastructure providers in Europe use Linux-based systems for networking, VPN gateways, and secure communications. Exploitation of this vulnerability could cause kernel crashes or network stack instability, leading to denial of service conditions that disrupt business operations, secure communications, or critical services. This is particularly concerning for sectors such as finance, telecommunications, healthcare, and government, where network reliability and security are paramount. Although exploitation requires specific conditions, targeted attackers or malware could leverage this flaw to disrupt services or cause outages. Additionally, the vulnerability could be used as part of a multi-stage attack to weaken system stability before further compromise. The lack of known exploits in the wild suggests limited current threat, but the presence of a patch indicates the need for timely remediation to prevent future exploitation. Organizations using Linux kernels with IPsec enabled should consider this vulnerability a moderate risk that could escalate if combined with other attack vectors.

Mitigation Recommendations

To mitigate CVE-2024-56647, European organizations should:

1) Apply the official Linux kernel patches that address the ICMP host relookup issue (the fix skips the xfrm relookup for locally generated packets, whose output route is on loopback, where xfrm verification is not normally required and net.ipv4.conf.lo.disable_xfrm = 1 by default).
2) Review and audit IPsec (xfrm) configurations to ensure they follow best practices and minimize unnecessary complexity that could trigger the vulnerability.
3) Monitor kernel logs for WARNING entries referencing ip_rt_bug (net/ipv4/route.c) or ICMP route lookup failures as early indicators of exploitation attempts or instability.
4) Implement network segmentation and strict access controls to limit exposure of vulnerable Linux systems to untrusted networks or users.
5) Use kernel live patching solutions where possible to apply fixes without downtime, especially in critical production environments.
6) Conduct vulnerability scanning and penetration testing focused on network stack and IPsec configurations to identify potential exploitation paths.
7) Maintain up-to-date backups and incident response plans to quickly recover from any denial of service or system crashes caused by exploitation attempts.

These steps go beyond generic advice by focusing on configuration review, monitoring, and operational readiness specific to the nature of this vulnerability.
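A defender-side log check for recommendation 3, added here as an example; it is not part of the advisory and not code from the Linux kernel project. It scans dmesg/journalctl-style lines for the ip_rt_bug warning quoted in the description, records the kernel release printed in the oops header, collects the call-trace frames, and tags events whose trace runs through the ICMP error path from the CVE (__icmp_send -> ipv4_link_failure -> arp_error_report) so they can be separated from other ip_rt_bug hits. The embedded log lines are constructed: the first event is assembled from the trace quoted in the CVE text, while the second event and the filler lines are hypothetical and exist only to show the classifier telling the two apart.

```python
"""Flag ip_rt_bug warnings on the ICMP error path (CVE-2024-56647) in kernel logs.

Added example, not from the advisory or the kernel sources. Feed it the lines of
`dmesg` or `journalctl -k`; the SAMPLE_LOG below is constructed for offline use.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# dmesg-style timestamp prefix such as "[   40.120000] "
TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# The warning quoted in the CVE description: the kernel reached ip_rt_bug()
WARNING_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<loc>\S+) ip_rt_bug\+"
)
# Kernel release as printed on the "CPU: ... Comm: <name> Not tainted <release>" line
RELEASE_RE = re.compile(r"Comm: \S+ (?:Not tainted|Tainted:[^\d]*) (?P<rel>\d+\.\d+\S*)")
# A stack frame such as "__icmp_send+0x42d/0x6a0" (after any leading "? " is removed)
FRAME_RE = re.compile(r"[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+")
END_TRACE = "---[ end trace"
# Functions that together identify the ICMP error path in the CVE's call trace
ICMP_RELOOKUP_FRAMES = ("__icmp_send", "ipv4_link_failure", "arp_error_report")


@dataclass
class IpRtBugEvent:
    line_no: int            # 1-based index of the WARNING line in the input
    cpu: int
    pid: int
    location: str           # e.g. net/ipv4/route.c:1241
    release: Optional[str] = None
    frames: List[str] = field(default_factory=list)

    def on_icmp_relookup_path(self) -> bool:
        """True when every function of the CVE's ICMP error path appears in the trace."""
        names = {f.split("+", 1)[0] for f in self.frames}
        return all(n in names for n in ICMP_RELOOKUP_FRAMES)


def scan_kernel_log(lines) -> List[IpRtBugEvent]:
    """Return one event per ip_rt_bug WARNING, with the frames that followed it.

    A trace is closed by the '---[ end trace ... ]---' marker or by the next
    WARNING; lines inside a trace that are not frames (registers, <IRQ>) are skipped.
    """
    events: List[IpRtBugEvent] = []
    current: Optional[IpRtBugEvent] = None
    for n, raw in enumerate(lines, 1):
        line = TIMESTAMP_RE.sub("", raw).strip()
        m = WARNING_RE.search(line)
        if m:
            current = IpRtBugEvent(n, int(m["cpu"]), int(m["pid"]), m["loc"])
            events.append(current)
            continue
        if current is None:
            continue
        if line.startswith(END_TRACE):
            current = None
            continue
        r = RELEASE_RE.search(line)
        if r:
            current.release = r["rel"]
            continue
        if line.startswith("? "):          # unreliable frame marker printed by the kernel
            line = line[2:]
        if FRAME_RE.fullmatch(line):
            current.frames.append(line)
    return events


# Constructed sample: event 1 reuses the trace quoted in the CVE text; event 2 and
# the surrounding lines are hypothetical filler for demonstration only.
SAMPLE_LOG = """\
[   12.001234] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   40.120000] WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20
[   40.120001] Modules linked in:
[   40.120002] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7
[   40.120003] RIP: 0010:ip_rt_bug+0x14/0x20
[   40.120004] Call Trace:
[   40.120005]  <IRQ>
[   40.120006]  ip_send_skb+0x14/0x40
[   40.120007]  __icmp_send+0x42d/0x6a0
[   40.120008]  ipv4_link_failure+0xe2/0x1d0
[   40.120009]  arp_error_report+0x3c/0x50
[   40.120010]  neigh_invalidate+0x8d/0x100
[   40.120011]  neigh_timer_handler+0x2e1/0x330
[   40.120012]  </IRQ>
[   40.120013] ---[ end trace 0000000000000000 ]---
[   55.000000] WARNING: CPU: 1 PID: 314 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20
[   55.000001] CPU: 1 UID: 0 PID: 314 Comm: ping Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7
[   55.000002] Call Trace:
[   55.000003]  ip_send_skb+0x14/0x40
[   55.000004]  ? ip_output+0x30/0x60
[   55.000005] ---[ end trace 0000000000000001 ]---
[   60.000000] audit: type=1400 audit(1700000000.000:42): constructed filler line
"""


def icmp_relookup_events(text: str) -> List[IpRtBugEvent]:
    """Convenience wrapper: only the ip_rt_bug events on the CVE's ICMP path."""
    return [e for e in scan_kernel_log(text.splitlines()) if e.on_icmp_relookup_path()]


if __name__ == "__main__":
    for ev in scan_kernel_log(SAMPLE_LOG.splitlines()):
        tag = "ICMP-relookup path" if ev.on_icmp_relookup_path() else "other ip_rt_bug hit"
        print(f"line {ev.line_no}: cpu={ev.cpu} pid={ev.pid} {ev.location} "
              f"release={ev.release} -> {tag}")
```

On a live host the same functions can be run over `journalctl -k --no-pager` output; an event tagged with the ICMP-relookup path on a kernel that predates the fix is the signal recommendation 3 asks for, and the release string it records tells you which kernel to patch.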


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-27T15:00:39.840Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9822c4522896dcbde464

Added to database: 5/21/2025, 9:08:50 AM

Last enriched: 6/28/2025, 6:39:52 AM

Last updated: 8/14/2025, 12:40:58 AM
