CVE-2024-56703: Vulnerability in Linux Linux

High
Published: Sat Dec 28 2024 (12/28/2024, 09:46:24 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix soft lockups in fib6_select_path under high next hop churn

Soft lockups have been observed on a cluster of Linux-based edge routers located in a highly dynamic environment. Using the `bird` service, these routers continuously update BGP-advertised routes due to frequently changing nexthop destinations, while also managing significant IPv6 traffic. The lockups occur during the traversal of the multipath circular linked-list in the `fib6_select_path` function, particularly while iterating through the siblings in the list. The issue typically arises when the nodes of the linked list are unexpectedly deleted concurrently on a different core—indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer.

Apply RCU primitives in the problematic code sections to resolve the issue. Where necessary, update the references to fib6_siblings to annotate or use the RCU APIs.

Include a test script that reproduces the issue. The script periodically updates the routing table while generating a heavy load of outgoing IPv6 traffic through multiple iperf3 clients. It consistently induces infinite soft lockups within a couple of minutes.

Kernel log:

 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb
 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3
 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4
 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03
 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f
 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756
 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af
 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d
-- <IRQ stack> --
 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb
    [exception RIP: fib6_select_path+299]
    RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287
    RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000
    RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618
    RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200
    R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830
    R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007
    ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c
10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c
11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5
12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47
13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0
14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274
15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474
16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615
17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec
18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3
19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9
20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]
21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]
22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]
23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000
24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581
25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9
26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47
27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30
28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f
29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64
30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb

AI-Powered Analysis

Last updated: 06/28/2025, 07:10:26 UTC

Technical Analysis

CVE-2024-56703 is a vulnerability in the Linux kernel's IPv6 routing subsystem, specifically within the fib6_select_path function responsible for selecting the next hop path for IPv6 packets. The issue manifests as a soft lockup caused by an infinite loop during traversal of a multipath circular linked list of routing siblings. This occurs under conditions of high next hop churn, such as in environments where BGP routes are frequently updated, for example, Linux-based edge routers running the 'bird' routing daemon. The root cause is concurrent deletion of linked list nodes on a different CPU core without proper synchronization, leading to corrupted list pointers where nodes point to themselves and reference counts drop to zero. This causes the kernel to enter an infinite loop, triggering a soft lockup detected by the watchdog timer and resulting in a system panic and crash. The fix involves applying Read-Copy-Update (RCU) synchronization primitives to safely manage concurrent access and deletion of fib6_siblings nodes, preventing the infinite loop condition. A test script has been developed that reproduces the issue by continuously updating the routing table while generating heavy IPv6 traffic, reliably causing the soft lockup within minutes. The vulnerability affects Linux kernel versions identified by the provided commit hashes (all identical in this report), and no CVSS score has been assigned yet. No known exploits are currently reported in the wild. The kernel log trace included shows the panic occurring at fib6_select_path, confirming the infinite loop during IPv6 route selection under heavy multipath and next hop update conditions.
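
The loop condition described above can be modelled in userspace. The following is an added example, not code from the kernel or from the fix: a single-threaded simulation in which a reader walks a circular list while the node it is standing on is unlinked, once with a delete that re-initialises the node to point at itself and once with an RCU-style delete that leaves the forward pointer intact. All names (node, del_init, del_keep_next, walk_with_race) and the step limit standing in for the watchdog are assumptions of the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model of a circular doubly linked list (constructed example). */
struct node { struct node *next, *prev; };

static void list_init(struct node *n) { n->next = n->prev = n; }

static void list_add_tail(struct node *n, struct node *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* Unlink and re-initialise: the removed node ends up pointing at itself,
 * the state the advisory describes ('next' and 'previous' point back). */
static void del_init(struct node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;
}

/* RCU-style unlink: 'next' stays valid so a reader already on the node can
 * still walk forward to the head. Real RCU also defers freeing the node
 * until readers are done; that part is not modelled here. */
static void del_keep_next(struct node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->prev = NULL;
}

/* Reader walks the siblings of n[0]. At step `race_at` the "writer" unlinks
 * the node the reader is standing on (race_at 0 = no deletion). Returns the
 * steps taken, or -1 if the walk exceeds `limit` (stand-in for a lockup). */
static int walk_with_race(void (*del)(struct node *), int race_at, int limit) {
    struct node n[4];
    int steps = 0;
    list_init(&n[0]);
    for (int i = 1; i < 4; i++) list_add_tail(&n[i], &n[0]);
    for (struct node *pos = n[0].next; pos != &n[0]; pos = pos->next) {
        if (++steps > limit) return -1;      /* never reached the head */
        if (steps == race_at) del(pos);      /* concurrent delete, simulated */
    }
    return steps;
}

int main(void) {
    printf("re-init delete:   %d\n", walk_with_race(del_init, 2, 1000));
    printf("RCU-style delete: %d\n", walk_with_race(del_keep_next, 2, 1000));
    return 0;
}
```

With the re-initialising delete the reader's termination test (reaching the starting node) can never succeed, because the only pointer it follows leads back to the removed node.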

Potential Impact

For European organizations, especially those operating large-scale network infrastructure such as ISPs, cloud providers, data centers, and enterprises with complex IPv6 routing environments, this vulnerability poses a significant risk to network availability and reliability. Edge routers and other network devices running Linux kernels vulnerable to this issue may experience system panics and crashes under high route update loads, leading to network outages or degraded service. This can disrupt critical business operations, impact service level agreements, and cause cascading failures in dependent systems. Given the increasing adoption of IPv6 in Europe and the use of Linux-based routing platforms, the vulnerability could affect a broad range of organizations managing dynamic BGP routing with multipath configurations. While the vulnerability does not appear to allow direct code execution or privilege escalation, the denial-of-service impact on network infrastructure is severe. The lack of known exploits reduces immediate risk, but the reproducibility of the issue and its presence in core kernel networking code make timely patching essential to maintain operational stability.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel versions to incorporate the patch that applies RCU synchronization to the fib6_select_path function and related code managing fib6_siblings. Since the vulnerability arises under conditions of high next hop churn and heavy IPv6 traffic, organizations can temporarily mitigate risk by reducing the frequency of BGP route updates where feasible and limiting multipath configurations that cause rapid linked list modifications. Network administrators should monitor kernel logs for signs of soft lockups or watchdog timer panics related to IPv6 routing. Deploying kernel live patching solutions where available can reduce downtime during patch application. Additionally, testing the patch in staging environments that simulate high route churn and IPv6 traffic loads is recommended to ensure stability before production deployment. Network design reviews to minimize unnecessary route flapping and optimize BGP configurations can also reduce exposure. Finally, organizations should maintain robust backup and recovery procedures to quickly restore affected systems in case of crashes.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-27T15:00:39.856Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9822c4522896dcbde5a0

Added to database: 5/21/2025, 9:08:50 AM

Last enriched: 6/28/2025, 7:10:26 AM

Last updated: 8/16/2025, 3:19:48 AM
