CVE-2024-47685

9.1 CRITICAL

📋 TL;DR

CVE-2024-47685 is a Linux kernel vulnerability in the netfilter IPv6 reject module: when a reject rule answers IPv6 TCP traffic with a TCP reset, the reserved bits of the generated TCP header could carry uninitialized kernel memory, which is then sent out in the reset packet. This affects systems using nftables reject rules with IPv6 traffic. The result is information disclosure of kernel memory contents to the network.

💻 Affected Systems

Products:
  • Linux kernel
Versions: The CVE does not list specific affected kernel versions; the fix commits indicate kernels released before the patches were applied
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using nftables with reject rules for IPv6 traffic. Systems not using IPv6 or not using netfilter reject rules are not affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel memory disclosure could reveal sensitive information including cryptographic keys, process memory, or other privileged data to network attackers.

🟠 Likely Case

Limited information disclosure of kernel stack memory in TCP reset packets sent by netfilter reject rules.

🟢 If Mitigated

With proper network segmentation and firewall rules limiting IPv6 traffic, impact is minimal, as attackers need to trigger netfilter reject rules.

🌐 Internet-Facing: MEDIUM - Attackers can trigger this remotely if they can send IPv6 packets that trigger netfilter reject rules.
🏢 Internal Only: LOW - Requires internal network access and ability to trigger specific netfilter reject rules.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the ability to send IPv6 packets that trigger netfilter reject rules. The vulnerability was found by syzbot fuzzing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits 10210658f827ad45061581cbfc05924b723e8922, 7a7b5a27c53b55e91eecf646d1b204e73fa4af93, 7bcbc4cda777d26c88500d973fad0d497fc8a82e, 7ea2bcfd9bf4c3dbbf22546162226fd1c14d8ad2, or 872eca64c3267dbc5836b715716fc6c03a18eda7

Vendor Advisory: https://git.kernel.org/stable/c/10210658f827ad45061581cbfc05924b723e8922

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Disable IPv6 netfilter reject rules

Platform: linux

Remove or disable nftables rules that use the reject action for IPv6 traffic. Note that packets previously matched by a removed reject rule will fall through to the remaining rules or the chain policy, so the chain's behaviour for that traffic changes.

# -a prints rule handles, which the delete command needs
nft -a list ruleset | grep reject
nft delete rule <family> <table> <chain> handle <handle>

Disable IPv6 entirely

Platform: linux

Completely disable IPv6 if it is not needed. These sysctl writes take effect immediately but do not persist across a reboot; add them to a file under /etc/sysctl.d/ to make them permanent.

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

🧯 If You Can't Patch

  • Implement network segmentation to limit IPv6 traffic to trusted sources only
  • Use external firewalls to filter IPv6 traffic before it reaches vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check if system uses nftables with reject rules for IPv6 and has unpatched kernel. Command: nft list ruleset | grep -i reject && uname -r

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel includes the fix commits, and test that IPv6 reject rules no longer leak uninitialized memory

📡 Detection & Monitoring

Log Indicators:

  • Kernel logs showing KMSAN warnings about uninit-value in nf_reject_ip6_tcphdr_put

Network Indicators:

  • TCP reset packets with unusual values in reserved bits field from netfilter systems
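The network indicator above can be checked mechanically: the 4 reserved bits that follow the TCP data offset must be zero in any well-formed segment (RFC 9293), so an IPv6 TCP RST with non-zero reserved bits is worth a look. The following detector is an added example written for this page, not code from the kernel or from the CVE entry; the sample frames are constructed inline (no IPv6 extension headers, checksums left zero) and the addresses are documentation-range placeholders.

```python
import struct

IPV6_HDR_LEN = 40
TCP_PROTO = 6
TCP_RST = 0x04


def build_ipv6_tcp_rst(reserved_bits: int, flags: int = TCP_RST) -> bytes:
    """Constructed test frame: 40-byte IPv6 header + 20-byte TCP header.
    reserved_bits fills the 4 bits between data offset and the flag byte."""
    ipv6 = struct.pack("!IHBB16s16s",
                       0x60000000,                 # version 6, TC/flow label 0
                       20, TCP_PROTO, 64,          # payload len, next header, hop limit
                       bytes.fromhex("20010db8" + "00" * 12),        # 2001:db8::
                       bytes.fromhex("20010db8" + "00" * 11 + "01"))  # 2001:db8::1
    offset_byte = (5 << 4) | (reserved_bits & 0x0F)  # data offset 5 words, no options
    tcp = struct.pack("!HHIIBBHHH", 443, 51000, 0, 1, offset_byte, flags, 0, 0, 0)
    return ipv6 + tcp


def rst_reserved_bits(pkt: bytes):
    """Return the reserved-bits value of an IPv6 TCP RST, or None when the
    frame is not an IPv6 TCP RST or is too short to parse."""
    if len(pkt) < IPV6_HDR_LEN + 20 or pkt[0] >> 4 != 6:
        return None
    if pkt[6] != TCP_PROTO:      # next header; extension headers are not walked here
        return None
    tcp = pkt[IPV6_HDR_LEN:]
    if not tcp[13] & TCP_RST:
        return None
    # Low nibble of byte 12: reserved bits (the lowest one was once the
    # historic ECN nonce flag, RFC 3540). A compliant sender emits zero.
    return tcp[12] & 0x0F


def find_suspicious_resets(frames):
    """Indices of IPv6 TCP RSTs whose reserved bits are non-zero."""
    hits = []
    for i, frame in enumerate(frames):
        bits = rst_reserved_bits(frame)
        if bits is not None and bits != 0:
            hits.append(i)
    return hits
```

Run it over RSTs captured from the hosts that enforce the reject rules; a non-zero value does not prove a leak on its own, but on an unpatched kernel it is exactly the field the uninitialized bytes land in.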

SIEM Query:

source="kernel" AND "uninit-value" AND "nf_reject_ip6_tcphdr_put"
