CVE-2024-5564

8.1 HIGH

📋 TL;DR

A buffer overflow vulnerability in libndp allows local attackers to crash NetworkManager or potentially execute arbitrary code on systems running it by sending malformed IPv6 router advertisement packets. This affects systems using libndp for IPv6 neighbor discovery, primarily Linux distributions with NetworkManager enabled. The vulnerability stems from improper validation of route length information in router advertisements.

💻 Affected Systems

Products:
  • libndp
  • NetworkManager
Versions: libndp versions before 1.9
Operating Systems: Linux distributions using libndp (RHEL, Fedora, CentOS, Ubuntu, Debian, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Systems must have IPv6 enabled and NetworkManager running. Systems without NetworkManager or with IPv6 disabled are not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation leading to root access, system compromise, or persistent backdoor installation

🟠 Likely Case: Denial of service (NetworkManager crash) or limited code execution within NetworkManager context

🟢 If Mitigated: Denial of service only if exploit attempts are detected and blocked

🌐 Internet-Facing: LOW (requires local network access or IPv6 router advertisement spoofing capability)
🏢 Internal Only: MEDIUM (local attackers on the same network segment can exploit without authentication)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending crafted IPv6 router advertisements, which can be done from the local network without authentication. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libndp 1.9 or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4618

Restart Required: Yes

Instructions:

  1. Update the libndp package using your distribution's package manager.
  2. For RHEL/CentOS: 'yum update libndp'.
  3. For Ubuntu/Debian: 'apt update && apt install --only-upgrade libndp0'.
  4. Restart the NetworkManager service: 'systemctl restart NetworkManager'.

🔧 Temporary Workarounds

Disable IPv6 Router Advertisement Processing

linux

Configure NetworkManager to ignore router advertisements

nmcli connection modify <connection-name> ipv6.ra-timeout 0
nmcli connection down <connection-name> && nmcli connection up <connection-name>

Disable IPv6 Entirely

linux

Completely disable IPv6 to prevent exploitation

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
To make the setting persistent, add to /etc/sysctl.conf: net.ipv6.conf.all.disable_ipv6 = 1

🧯 If You Can't Patch

  • Implement network segmentation to limit who can send router advertisements
  • Use host-based firewalls to block incoming IPv6 router advertisements from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the libndp version: 'rpm -q libndp' (RHEL) or 'dpkg -l libndp0' (Debian/Ubuntu). If the version is below 1.9, the system is vulnerable.

Check Version:

rpm -q libndp || dpkg -l | grep libndp || libndp --version

Verify Fix Applied:

Verify libndp version is 1.9 or higher and NetworkManager is running without crashes after applying updates.

📡 Detection & Monitoring

Log Indicators:

  • NetworkManager crash logs in journalctl
  • Segmentation fault errors in system logs related to NetworkManager or libndp

Network Indicators:

  • Unusual IPv6 router advertisement packets with malformed route options
  • Spoofed router advertisements from unexpected sources

SIEM Query:

source="journald" AND (process="NetworkManager" OR process="libndp") AND ("segmentation fault" OR "buffer overflow" OR "SIGSEGV")
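
An added triage example (not part of the original advisory or of any vendor tooling): libndp is a library loaded into NetworkManager, so it never appears as a process name, and a crash is usually reported by the kernel and by systemd rather than by NetworkManager itself. The Python below scans `journalctl -o json` lines for all three sources; the message formats it matches and the sample entries are assumptions constructed for illustration.

```python
import json
import re

# Where a NetworkManager crash shows up in `journalctl -o json` output:
# the kernel trap line, systemd's unit-exit line, and NetworkManager's own log.
KERNEL_SEGV = re.compile(r"^NetworkManager\[\d+\]: segfault at .* in (\S+?)\[")
UNIT_EXIT = re.compile(r"NetworkManager\.service: Main process exited, "
                       r"code=(?:dumped|killed), status=\d+/(?:SEGV|ABRT)")
SELF_REPORT = re.compile(r"segmentation fault|buffer overflow|SIGSEGV", re.I)

def classify(entry):
    """Return (kind, detail) for a crash-related journal entry, else None."""
    msg = entry.get("MESSAGE")
    if not isinstance(msg, str):  # non-UTF-8 messages are exported as byte arrays
        return None
    ident = entry.get("SYSLOG_IDENTIFIER", "")
    if entry.get("_TRANSPORT") == "kernel":
        m = KERNEL_SEGV.search(msg)
        return ("kernel-segfault", m.group(1)) if m else None
    if ident == "systemd" and UNIT_EXIT.search(msg):
        return ("unit-crash", "NetworkManager.service")
    if ident == "NetworkManager" and SELF_REPORT.search(msg):
        return ("self-report", "NetworkManager")
    return None

def scan(lines):
    """Scan JSON journal lines; return (timestamp, kind, detail) hits."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip blank or truncated lines
        if isinstance(entry, dict) and (verdict := classify(entry)):
            hits.append((entry.get("__REALTIME_TIMESTAMP"), *verdict))
    return hits

# Constructed sample entries (not taken from a real incident).
SAMPLE = [json.dumps(e) for e in (
    {"__REALTIME_TIMESTAMP": "1", "_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel",
     "MESSAGE": "NetworkManager[812]: segfault at 0 ip 00007f0000001234 "
                "sp 00007ffc00000000 error 4 in libndp.so.0[7f0000000000+6000]"},
    {"__REALTIME_TIMESTAMP": "2", "_TRANSPORT": "journal", "SYSLOG_IDENTIFIER": "systemd",
     "MESSAGE": "NetworkManager.service: Main process exited, code=dumped, status=11/SEGV"},
    {"__REALTIME_TIMESTAMP": "3", "_TRANSPORT": "journal", "SYSLOG_IDENTIFIER": "NetworkManager",
     "MESSAGE": "<info>  device (eth0): state change: ip-config -> activated"},
    {"__REALTIME_TIMESTAMP": "4", "_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel",
     "MESSAGE": "IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready"},
)]
```

To run it against a host, pass the lines of `journalctl -b -o json` output to `scan()`.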
