CVE-2024-56646
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's IPv6 implementation allows local attackers to cause a kernel panic (denial of service) by triggering a specific code path in modify_prefix_route(). It affects Linux systems with IPv6 enabled, and exploitation requires local access.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially requiring physical or remote console access to restore functionality.
Likely Case
Local denial of service through kernel panic, disrupting services on affected systems.
If Mitigated
Minimal impact if proper access controls prevent local users from triggering the vulnerable code path.
🎯 Exploit Status
Exploitation requires local access and ability to trigger specific IPv6 route modification operations. The vulnerability was discovered through syzkaller fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel versions with commits 01f95357e47219a9c4b29e177b717edbfab721b4, 90f7d995b861fd77ae4885cc58e26a6a4e5ccdb9, a747e02430dfb3657141f99aa6b09331283fa493
Vendor Advisory: https://git.kernel.org/stable/c/01f95357e47219a9c4b29e177b717edbfab721b4
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Check kernel version with 'uname -r'.
3. Reboot system after kernel update.
4. Verify fix with 'uname -r' showing patched version.
🔧 Temporary Workarounds
Disable IPv6
Completely disable IPv6 functionality to prevent exploitation
echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf
sysctl -p
Restrict IPv6 route modifications
Use kernel capabilities or SELinux/AppArmor to restrict IPv6 route modification operations
# Configure appropriate SELinux/AppArmor policies to restrict netlink socket operations
# Use capabilities to limit CAP_NET_ADMIN for non-privileged users
🧯 If You Can't Patch
- Implement strict access controls to prevent local users from executing IPv6 route modification commands
- Monitor for kernel panic events and implement high availability/failover for critical systems
🔍 How to Verify
Check if Vulnerable:
Check kernel version with 'uname -r' and compare against affected versions. Check if IPv6 is enabled with 'ip -6 addr show' or 'cat /proc/sys/net/ipv6/conf/all/disable_ipv6' (0 means enabled).
Check Version:
uname -r
Verify Fix Applied:
Confirm with 'uname -r' that the running kernel is a patched version, and check the kernel's git commit history for the fix commits.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- NULL pointer dereference errors mentioning modify_prefix_route
- IPv6 route modification failures
Network Indicators:
- Sudden loss of IPv6 connectivity on affected systems
- System becoming unresponsive to network requests
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "general protection fault" OR "modify_prefix_route")
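The log indicators and SIEM query above, as an added example that is not part of the original advisory: a shell function that counts only those kernel oopses whose call trace names modify_prefix_route, since a bare match on the oops header also fires on unrelated crashes. The sample log lines, the 40-line window and the helper names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel project.

# count_prefix_route_oops FILE [WINDOW]
# Prints how many oops headers are followed, within WINDOW lines (default 40,
# an assumed upper bound on trace length), by a line naming
# modify_prefix_route. The kernel's "end trace" marker closes the window early
# so one crash's header is not paired with a later crash's trace.
count_prefix_route_oops() {
    awk -v window="${2:-40}" '
        /NULL pointer dereference|general protection fault/ { left = window + 0; next }
        /end trace/ { left = 0; next }
        left > 0 {
            if (/modify_prefix_route/) { hits++; left = 0 } else { left-- }
        }
        END { print hits + 0 }
    ' "$1"
}

# write_sample_log FILE
# Constructed sample input: one unrelated general protection fault, then one
# NULL dereference with modify_prefix_route in its trace. Offsets and the
# other function names are placeholders, not values from a real crash.
write_sample_log() {
    cat > "$1" <<'EOF'
kernel: Oops: general protection fault, probably for non-canonical address 0x0: 0000 [#1] SMP
kernel: Call Trace:
kernel:  constructed_unrelated_fn+0x0/0x0
kernel: ---[ end trace 0000000000000000 ]---
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
kernel: Call Trace:
kernel:  <TASK>
kernel:  modify_prefix_route+0x0/0x0
kernel:  constructed_caller+0x0/0x0
kernel:  </TASK>
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
echo "oopses naming modify_prefix_route: $(count_prefix_route_oops "$sample")"
rm -f "$sample"
```

To use it on a real host, pass a saved kernel log such as /var/log/kern.log or the output of dmesg written to a file.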