LiveActive security incident?Get immediate response
CVE Record

CVE-2024-36902: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

In the Linux kernel, the following vulnerability has been resolved: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() syzbot is able to trigger the following crash [1], caused by unsafe ip6_dst_idev() use. Indeed ip6_dst_idev() can return NULL, and must always be checked. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline] RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267 Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700 RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760 RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000 R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00 FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317 fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108 ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline] ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649 ip6_route_output include/net/ip6_route.h:93 [inline] ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120 ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250 sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326 sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455 sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662 sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099 __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-36902 is a Linux kernel bug that can crash the kernel when IPv6 routing code dereferences a missing pointer. The public record shows it was found by syzbot and fixed in Linux stable commits. The main business concern is system availability, not confirmed data theft or remote compromise.

Executive priority

Treat as a routine-to-priority availability fix for Linux fleets, especially systems with strict uptime requirements. There is no sourced evidence of active exploitation, but kernel crashes can disrupt production. Patch through normal kernel maintenance windows unless vendor advisories indicate higher product-specific urgency.

Technical view

The flaw is in IPv6 fib6_rules handling: fib6_rule_action() used ip6_dst_idev() unsafely even though it can return NULL. The provided crash trace reaches the bug through SCTP IPv6 connect and routing lookup paths. Linux stable commits add the missing NULL check. No CVSS score or CWE is provided in the bundle.

Likely exposure

Exposure is most relevant to Linux systems running affected kernel branches with IPv6 networking code available. The CVE record lists Linux as affected across multiple kernel lines, with fixes in stable commits. Debian LTS, NetApp, and Siemens references indicate downstream vendor tracking, but asset-specific applicability requires vendor package or appliance confirmation.

Exploitation context

The source describes a syzbot-triggered kernel crash, not real-world exploitation. CISA KEV status is false in the bundle, and no cited source states active exploitation. The trace indicates a locally initiated connect path, but the provided evidence does not fully establish required privileges or remote triggerability.

Researcher notes

The affected-version data in the CVE bundle is broad and should be interpreted through upstream stable commits and downstream backports. The crash was observed on a syzkaller test kernel. Avoid assuming exploitability beyond denial-of-service without additional vendor or kernel maintainer analysis.

Mitigation direction

  • Apply kernel stable or distribution updates that include the linked fib6_rules fix.
  • Prioritize Debian LTS kernel updates where Debian systems are in scope.
  • Check NetApp and Siemens advisories for affected appliance-specific guidance.
  • If patching is delayed, follow vendor guidance; no standalone workaround is named in the sources.

Validation and detection

  • Inventory running Linux kernel versions across servers, appliances, and embedded systems.
  • Confirm the running kernel includes the relevant stable commit or vendor backport.
  • Review distribution security notices for package versions that remediate CVE-2024-36902.
  • Monitor kernel logs for crashes referencing fib6_rule_action, fib6_rules, or ip6_dst_idev.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-36902 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
14Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux5e5f3f0f801321078c897a5de0b4b4304f234da0, 5e5f3f0f801321078c897a5de0b4b4304f234da0, 5e5f3f0f801321078c897a5de0b4b4304f234da0, 5e5f3f0f801321078c897a5de0b4b4304f234da0, 5e5f3f0f801321078c897a5de0b4b4304f234da0, 5e5f3f0f801321078c897a5de0b4b4304f234da0, 5e5f3f0f801321078c897a5de0b4b4304f234da0, 5e5f3f0f801321078c897a5de0b4b4304f234da0unaffected
LinuxLinux2.6.26, 0, 4.19.314, 5.4.276, 5.10.217, 5.15.159, 6.1.91, 6.6.31, 6.8.10, 6.9affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.