In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes). pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to: skb_set_mac_header(skb, -skb->mac_len); will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head. A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv. Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.
The ipv6_rpl_srh_rcv() function decompresses the SRH header, replaces the next segment in the ipv6_hdr->daddr field, then recompresses the header and pushes it along with the IPv6 header. The recompressed header can be larger than the received one (even by +8 bytes) when the replacement reduces the common prefix length. The pskb_expand_head() call was conditional on segments_left == 0, so for earlier segments the push operation consumed unverified headroom. When skb_push() leaves less than skb->mac_len bytes before the data, the mac_header field (u16 type) overflows to a value around ~65530, and the subsequent memmove() call writes mac_len bytes approximately 64 KiB past the skb->head pointer — which KASAN detects as a 14-byte OOB write in ipv6_rthdr_rcv.
An attacker can cause out-of-bounds write of data in kernel memory, potentially leading to memory corruption, privilege escalation, or remote code execution (RCE) in the kernel context of the operating system.
Patches available from the manufacturer should be applied according to the references — fix commits available at: 4babc2d9fda2, 7398ebefbfd4, 8e8be63465a5, 9e6bf146b559, c261d07a8057 in the git.kernel.org/stable repository. It is recommended to update the kernel to a version containing the indicated patches. As a workaround, you may consider disabling IPv6 RPL routing support if this feature is not required in your environment.
Linux kernel with IPv6 RPL Source Routing support (ipv6_rpl_srh_rcv); exact versions indicated in manufacturer references (commits available in the stable git.kernel.org repository)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux7.15.11 – 5.15.209 (bez)5.16 – 6.1.175 (bez)6.2 – 6.6.140 (bez)5.7 – 5.10.258 (bez)6.13 – 6.18.27 (bez)6.19 – 7.0.4 (bez)6.7 – 6.12.86 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...