{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors",
    "id" : "2297541",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297541"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\ninput_action_end_dx4() and input_action_end_dx6() call NF_HOOK() for the\nPREROUTING hook. In the PREROUTING hook, we should pass a valid indev\nand a NULL outdev to NF_HOOK(); otherwise, this may trigger a NULL pointer\ndereference, as below:\n[74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n[74830.655633] #PF: supervisor read access in kernel mode\n[74830.657888] #PF: error_code(0x0000) - not-present page\n[74830.659500] PGD 0 P4D 0\n[74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n...\n[74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n[74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n...\n[74830.689725] Call Trace:\n[74830.690402]  <IRQ>\n[74830.690953]  ? show_trace_log_lvl+0x1c4/0x2df\n[74830.692020]  ? show_trace_log_lvl+0x1c4/0x2df\n[74830.693095]  ? ipt_do_table+0x286/0x710 [ip_tables]\n[74830.694275]  ? __die_body.cold+0x8/0xd\n[74830.695205]  ? page_fault_oops+0xac/0x140\n[74830.696244]  ? exc_page_fault+0x62/0x150\n[74830.697225]  ? asm_exc_page_fault+0x22/0x30\n[74830.698344]  ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n[74830.699540]  ipt_do_table+0x286/0x710 [ip_tables]\n[74830.700758]  ? ip6_route_input+0x19d/0x240\n[74830.701752]  nf_hook_slow+0x3f/0xb0\n[74830.702678]  input_action_end_dx4+0x19b/0x1e0\n[74830.703735]  ? input_action_end_t+0xe0/0xe0\n[74830.704734]  seg6_local_input_core+0x2d/0x60\n[74830.705782]  lwtunnel_input+0x5b/0xb0\n[74830.706690]  __netif_receive_skb_one_core+0x63/0xa0\n[74830.707825]  process_backlog+0x99/0x140\n[74830.709538]  __napi_poll+0x2c/0x160\n[74830.710673]  net_rx_action+0x296/0x350\n[74830.711860]  __do_softirq+0xcb/0x2ac\n[74830.713049]  do_softirq+0x63/0x90\ninput_action_end_dx4() passes a NULL indev to NF_HOOK(), and finally\ntriggers a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\nstatic bool\nrpfilter_is_loopback(const struct sk_buff *skb,\nconst struct net_device *in)\n{\n// in is NULL\nreturn skb->pkt_type == PACKET_LOOPBACK ||\nin->flags & IFF_LOOPBACK;\n}", "A vulnerability was found in the Linux kernel's segment routing (seg6) component in the input_action_end_dx4() and input_action_end_dx6() functions, where improper parameter passing to NF_HOOK() can occur, which leads to a NULL pointer dereference when a NULL input device is provided, resulting in a kernel crash." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40957\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40957\nhttps://lore.kernel.org/linux-cve-announce/2024071224-CVE-2024-40957-94a5@gregkh/T" ],
  "name" : "CVE-2024-40957",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}