{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()",
    "id" : "2320268",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320268"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-908",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()\nsyzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending\ngarbage on the four reserved tcp bits (th->res1)\nUse skb_put_zero() to clear the whole TCP header,\nas done in nf_reject_ip_tcphdr_put()\nBUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255\nnf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255\nnf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344\nnft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48\nexpr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\nnft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288\nnft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161\nnf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\nnf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\nnf_hook include/linux/netfilter.h:269 [inline]\nNF_HOOK include/linux/netfilter.h:312 [inline]\nipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310\n__netif_receive_skb_one_core net/core/dev.c:5661 [inline]\n__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775\nprocess_backlog+0x4ad/0xa50 net/core/dev.c:6108\n__napi_poll+0xe7/0x980 net/core/dev.c:6772\nnapi_poll net/core/dev.c:6841 [inline]\nnet_rx_action+0xa5a/0x19b0 net/core/dev.c:6963\nhandle_softirqs+0x1ce/0x800 kernel/softirq.c:554\n__do_softirq+0x14/0x1a kernel/softirq.c:588\ndo_softirq+0x9a/0x100 kernel/softirq.c:455\n__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382\nlocal_bh_enable include/linux/bottom_half.h:33 [inline]\nrcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]\n__dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450\ndev_queue_xmit include/linux/netdevice.h:3105 [inline]\nneigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141\n__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\nip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x356/0x620 net/ipv6/ip6_output.c:247\ndst_output include/net/dst.h:450 [inline]\nNF_HOOK include/linux/netfilter.h:314 [inline]\nip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366\ninet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135\n__tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466\ntcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]\ntcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143\ntcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333\n__inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679\ninet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750\n__sys_connect_file net/socket.c:2061 [inline]\n__sys_connect+0x606/0x690 net/socket.c:2078\n__do_sys_connect net/socket.c:2088 [inline]\n__se_sys_connect net/socket.c:2085 [inline]\n__x64_sys_connect+0x91/0xe0 net/socket.c:2085\nx64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nUninit was stored to memory at:\nnf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249\nnf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344\nnft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48\nexpr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\nnft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288\nnft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161\nnf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\nnf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\nnf_hook include/linux/netfilter.h:269 [inline]\nNF_HOOK include/linux/netfilter.h:312 [inline]\nipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310\n__netif_receive_skb_one_core\n---truncated---", "A flaw was found in the Netfilter IPv6 reject code in the Linux kernel. nf_reject_ip6_tcphdr_put() appended the TCP header of a reset packet with skb_put() without clearing it, so the four reserved bits of the header (th->res1) carried uninitialised memory and were sent on the wire. This issue may allow a remote user who elicits such resets (for example by connecting to a port covered by a netfilter reject-with-tcp-reset rule over IPv6) to perform an unauthorized read of 4 bits of uninitialised kernel memory per reset packet." ],
  "statement" : "This issue is rated Moderate because the leaked data is limited to the four reserved bits of a TCP reset header that the reject code left uninitialised in the packet buffer; it does not expose arbitrary kernel memory, and availability is not affected. A remote user who elicits such resets can read 4 bits of stale memory per packet, but has no control over which memory those bits come from and cannot, on their own, use them to harm the server.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-47685\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47685\nhttps://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-47685-af1e@gregkh/T" ],
  "name" : "CVE-2024-47685",
  "mitigation" : {
    "value" : "If IPv6 or netfilter is not in use, the issue is not applicable.\nThe uninitialised bits are only emitted in TCP reset packets generated by a netfilter reject rule that answers with a TCP reset over IPv6 (nft_reject in the reported trace); a host with no such rule does not send them. An unprivileged local user who wants to trigger the issue without such a rule being present must set one up in their own network namespace, which requires the ability to create user/net namespaces.\nOn non-containerized deployments of Red Hat Enterprise Linux 8, you can disable user namespaces by setting user.max_user_namespaces to 0:\n# echo \"user.max_user_namespaces=0\" > /etc/sysctl.d/userns.conf\n# sysctl -p /etc/sysctl.d/userns.conf\nOn containerized deployments, such as Red Hat OpenShift Container Platform, do not use this mitigation, as this functionality must remain enabled.",
    "lang" : "en:us"
  },
  "csaw" : false
}
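The bug and its fix as described in the details field above, as an added example that is not part of this record and is not Red Hat's or the kernel's code: a user-space model of the two code paths in nf_reject_ip6_tcphdr_put(). The unpatched path appends the TCP header with an skb_put()-style helper and then stores the individual fields, which never writes the reserved nibble; the patched path clears the header first, as skb_put_zero() does. The sim_skb type, sim_skb_put(), sim_skb_put_zero() and fill_rst_fields() are stand-ins defined here, not kernel API; the 20-byte sample header is constructed, not captured. The TCP wire layout used (byte 12 = data offset in the high nibble, reserved bits in the low nibble) is the real one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define TCP_HDR_LEN  20
#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

/* Stand-in for sk_buff (defined for this example): a buffer plus a tail
 * cursor that the put helpers advance. */
struct sim_skb {
    uint8_t *data;
    size_t   tail;
    size_t   size;
};

/* Models kernel skb_put(): hand out len bytes at the tail WITHOUT clearing
 * them, so they still hold whatever the allocator left behind. */
static uint8_t *sim_skb_put(struct sim_skb *skb, size_t len)
{
    uint8_t *p = skb->data + skb->tail;
    skb->tail += len;
    return p;
}

/* Models kernel skb_put_zero(): the same bytes, zeroed first. */
static uint8_t *sim_skb_put_zero(struct sim_skb *skb, size_t len)
{
    return memset(sim_skb_put(skb, len), 0, len);
}

/* Field stores shared by both variants, mirroring what the reject code sets
 * on a RST.  Like the kernel's bitfield store to th->doff, the write to
 * byte 12 only touches the high nibble; nothing here writes the reserved
 * low nibble, so it keeps whatever the put helper handed out. */
static void fill_rst_fields(uint8_t *th, uint16_t sport, uint16_t dport,
                            uint32_t seq, uint32_t ack_seq)
{
    uint16_t be16;
    uint32_t be32;

    be16 = htons(sport);   memcpy(th + 0, &be16, sizeof be16);
    be16 = htons(dport);   memcpy(th + 2, &be16, sizeof be16);
    be32 = htonl(seq);     memcpy(th + 4, &be32, sizeof be32);
    be32 = htonl(ack_seq); memcpy(th + 8, &be32, sizeof be32);
    th[12] = (uint8_t)((th[12] & 0x0F) | ((TCP_HDR_LEN / 4) << 4));
    th[13] = TCP_FLAG_RST | TCP_FLAG_ACK;
    memset(th + 14, 0, 6);            /* window, checksum, urgent pointer */
}

/* Pre-fix behaviour: skb_put() and then the field stores. */
static uint8_t *put_tcphdr_vulnerable(struct sim_skb *skb, uint16_t sport,
                                      uint16_t dport, uint32_t seq, uint32_t ack)
{
    uint8_t *th = sim_skb_put(skb, TCP_HDR_LEN);
    fill_rst_fields(th, sport, dport, seq, ack);
    return th;
}

/* Post-fix behaviour: skb_put_zero() clears the whole header first. */
static uint8_t *put_tcphdr_fixed(struct sim_skb *skb, uint16_t sport,
                                 uint16_t dport, uint32_t seq, uint32_t ack)
{
    uint8_t *th = sim_skb_put_zero(skb, TCP_HDR_LEN);
    fill_rst_fields(th, sport, dport, seq, ack);
    return th;
}

/* The check to run on a captured TCP header: the reserved nibble.  A RST
 * from a host that rejects with tcp-reset and carries non-zero bits here is
 * the observable symptom of the unpatched code path. */
uint8_t tcp_reserved_bits(const uint8_t *th)
{
    return th[12] & 0x0F;
}

/* 1 if the header is a RST whose reserved bits are non-zero. */
int rst_leaks_reserved(const uint8_t *th)
{
    return (th[13] & TCP_FLAG_RST) && tcp_reserved_bits(th) != 0;
}

/* Build a RST into a buffer pre-filled with `stale` (standing in for memory
 * left over from an earlier use) and return the reserved nibble that would
 * go on the wire; fixed selects the patched path. */
uint8_t rst_reserved_bits(int fixed, uint8_t stale)
{
    uint8_t buf[64];
    struct sim_skb skb = { buf, 0, sizeof buf };
    uint8_t *th;

    memset(buf, stale, sizeof buf);
    th = fixed ? put_tcphdr_fixed(&skb, 443, 40000, 0, 1)
               : put_tcphdr_vulnerable(&skb, 443, 40000, 0, 1);
    return tcp_reserved_bits(th);
}

/* Constructed sample, not a real capture: RST/ACK, byte 12 = 0x5a, i.e.
 * data offset 5 with reserved bits 0b1010. */
const uint8_t SAMPLE_RST[TCP_HDR_LEN] = {
    0x01, 0xbb, 0x9c, 0x40,             /* sport 443, dport 40000 */
    0x00, 0x00, 0x00, 0x00,             /* seq */
    0x00, 0x00, 0x00, 0x01,             /* ack_seq */
    0x5a, 0x14,                         /* doff 5 | res 0xa, RST|ACK */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00  /* window, checksum, urg */
};

int main(void)
{
    printf("unpatched path, stale 0xFF: reserved = 0x%x\n", rst_reserved_bits(0, 0xFF));
    printf("patched path,   stale 0xFF: reserved = 0x%x\n", rst_reserved_bits(1, 0xFF));
    printf("sample RST leaks reserved bits: %s\n",
           rst_leaks_reserved(SAMPLE_RST) ? "yes" : "no");
    return 0;
}
```

On a live host the same check is done against real traffic: connect to a port that a reject-with-tcp-reset rule covers, capture the returned RST, and inspect the low nibble of byte 12 of its TCP header; a patched kernel always sends zero there.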