KernelScan.io

HIGH

ipv6 Route GC UAF

CVE-2023-6200

CVSS 7.5 / 10.0 (NVD)

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI score: 7.5 HIGH


A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.


Engine v0.2.0

Risk summary

An unauthenticated attacker on an adjacent network can send specially crafted ICMPv6 router advertisement packets to trigger a use-after-free condition in the IPv6 routing subsystem, potentially leading to arbitrary code execution. This affects any system with IPv6 enabled that processes router advertisements from the local network segment.

Affected: net/ipv6

Vulnerability analysis

Root Cause: The original commit 3dec89b14d37 introduced race conditions in IPv6 route garbage collection by managing expired routes with a separate list. The race occurs between the start of garbage collection, the addition of entries to the GC list, and the setting of timer values on fib6_info structures, leading to use-after-free conditions when route expiration is handled concurrently.

Attack Surface: Network-adjacent attackers can trigger this vulnerability by sending ICMPv6 router advertisement packets, which can cause route table modifications that interact with the racy garbage collection code. The attack requires adjacent network access but no authentication.

Fix Mechanism: The patch reverts the problematic commit entirely, removing the separated GC list approach and returning to the previous garbage collection mechanism. It removes the gc_link field from fib6_info structures and the tb6_gc_hlist from fib6_table, eliminating the race-prone list management that caused the UAF condition.


Branch     Fixed in   Patch commit
mainline   6.7        dade3f6a1e4e