HIGH
ipv6 mcast UAF
CVE-2025-21759
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: extend RCU protection in igmp6_send()

igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF.

Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection.
02 KernelScan AI Analysis
Risk summary
An attacker could trigger a use-after-free in the IPv6 multicast code by causing concurrent access to network namespace structures while an IGMP message is being sent. This could lead to kernel crashes or potentially arbitrary code execution with kernel privileges.
Vulnerability analysis
Root Cause: igmp6_send() accesses the network namespace pointer (net) and socket (sk) without RCU protection, yet it can be called with neither RTNL nor RCU held. This creates a race in which the network namespace or socket can be freed while still being accessed, resulting in a use-after-free.
Attack Surface: This vulnerability affects IPv6 multicast functionality and can be triggered through network operations that send IGMP messages. The attack surface includes any code path that calls igmp6_send() without proper locking, which could be triggered by network events or user-space operations involving IPv6 multicast.
Fix Mechanism: The patch extends RCU protection around the entire function to safely access the network namespace pointer via dev_net_rcu(dev). It also changes the memory allocation strategy from sock_alloc_send_skb() to alloc_skb() followed by skb_set_owner_w() to avoid sleeping allocations within the RCU critical section, since the IGMP socket uses GFP_KERNEL allocations.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.16 | 0bf8e2f37686 |
| 6.13 | 6.13.4 | 8e92d6a413fe |
| 6.6 | 6.6.79 | 81b25a07ebf5 |
| mainline | 6.14 | 087c1faa594f |
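A defender-side check against the fix table above, added here as an example and not part of KernelScan's tooling: it parses a `uname -r` string and reports whether the running kernel is on a branch and patch level that carries the fix. Branches the table does not list (for example 6.1) and release candidates are reported as unknown, because backports there must be confirmed from the distribution changelog rather than guessed from the version number.

```python
"""Classify a kernel release string against the CVE-2025-21759 fix table."""
import re

# Branch -> first stable release carrying the fix (values from the table above).
FIXED_IN = {
    (6, 12): (6, 12, 16),
    (6, 13): (6, 13, 4),
    (6, 6): (6, 6, 79),
}
# The mainline fix landed in 6.14, so any later release carries it.
MAINLINE_FIXED = (6, 14, 0)

# Accepts forms such as '6.12.15-amd64', '6.6' or '6.14-rc3'.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?")


def parse_kernel_version(release: str):
    """Return (major, minor, patch, is_rc) parsed from a 'uname -r' string."""
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), rc is not None


def fix_status(release: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for the given release string.

    'unknown' covers release candidates and stable branches the advisory does
    not list; vendor kernels on those branches need a changelog check.
    """
    major, minor, patch, is_rc = parse_kernel_version(release)
    if is_rc:
        return "unknown"
    version = (major, minor, patch)
    branch = (major, minor)
    if branch in FIXED_IN:
        return "fixed" if version >= FIXED_IN[branch] else "vulnerable"
    if version >= MAINLINE_FIXED:
        return "fixed"
    return "unknown"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"{rel}: {fix_status(rel)}")
```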