{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2024-40957",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-07-12T12:17:45.593Z",
        "datePublished": "2024-07-12T12:31:59.747Z",
        "dateUpdated": "2024-09-11T17:34:24.035Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-07-15T06:52:11.461Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\n\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n\n    [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n    [74830.655633] #PF: supervisor read access in kernel mode\n    [74830.657888] #PF: error_code(0x0000) - not-present page\n    [74830.659500] PGD 0 P4D 0\n    [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n    ...\n    [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n    [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n    ...\n    [74830.689725] Call Trace:\n    [74830.690402]  <IRQ>\n    [74830.690953]  ? show_trace_log_lvl+0x1c4/0x2df\n    [74830.692020]  ? show_trace_log_lvl+0x1c4/0x2df\n    [74830.693095]  ? ipt_do_table+0x286/0x710 [ip_tables]\n    [74830.694275]  ? __die_body.cold+0x8/0xd\n    [74830.695205]  ? page_fault_oops+0xac/0x140\n    [74830.696244]  ? exc_page_fault+0x62/0x150\n    [74830.697225]  ? asm_exc_page_fault+0x22/0x30\n    [74830.698344]  ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n    [74830.699540]  ipt_do_table+0x286/0x710 [ip_tables]\n    [74830.700758]  ? ip6_route_input+0x19d/0x240\n    [74830.701752]  nf_hook_slow+0x3f/0xb0\n    [74830.702678]  input_action_end_dx4+0x19b/0x1e0\n    [74830.703735]  ? input_action_end_t+0xe0/0xe0\n    [74830.704734]  seg6_local_input_core+0x2d/0x60\n    [74830.705782]  lwtunnel_input+0x5b/0xb0\n    [74830.706690]  __netif_receive_skb_one_core+0x63/0xa0\n    [74830.707825]  process_backlog+0x99/0x140\n    [74830.709538]  __napi_poll+0x2c/0x160\n    [74830.710673]  net_rx_action+0x296/0x350\n    [74830.711860]  __do_softirq+0xcb/0x2ac\n    [74830.713049]  do_softirq+0x63/0x90\n\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\n\n    static bool\n    rpfilter_is_loopback(const struct sk_buff *skb,\n          \t       const struct net_device *in)\n    {\n            // in is NULL\n            return skb->pkt_type == PACKET_LOOPBACK ||\n          \t in->flags & IFF_LOOPBACK;\n    }"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "net/ipv6/seg6_local.c"
                    ],
                    "versions": [
                        {
                            "version": "7a3f5b0de364",
                            "lessThan": "af90e3d73dc4",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "7a3f5b0de364",
                            "lessThan": "ec4d970b597e",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "7a3f5b0de364",
                            "lessThan": "d62df86c1720",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "7a3f5b0de364",
                            "lessThan": "561475d53aa7",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "7a3f5b0de364",
                            "lessThan": "9a3bc8d16e0a",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "net/ipv6/seg6_local.c"
                    ],
                    "versions": [
                        {
                            "version": "5.15",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "5.15",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.15.162",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.1.96",
                            "lessThanOrEqual": "6.1.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.6.36",
                            "lessThanOrEqual": "6.6.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.9.7",
                            "lessThanOrEqual": "6.9.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.10",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d"
                },
                {
                    "url": "https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4"
                },
                {
                    "url": "https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6"
                },
                {
                    "url": "https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c"
                },
                {
                    "url": "https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779"
                }
            ],
            "title": "seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors",
            "x_generator": {
                "engine": "bippy-c9c4e1df01b2"
            }
        },
        "adp": [
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-02T04:39:55.923Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            },
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2024-40957",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2024-09-10T17:03:38.761289Z"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-09-11T17:34:24.035Z"
                }
            }
        ]
    }
}