In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix invalid unregister error path The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL is not defined. In that case if seg6_hmac_init() fails, the genl_unregister_family() isn't called. This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() with genl_unregister_family() in this error path.
When the CONFIG_IPV6_SEG6_LWTUNNEL option is not defined and the seg6_hmac_init() function fails, the error handling path in seg6_init() does not call genl_unregister_family(). This causes an incorrect internal kernel state — resources are not properly freed or unregistered. The bug has existed since commit 46738b1317e1, and the subsequent change (5559cea2d5aa) replaced unregister_pernet_subsys() with a call to genl_unregister_family() in this path, but did not fix the original problem of missing this function call under specific conditions.
An attacker or incorrect system state can lead to use-after-free or NULL pointer dereference in kernel space, which may result in privilege escalation, disclosure of sensitive data, or system failure (denial of service).
Patches available from the vendor should be applied in accordance with references — fixes have been published in stable Linux kernel branches and are available at the addresses indicated in the CVE references section.
Linux Kernel — versions indicated in vendor references (patches available in stable branches referenced by git.kernel.org)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux4.10 – 4.19.316 (bez)4.20 – 5.4.278 (bez)5.5 – 5.10.219 (bez)5.11 – 5.15.161 (bez)5.16 – 6.1.93 (bez)6.2 – 6.6.33 (bez)6.7 – 6.8.12 (bez)6.9 – 6.9.3 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...