Linux Kernel ICMPv6 Null Pointer Dereference Vulnerability in IPv6 Extension Headers

A null pointer dereference vulnerability has been identified in the Linux kernel's ICMPv6 handling. This issue arises when certain IPv6 extension headers, such as RPL or SRv6, are used to send packets with link-local addresses as the source and destination. If these packets are forwarded to an external IP, the ICMPv6 processing can dereference a null pointer, leading to a kernel panic. The vulnerability is present in the Linux kernel stable tree, specifically in versions through 6.4.0-11996-gb121d614371c.

Impact

Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, first enable Segment Routing (SRv6) support by setting the appropriate sysctl parameter. Then, use a Python script with the Scapy library to craft and send an IPv6 packet. The packet should have a link-local address as both the source and destination, and include a Segment Routing extension header that directs the packet to an external IP. When the packet is processed, the ICMPv6 handling will dereference a null pointer, causing a kernel panic.

Remediation

Users can upgrade to the latest version of the Linux kernel to address this vulnerability. The patched version is available in the Linux kernel stable tree.