Linux Kernel Slab-Use-After-Free Vulnerability in XFRM IPv6 Packet Processing

Vulnerability

A slab-use-after-free vulnerability has been identified in the Linux kernel's XFRM (IPsec) subsystem, specifically in the handling of IPv6 packets. The issue arises when an XFRM device is configured with the 'sfb' queuing discipline. During packet transmission, the control block (cb) field of the socket buffer (skb) can be inadvertently altered, which leads to a use-after-free when IPv6 packets are sent. The vulnerability has been observed in Linux kernel versions prior to 6.4.0.

Impact

The resulting use-after-free may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, configure an XFRM device to use the 'sfb' queuing discipline. Then, send IPv6 packets through the device. The control block of the socket buffer will be modified during the enqueuing process, creating a use-after-free condition when the packets are transmitted.

Remediation

Users can upgrade to the latest version of the Linux kernel to address this vulnerability. The issue has been fixed in the official Linux Git repository.
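
A check for the configuration the Reproduction section describes, as an added example that is not part of the advisory: it lists XFRM interfaces carrying an 'sfb' qdisc and compares the kernel release against 6.4. The function names and the sample `ip`/`tc` output are constructed for illustration, and the version test is a heuristic because a distribution kernel may carry a backported fix.

```shell
#!/bin/sh
# Added example (not from the advisory): report XFRM interfaces with an 'sfb' qdisc.

# Constructed sample of `ip -o link show type xfrm` output.
SAMPLE_IP='5: xfrm0@eth0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc sfb state UNKNOWN qlen 1000
6: xfrm1@eth0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000'
# Constructed sample of `tc qdisc show` output (sfb parameters shortened).
SAMPLE_TC='qdisc noqueue 0: dev lo root refcnt 2
qdisc sfb 1: dev eth0 root refcnt 2 limit 1000 max 25 target 20
qdisc sfb 8001: dev xfrm0 root refcnt 2 limit 1000 max 25 target 20
qdisc noqueue 0: dev xfrm1 root refcnt 2'

# Succeeds if a `uname -r` style release is older than 6.4.
# Heuristic: a distribution kernel may carry a backported fix.
kernel_before_6_4() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "${minor:-0}" -lt 4 ]; }
}

# $1: `ip -o link show type xfrm` output, $2: `tc qdisc show` output.
# Prints each XFRM interface that has an sfb qdisc (root or child), one per line.
sfb_on_xfrm() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { tc = 1; next }
        !tc && NF >= 2 {                 # "5: xfrm0@eth0: <...>" -> "xfrm0"
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            xfrm[name] = 1; next
        }
        tc && $1 == "qdisc" && $2 == "sfb" {
            for (i = 3; i < NF; i++)
                if ($i == "dev" && ($(i + 1) in xfrm) && !seen[$(i + 1)]++)
                    print $(i + 1)
        }'
}

# Live check for the running host (needs iproute2); call it explicitly.
check_host() {
    hits=$(sfb_on_xfrm "$(ip -o link show type xfrm)" "$(tc qdisc show)")
    [ -z "$hits" ] && return 0
    kernel_before_6_4 "$(uname -r)" && echo "kernel $(uname -r) predates 6.4"
    echo "sfb qdisc on XFRM interface(s): $hits"
}

sfb_on_xfrm "$SAMPLE_IP" "$SAMPLE_TC"   # constructed samples; prints: xfrm0
```

Run `check_host` on a live system to apply the same parsing to the real `ip` and `tc` output.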

Added: Oct 1, 2025, 1:57 PM
Updated: Oct 1, 2025, 1:57 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.