Linux Kernel Slab-Use-After-Free Vulnerability in IPv6 VTI Device

A slab-use-after-free vulnerability has been identified in the Linux kernel's IPv6 Virtual Tunnel Interface (VTI) handling. This issue occurs when an IPv6 VTI device is configured with a Stochastic Fairness Buffer (SFB) queueing discipline. In this scenario, the control block (cb) field of the transmitted socket buffer (skb) can be altered during the enqueuing process. As a result, when the IPv6 VTI device transmits IPv6 packets, it may lead to a use-after-free condition, where the system attempts to access memory that has already been freed, potentially causing instability or exploitation opportunities.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption. Such memory corruption vulnerabilities can often be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

To reproduce this vulnerability, configure an IPv6 VTI device to use the SFB queueing discipline. Once this configuration is in place, transmit IPv6 packets through the VTI device. The vulnerability can be observed as a use-after-free error, which can be detected using Kernel Address Sanitizer (KASAN)

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.