Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.19.0-rc6-next-20260122-yocto-standard+ < 6.19.0-rc6-next-20260122-yocto-standard+
- >= d5b3a669866977dc87fd56fcf00a70df1536d258 < d5b3a669866977dc87fd56fcf00a70df1536d258
A vulnerability has been identified in the Linux kernel's CPSW Ethernet driver, in how it handles IPv6 multicast group management. A recent change removed the requirement to hold the RTNL (rtnetlink) lock during certain multicast operations. As a result, the CPSW driver attempts to update multicast addresses without holding the lock, which is a synchronization issue and triggers an assertion failure in the VLAN (Virtual Local Area Network) management code. The problem has been observed on a BeagleBone Black board running a specific Linux kernel version.
The vulnerability causes a runtime assertion failure related to VLAN management, which can disrupt normal network operations by improperly handling multicast traffic. This could lead to degraded network performance or functionality, particularly in applications relying on multicast communication.
The vulnerability can be reproduced by joining an IPv6 multicast group using the 'MCAST_JOIN_GROUP' option on a network interface managed by the CPSW driver. The operation will fail with a VLAN-related assertion error, indicating that the necessary RTNL lock was not held during the multicast update process.
The vulnerability has been addressed by modifying the CPSW driver to execute the multicast management operations within a work queue, ensuring that the RTNL lock is properly handled. Users should update to the latest version of the Linux kernel where this fix has been applied.
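To check whether a board has hit the symptom described above, the following added example (not code from this advisory or from the kernel project) scans dmesg-style text for RTNL assertion warnings whose call trace contains CPSW driver frames. The sample log, including its function names, offsets and line numbers, is constructed for illustration.

```python
import re

# Message printed by the kernel's ASSERT_RTNL() when the RTNL lock is not held.
RTNL_ASSERT = re.compile(r"RTNL: assertion failed at (\S+) \((\d+)\)")
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")   # dmesg "[   52.730190] " prefix
CPSW_FRAME = re.compile(r"\bcpsw_\w+")           # any CPSW driver symbol in a trace

# Constructed sample log: line numbers, offsets and frames are illustrative only.
SAMPLE_LOG = """\
[   52.730114] ------------[ cut here ]------------
[   52.730190] RTNL: assertion failed at net/8021q/vlan_core.c (236)
[   52.730301] WARNING: CPU: 0 PID: 412 at net/8021q/vlan_core.c:236 vlan_for_each+0x120/0x124
[   52.730415] Call trace:
[   52.730460]  vlan_for_each from cpsw_add_mc_addr+0x54/0xd8
[   52.730512]  cpsw_add_mc_addr from __hw_addr_sync_dev+0xd8/0x150
[   52.730561]  __hw_addr_sync_dev from cpsw_ndo_set_rx_mode+0x60/0x6c
[   52.730610] ---[ end trace 0000000000000000 ]---
[   60.000100] RTNL: assertion failed at net/core/dev.c (1234)
[   60.000200]  some_other_driver_op from dev_open+0x10/0x20
[   60.000300] ---[ end trace 0000000000000000 ]---
"""

def find_cpsw_rtnl_splats(log_text):
    """Return one dict per RTNL assertion whose call trace contains cpsw_* frames."""
    hits, current = [], None
    def flush():
        # Keep the splat only if the CPSW driver appears in its trace.
        if current and current["frames"]:
            hits.append(current)
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw)
        m = RTNL_ASSERT.search(line)
        if m:  # a new assertion starts; close any unterminated previous one
            flush()
            current = {"file": m.group(1), "line": int(m.group(2)), "frames": []}
        elif current is not None:
            if "---[ end trace" in line:
                flush()
                current = None
            else:
                for sym in CPSW_FRAME.findall(line):
                    if sym not in current["frames"]:
                        current["frames"].append(sym)
    flush()  # the log may be truncated before the end-of-trace marker
    return hits

if __name__ == "__main__":
    for hit in find_cpsw_rtnl_splats(SAMPLE_LOG):
        print(f'{hit["file"]}:{hit["line"]} via {", ".join(hit["frames"])}')
```

ASSERT_RTNL() is implemented with WARN_ONCE, so the warning appears at most once per boot; scan the log from boot rather than only its most recent lines.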