Linux Kernel IPv6 Datagram Control Message Handling Vulnerability Leading to Local Denial-of-Service

Vulnerability

A vulnerability in the Linux kernel's handling of IPv6 datagram control messages can lead to a local denial-of-service condition. The issue is in the `ip6_datagram_send_ctl()` function, which processes `IPV6_DSTOPTS` control messages. The function accepts repeated `IPV6_DSTOPTS` messages and accumulates their lengths into a 16-bit field (`opt_flen`) without rejecting duplicates. The length accumulator can therefore wrap around while a large destination-options header is still referenced. When the packet is transmitted, the wrapped length can result in an underflow, triggering a kernel panic via `skb_under_panic()`. The vulnerability can be exploited by an unprivileged user who holds the `CAP_NET_RAW` capability, especially when unprivileged user namespaces are enabled.

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a system crash.

Reproduction

The vulnerability can be reproduced by sending multiple `IPV6_DSTOPTS` control messages with carefully crafted headers that exploit the lack of duplicate rejection. This can be done using a small userspace proof-of-concept program that creates a user namespace and network namespace to obtain the necessary privileges.

Remediation

Users should upgrade to the patched version of the Linux kernel where this vulnerability has been addressed.
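
To help prioritise the upgrade, the following added example (not part of the advisory or the kernel project) reports whether the unprivileged user namespace precondition named above is present on a host. The sysctl files it reads are assumptions about the host: `user/max_user_namespaces` is the upstream knob, while `kernel/unprivileged_userns_clone` and `kernel/apparmor_restrict_unprivileged_userns` exist only on some Debian and Ubuntu kernels.

```shell
#!/bin/sh
# Added example: classify whether unprivileged user namespaces, the
# precondition named in the advisory, are available on this host.
# The sysctl root is a parameter so the logic can be run on a constructed tree.

# read_knob FILE -> prints the knob value, or "absent" if it does not exist
read_knob() {
    if [ -r "$1" ]; then tr -d ' \n' < "$1"; else printf 'absent'; fi
}

# userns_exposure [SYSCTL_ROOT] -> prints unknown, disabled, restricted or enabled
userns_exposure() {
    root=${1:-/proc/sys}
    max=$(read_knob "$root/user/max_user_namespaces")
    clone=$(read_knob "$root/kernel/unprivileged_userns_clone")
    aa=$(read_knob "$root/kernel/apparmor_restrict_unprivileged_userns")

    # Without the upstream knob nothing can be concluded from sysctls alone.
    if [ "$max" = "absent" ]; then echo unknown; return 0; fi
    # Upstream knob: 0 means no user namespaces can be created at all.
    if [ "$max" = "0" ]; then echo disabled; return 0; fi
    # Debian/Ubuntu knob: 0 means only privileged users may create them.
    if [ "$clone" = "0" ]; then echo disabled; return 0; fi
    # Ubuntu AppArmor knob: 1 limits them to AppArmor-permitted programs.
    if [ "$aa" = "1" ]; then echo restricted; return 0; fi
    echo enabled
}

# report -> human-readable summary for the running host
report() {
    state=$(userns_exposure)
    printf 'kernel release: %s\n' "$(uname -r)"
    printf 'unprivileged user namespaces: %s\n' "$state"
    case $state in
        enabled) echo 'precondition present: prioritise the kernel upgrade' ;;
        unknown) echo 'precondition unknown: verify manually and upgrade' ;;
        *)       echo 'precondition limited: the kernel upgrade is still required' ;;
    esac
}

# Print the summary only when asked, e.g. "sh script.sh report".
if [ "${1:-}" = "report" ]; then report; fi
```

A result of `disabled` or `restricted` only narrows who can reach the vulnerable path; processes that already hold `CAP_NET_RAW` are unaffected by these settings.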

Added: Apr 13, 2026, 3:04 PM
Updated: Apr 13, 2026, 3:04 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.