ghsa-cfq2-3x3p-fqxp
Vulnerability from github
Published
2025-05-01 15:31
Modified
2025-05-07 15:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

net, neigh: Fix null-ptr-deref in neigh_table_clear()

When IPv6 module gets initialized but hits an error in the middle, kenel panic with:

KASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f] CPU: 1 PID: 361 Comm: insmod Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:__neigh_ifdown.isra.0+0x24b/0x370 RSP: 0018:ffff888012677908 EFLAGS: 00000202 ... Call Trace: neigh_table_clear+0x94/0x2d0 ndisc_cleanup+0x27/0x40 [ipv6] inet6_init+0x21c/0x2cb [ipv6] do_one_initcall+0xd3/0x4d0 do_init_module+0x1ae/0x670 ... Kernel panic - not syncing: Fatal exception

When ipv6 initialization fails, it will try to cleanup and calls:

neigh_table_clear() neigh_ifdown(tbl, NULL) pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev == NULL)) # dev_net(NULL) triggers null-ptr-deref.

Fix it by passing NULL to pneigh_queue_purge() in neigh_ifdown() if dev is NULL, to make kernel not panic immediately.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, neigh: Fix null-ptr-deref in neigh_table_clear()\n\nWhen IPv6 module gets initialized but hits an error in the middle,\nkenel panic with:\n\nKASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f]\nCPU: 1 PID: 361 Comm: insmod\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:__neigh_ifdown.isra.0+0x24b/0x370\nRSP: 0018:ffff888012677908 EFLAGS: 00000202\n...\nCall Trace:\n \u003cTASK\u003e\n neigh_table_clear+0x94/0x2d0\n ndisc_cleanup+0x27/0x40 [ipv6]\n inet6_init+0x21c/0x2cb [ipv6]\n do_one_initcall+0xd3/0x4d0\n do_init_module+0x1ae/0x670\n...\nKernel panic - not syncing: Fatal exception\n\nWhen ipv6 initialization fails, it will try to cleanup and calls:\n\nneigh_table_clear()\n  neigh_ifdown(tbl, NULL)\n    pneigh_queue_purge(\u0026tbl-\u003eproxy_queue, dev_net(dev == NULL))\n    # dev_net(NULL) triggers null-ptr-deref.\n\nFix it by passing NULL to pneigh_queue_purge() in neigh_ifdown() if dev\nis NULL, to make kernel not panic immediately.",
  "id": "GHSA-cfq2-3x3p-fqxp",
  "modified": "2025-05-07T15:31:26Z",
  "published": "2025-05-01T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49904"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d38b4ca6679e72860ff8730e79bb99d0e9fa3b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c89642e7f2b7ecc9635610653f5c2f0276c0051"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b45d6d0c41cb9593868e476681efb1aae5078a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a99a8ec4c62180c889482a2ff6465033e0743458"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b49f6b2f21f543d4dc88fb7b1ec2adccb822f27c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b736592de2aa53aee2d48d6b129bc0c892007bbe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8017317cb0b279b8ab98b0f3901a2e0ac880dad"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.