CVE-2024-38558 Overview
CVE-2024-38558 is a memory corruption vulnerability in the Linux kernel's Open vSwitch (OVS) implementation that affects the handling of ICMPv6 packets during conntrack tuple processing. The flaw occurs when parsing ICMPv6 headers through the OVS_PACKET_CMD_EXECUTE path, where the packet parsing code incorrectly zeroes out fields in the sw_flow_key structure that share memory space with conntrack original tuple metadata.
The vulnerability stems from a union memory overlap between the ipv6.nd (Neighbor Discovery) field and ipv6.ct_orig (conntrack original tuple) in the kernel's flow key structure. When processing non-ND ICMPv6 packets (such as Echo requests), the code erroneously clears ND-related fields, which overwrites critical conntrack metadata and corrupts all but the last 4 bytes of the destination address in the original tuple.
Critical Impact
Exploitation can lead to incorrect packet matching and potentially to wrong actions being executed on packets that recirculate within the OVS datapath or return to userspace, causing denial of service conditions in network virtualization environments.
Affected Products
- Linux Kernel (multiple versions with Open vSwitch support)
- Systems running OVS datapath with ICMPv6 conntrack enabled
- Network virtualization environments using Open vSwitch
Discovery Timeline
- June 19, 2024 - CVE-2024-38558 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-38558
Vulnerability Analysis
The vulnerability exists in the Open vSwitch packet execution path within the Linux kernel. The OVS_PACKET_CMD_EXECUTE command processes three main attributes: OVS_PACKET_ATTR_KEY containing packet metadata in netlink format, OVS_PACKET_ATTR_PACKET with binary packet content, and OVS_PACKET_ATTR_ACTIONS specifying actions to execute.
During processing, OVS_PACKET_ATTR_KEY is parsed first to populate the sw_flow_key structure with metadata including conntrack state, input port, and recirculation ID. Subsequently, the packet headers are parsed to populate remaining keys.
The core issue arises because the ipv6 field in the flow key structure is a union that shares memory between the nd (Neighbor Discovery) field and ct_orig (conntrack original tuple) field. When ICMPv6 header parsing begins, the code unconditionally executes memset() to zero out ND fields—even for non-ND packets like ICMPv6 Echo requests. This operation overwrites the previously parsed conntrack original tuple metadata, corrupting the destination address and breaking packet flow matching.
Root Cause
The root cause is improper initialization logic in the ICMPv6 parsing code path. The memset() operation that clears Neighbor Discovery fields was executed for all ICMPv6 packets rather than only for actual ND packets. This design flaw, combined with the union-based memory sharing between ipv6.nd and ipv6.ct_orig, creates a situation where legitimate conntrack metadata is overwritten.
The fix modifies the parsing logic to only execute memset() for actual Neighbor Discovery packets, preserving conntrack tuple integrity for other ICMPv6 packet types. The vulnerability is classified under CWE-665 (Improper Initialization).
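To make the union overlap concrete, the following is an added C model (not the kernel's code) of the ipv6 part of sw_flow_key, with the pre-fix and post-fix ICMPv6 parsing logic side by side. The struct layout, type constants and 0xAA marker byte are constructed for illustration; the field sizes follow the page's description, so the model reproduces the "all but the last 4 bytes of the destination address" corruption.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the ipv6 part of sw_flow_key (not the kernel's struct):
 * ct_orig and nd share one union. nd is 16+6+6 = 28 bytes and ct_orig is 32,
 * so zeroing nd wipes ct_orig.src and the first 12 bytes of ct_orig.dst. */
#define ETH_ALEN 6
#define ICMPV6_ECHO_REQUEST 128
#define NDISC_NEIGHBOUR_SOLICITATION 135
#define NDISC_NEIGHBOUR_ADVERTISEMENT 136

struct flow_key {
	struct {
		union {
			struct { uint8_t src[16]; uint8_t dst[16]; } ct_orig;
			struct { uint8_t target[16]; uint8_t sll[ETH_ALEN]; uint8_t tll[ETH_ALEN]; } nd;
		};
	} ipv6;
};
_Static_assert(sizeof(((struct flow_key *)0)->ipv6.nd) == 28, "nd must cover 28 of the 32 ct_orig bytes");

/* Pre-fix logic: ND fields are zeroed for every ICMPv6 packet, ND or not. */
static void parse_icmpv6_before_fix(struct flow_key *key, uint8_t type, uint8_t code)
{
	(void)type; (void)code;
	memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd));
}

/* Post-fix logic: ND fields are zeroed only for actual NS/NA packets. */
static void parse_icmpv6_after_fix(struct flow_key *key, uint8_t type, uint8_t code)
{
	if (code == 0 && (type == NDISC_NEIGHBOUR_SOLICITATION ||
			  type == NDISC_NEIGHBOUR_ADVERTISEMENT))
		memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd));
}

/* Mimic OVS_PACKET_CMD_EXECUTE: ct_orig from OVS_PACKET_ATTR_KEY is stored first (a
 * constructed 0xAA marker here), then ICMPv6 is parsed. Returns intact bytes of src/dst. */
static int bytes_kept(void (*parse)(struct flow_key *, uint8_t, uint8_t),
		      uint8_t type, int check_dst)
{
	struct flow_key key;
	memset(&key, 0xAA, sizeof(key));
	parse(&key, type, 0);
	const uint8_t *p = check_dst ? key.ipv6.ct_orig.dst : key.ipv6.ct_orig.src;
	int kept = 0;
	for (int i = 0; i < 16; i++)
		kept += (p[i] == 0xAA);
	return kept;
}
```

With the pre-fix parser an Echo request leaves 0 of 16 source bytes and only the last 4 destination bytes of the original tuple intact; the post-fix parser leaves all 32 bytes untouched and still clears the ND fields for a real Neighbor Solicitation.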
Attack Vector
The attack vector is local, requiring the attacker to have the ability to inject crafted packets through the OVS datapath using the OVS_PACKET_CMD_EXECUTE interface. The vulnerability specifically affects:
- ICMPv6 packets (non-ND types) with existing conntrack state
- Packets processed through the userspace-to-kernel OVS execution path
- Scenarios where packets recirculate within the datapath
The vulnerability does not affect packets entering OVS datapath from network interfaces, as in those cases conntrack metadata is populated from the socket buffer after packet parsing completes.
Detection Methods for CVE-2024-38558
Indicators of Compromise
- Unexpected packet drops or misrouting in OVS-managed network environments
- Anomalous ICMPv6 Echo packet behavior with incorrect flow matching
- Conntrack table inconsistencies showing corrupted destination addresses
- Increased recirculation failures in OVS datapath logs
Detection Strategies
- Monitor OVS datapath logs for flow matching errors involving ICMPv6 packets
- Audit systems for kernel versions lacking the security patches (commits 0b532f5, 431e921, 483eb70, 5ab6aec, 6a51ac9, 78741b4, 7c98817, 9ec8b0c, d73fb8b)
- Implement network monitoring for unexpected ICMPv6 packet handling anomalies
- Review conntrack table entries for address corruption patterns
Monitoring Recommendations
- Enable detailed logging for OVS conntrack operations to identify tuple corruption
- Deploy kernel tracing (ftrace/eBPF) on production systems to monitor OVS_PACKET_CMD_EXECUTE operations
- Configure alerts for unusual ICMPv6 traffic patterns in virtualized network environments
How to Mitigate CVE-2024-38558
Immediate Actions Required
- Update the Linux kernel to a patched version containing the security fix
- If immediate patching is not possible, consider disabling ICMPv6 conntrack in OVS datapath configurations
- Monitor affected systems for signs of exploitation until patches are applied
- Review OVS flow rules for potential impact from misrouted packets
Patch Information
Linux kernel maintainers have released patches across multiple stable branches. The fix modifies the ICMPv6 parsing logic to execute memset() only for actual Neighbor Discovery packets, preventing the overwrite of conntrack original tuple data.
Security patches are available through the following kernel commits:
- Linux Kernel Commit 0b532f5
- Linux Kernel Commit 431e921
- Linux Kernel Commit 483eb70
- Linux Kernel Commit 5ab6aec
- Linux Kernel Commit 6a51ac9
- Linux Kernel Commit 78741b4
- Linux Kernel Commit 7c98817
- Linux Kernel Commit 9ec8b0c
- Linux Kernel Commit d73fb8b
Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Limit use of OVS_PACKET_CMD_EXECUTE path for ICMPv6 packets with conntrack state
- Implement network segmentation to reduce exposure of OVS datapath interfaces
- Consider using alternative packet processing paths where conntrack metadata integrity is critical
# Check current kernel version for vulnerability status
uname -r
# Verify OVS module version
modinfo openvswitch | grep -E "^(version|vermagic)"
# Review active OVS flows for ICMPv6 conntrack rules
ovs-ofctl dump-flows br0 | grep icmp6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.