CVE-2024-38612 Overview
CVE-2024-38612 is a Use After Free vulnerability in the Linux kernel's IPv6 Segment Routing (SR) implementation. The flaw exists in the error handling path of the seg6_init() function when the CONFIG_IPV6_SEG6_LWTUNNEL configuration option is not defined. When seg6_hmac_init() fails under these conditions, the genl_unregister_family() function is not called, leaving resources in an inconsistent state that could lead to use-after-free conditions and potential null pointer dereferences.
Critical Impact
This vulnerability can be exploited over the network without authentication, potentially allowing attackers to compromise system confidentiality, integrity, and availability through memory corruption attacks.
Affected Products
- Linux Kernel (multiple versions affected)
- Debian Linux (see Debian LTS Announcement)
- Systems with IPv6 Segment Routing functionality enabled
Discovery Timeline
- June 19, 2024 - CVE-2024-38612 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-38612
Vulnerability Analysis
This vulnerability stems from an improper error handling path in the IPv6 Segment Routing initialization code. The issue was introduced in commit 46738b1317e1 which added an option to control lightweight tunnel support. A subsequent fix in commit 5559cea2d5aa attempted to address a related use-after-free and null-ptr-deref issue by replacing unregister_pernet_subsys() with genl_unregister_family() in the error path, but introduced this new flaw in the process.
When the kernel is compiled without CONFIG_IPV6_SEG6_LWTUNNEL support and seg6_hmac_init() fails during initialization, the generic netlink family remains registered despite the initialization failure. This creates a scenario where subsequent operations may reference deallocated memory or uninitialized structures, leading to potential use-after-free conditions.
The vulnerability is exploitable over the network, requires no privileges, and can impact systems without user interaction. Successful exploitation could result in complete compromise of system confidentiality, integrity, and availability.
Root Cause
The root cause is a missing call to genl_unregister_family() in a specific error path within seg6_init(). The conditional compilation path for systems without CONFIG_IPV6_SEG6_LWTUNNEL did not properly clean up the registered generic netlink family when HMAC initialization failed, leaving the system in an inconsistent state with dangling references.
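The unwinding flaw described above, as an added userspace model in C (not kernel source and not code from this advisory). The struct, the function names, the boolean standing in for CONFIG_IPV6_SEG6_LWTUNNEL and the per-netns step are assumptions of the model. It shows that a failing HMAC init leaves the generic netlink family registered only in the build without lwtunnel support, and that an unconditional unregister in the error path closes the gap.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the init/unwind pattern; not kernel source.
 * Struct, field and function names are hypothetical stand-ins. */
struct seg6_model {
    bool pernet;    /* per-netns state registered (model assumption) */
    bool genl;      /* generic netlink family registered */
    bool lwtunnel;  /* lightweight tunnel handlers initialised */
};

/* lwt_built models CONFIG_IPV6_SEG6_LWTUNNEL being defined.
 * hmac_err is what the modelled seg6_hmac_init() returns (0 = success).
 * fixed selects an unwind that always unregisters the genl family. */
static int model_seg6_init(struct seg6_model *m, bool lwt_built,
                           int hmac_err, bool fixed)
{
    m->pernet = true;
    m->genl = true;
    if (lwt_built)
        m->lwtunnel = true;
    if (hmac_err)
        goto unwind;
    return 0;

unwind:
    if (lwt_built)
        m->lwtunnel = false;
    /* Flawed unwind: this cleanup exists only in lwtunnel builds. */
    if (lwt_built || fixed)
        m->genl = false;
    m->pernet = false;
    return hmac_err;
}

/* True when init reported failure but the family is still registered. */
static bool genl_left_registered(bool lwt_built, int hmac_err, bool fixed)
{
    struct seg6_model m = { false, false, false };
    int err = model_seg6_init(&m, lwt_built, hmac_err, fixed);
    return err != 0 && m.genl;
}

int main(void)
{
    /* -12 is a constructed error value for the failing HMAC init. */
    printf("flawed=%d fixed=%d\n", genl_left_registered(false, -12, false),
           genl_left_registered(false, -12, true));
    return 0;
}
```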
Attack Vector
An attacker could potentially exploit this vulnerability by triggering the error condition during IPv6 Segment Routing initialization, then interacting with the improperly cleaned-up generic netlink family. Since the attack vector is network-based and requires no authentication, remote attackers on systems with IPv6 SR functionality could potentially leverage this flaw.
The exploitation scenario involves manipulating the timing or conditions under which seg6_hmac_init() fails, then using the dangling generic netlink registration to access freed memory or trigger null pointer dereferences.
Detection Methods for CVE-2024-38612
Indicators of Compromise
- Kernel panic or crash messages related to IPv6 Segment Routing (seg6) subsystem
- Null pointer dereference errors in kernel logs associated with generic netlink operations
- Unexpected system instability or crashes when IPv6 networking is in use
- Memory corruption indicators in kernel debugging output
Detection Strategies
- Monitor kernel logs for messages containing seg6, genl_unregister_family, or seg6_hmac_init error conditions
- Deploy kernel integrity monitoring to detect unauthorized memory access patterns
- Implement network-based intrusion detection for anomalous IPv6 Segment Routing packets
- Use kernel memory debugging tools (KASAN, KMSAN) in development environments to detect use-after-free conditions
Monitoring Recommendations
- Enable kernel auditing for networking subsystem operations
- Configure centralized logging for kernel messages across all Linux systems
- Implement automated alerting on kernel crash or panic events
- Monitor for unusual IPv6 traffic patterns that may indicate exploitation attempts
How to Mitigate CVE-2024-38612
Immediate Actions Required
- Update the Linux kernel to a patched version as soon as possible
- Review system configurations to determine if CONFIG_IPV6_SEG6_LWTUNNEL is enabled or disabled
- Consider disabling IPv6 Segment Routing functionality if not required
- Implement network segmentation to limit exposure of vulnerable systems
Patch Information
Multiple patches have been released to address this vulnerability across different kernel versions. Apply the appropriate patch for your kernel version:
- Kernel Stable Commit 00e6335
- Kernel Stable Commit 1061057
- Kernel Stable Commit 160e9d2
- Kernel Stable Commit 1a63730
- Kernel Stable Commit 3398a40
- Kernel Stable Commit 646cd23
- Kernel Stable Commit 85a70ff
- Kernel Stable Commit c04d6a9
- Kernel Stable Commit e77a3ec
Debian users should refer to the Debian LTS Announcement for distribution-specific patches.
Workarounds
- Disable IPv6 Segment Routing at the kernel level if not required for operations
- Implement strict network filtering to block potentially malicious IPv6 SR packets
- Use network-level controls to restrict access to systems with vulnerable kernel versions
- Consider running workloads in containers with restricted network namespaces to limit exposure
# Check if IPv6 Segment Routing is enabled
cat /proc/sys/net/ipv6/conf/all/seg6_enabled
# Disable IPv6 Segment Routing if not needed
sysctl -w net.ipv6.conf.all.seg6_enabled=0
sysctl -w net.ipv6.conf.default.seg6_enabled=0
# Make persistent across reboots
echo "net.ipv6.conf.all.seg6_enabled = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.seg6_enabled = 0" >> /etc/sysctl.conf

