CVE-2024-47685 Overview
CVE-2024-47685 is an uninitialized memory use vulnerability in the Linux kernel's netfilter subsystem, specifically affecting the nf_reject_ip6_tcphdr_put() function in the IPv6 reject module. The vulnerability was discovered through syzbot fuzzing, which identified that the function was potentially sending uninitialized data (garbage values) in the four reserved TCP header bits (th->res1) when constructing TCP RST packets for IPv6 connection rejection.
The flaw occurs because the TCP header memory was not being properly zeroed before use, unlike its IPv4 counterpart nf_reject_ip_tcphdr_put() which correctly uses skb_put_zero() to clear the entire TCP header structure. This inconsistency allows kernel memory contents to leak through outbound network packets.
Critical Impact
This vulnerability enables network-based information disclosure of uninitialized kernel memory contents and can cause denial of service conditions in affected Linux systems using IPv6 netfilter reject rules.
Affected Products
- Linux Kernel (multiple versions with netfilter IPv6 reject functionality)
- Debian Linux 11.0
Discovery Timeline
- October 21, 2024 - CVE-2024-47685 published to NVD
- November 18, 2025 - Last updated in NVD database
Technical Details for CVE-2024-47685
Vulnerability Analysis
This vulnerability stems from improper initialization of memory used for TCP header construction in the kernel's netfilter IPv6 rejection code path. When the kernel generates a TCP RST (reset) packet to reject an IPv6 connection through netfilter rules, the nf_reject_ip6_tcphdr_put() function allocates space for the TCP header but fails to zero-initialize it completely.
The consequence is that uninitialized kernel memory, potentially containing sensitive data from previous operations, can be transmitted in the reserved bits of outgoing TCP RST packets. While the reserved bits (res1) are typically ignored by receiving TCP implementations, their contents traverse the network and could be captured by attackers for information gathering purposes.
The vulnerability is exploitable remotely without authentication through network traffic that triggers IPv6 netfilter reject rules. An attacker can craft packets designed to be rejected by the target system's firewall, causing the generation of RST packets containing leaked memory contents.
Root Cause
The root cause is a missing memory initialization call in nf_reject_ip6_tcphdr_put() located in net/ipv6/netfilter/nf_reject_ipv6.c. The function uses skb_put() to allocate TCP header space without clearing it, while the equivalent IPv4 function nf_reject_ip_tcphdr_put() properly uses skb_put_zero() to ensure the header is zero-initialized.
This inconsistency between IPv4 and IPv6 code paths represents a common pattern of vulnerabilities where parallel implementations diverge in security-critical details. The KMSAN (Kernel Memory Sanitizer) tool flagged this as an uninitialized value at offset +0x688 within the function.
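As an added illustration of the root cause (not kernel code, and not from this page), the mock below reuses a buffer that still holds stale bytes and fills in a TCP RST header the way nf_reject_ip6_tcphdr_put() does, once with a skb_put()-style reserve and once with a skb_put_zero()-style reserve. The mock_skb type, the mock_put() helpers and the 0xAA stale pattern are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPHDR_LEN 20
#define STALE_BYTE 0xAA   /* constructed stand-in for leftover kernel data */

/* Minimal stand-in for a sk_buff: a buffer that was used before and still
 * holds stale bytes, plus a tail offset. */
struct mock_skb {
    uint8_t buf[64];
    size_t  tail;
};

/* Like skb_put(): reserve len bytes at the tail, contents left as they are. */
static uint8_t *mock_put(struct mock_skb *skb, size_t len) {
    uint8_t *p = skb->buf + skb->tail;
    skb->tail += len;
    return p;
}

/* Like skb_put_zero(): reserve len bytes and zero-fill them. */
static uint8_t *mock_put_zero(struct mock_skb *skb, size_t len) {
    uint8_t *p = mock_put(skb, len);
    memset(p, 0, len);
    return p;
}

/* Fill in a TCP RST header the way nf_reject_ip6_tcphdr_put() does: doff is
 * written as a bitfield (high nibble of byte 12), a read-modify-write that
 * leaves the res1 nibble untouched; the flags byte (13) is cleared before the
 * RST flag is set. Returns the res1 nibble that would go on the wire. */
static int build_rst(struct mock_skb *skb, int zeroed) {
    memset(skb->buf, STALE_BYTE, sizeof skb->buf);   /* earlier use of the buffer */
    skb->tail = 0;
    uint8_t *th = zeroed ? mock_put_zero(skb, TCPHDR_LEN) : mock_put(skb, TCPHDR_LEN);
    th[12] = (uint8_t)((th[12] & 0x0F) | ((TCPHDR_LEN / 4) << 4)); /* tcph->doff = 5 */
    th[13] = 0x04;                           /* flags byte cleared, then tcph->rst = 1 */
    return th[12] & 0x0F;                                           /* tcph->res1 */
}

int vulnerable_res1(void) { struct mock_skb s; return build_rst(&s, 0); }  /* skb_put() */
int fixed_res1(void)      { struct mock_skb s; return build_rst(&s, 1); }  /* skb_put_zero() */

int main(void) {
    printf("before fix (skb_put):     res1 = 0x%x\n", vulnerable_res1());
    printf("after fix (skb_put_zero): res1 = 0x%x\n", fixed_res1());
    return 0;
}
```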
Attack Vector
The vulnerability can be exploited through the following attack flow:
- An attacker sends specially crafted IPv6 packets to a target system
- The target's netfilter rules trigger packet rejection via nft_reject_inet_eval()
- The kernel calls nf_send_reset6() to generate a TCP RST response
- nf_reject_ip6_tcphdr_put() constructs the TCP header with uninitialized memory in the reserved bits
- The RST packet containing leaked memory is transmitted back to the attacker
- The attacker captures and analyzes the response packets to extract kernel memory contents
The attack requires the target to have IPv6 enabled with netfilter reject rules configured. The leaked memory fragments can potentially reveal kernel addresses useful for KASLR bypass or other sensitive information.
Detection Methods for CVE-2024-47685
Indicators of Compromise
- Unusual patterns of TCP RST packets being generated from IPv6 netfilter rules
- Network traffic containing TCP packets with non-zero reserved bits (res1)
- KMSAN kernel warnings indicating uninitialized memory use in netfilter paths
- Increased volume of rejected IPv6 connections triggering RST generation
Detection Strategies
- Enable KMSAN or KASAN in development/test kernels to detect uninitialized memory access patterns
- Monitor netfilter logging for unusual reject rule triggering patterns that may indicate exploitation attempts
- Deploy network intrusion detection systems with rules to flag TCP packets containing non-zero reserved bits
- Implement kernel tracing on nf_reject_ip6_tcphdr_put() and nf_send_reset6() functions in suspected compromise scenarios
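The non-zero reserved bits indicator listed above can be checked directly on captured bytes. The added example below (not from this page) parses a raw IPv6 + TCP frame and reports the res1 nibble of RST segments, which is where this flaw leaks; the rst_reserved_bits() and make_rst_packet() functions and the sample packets are constructed for the example, and it assumes no IPv6 extension headers sit between the IPv6 and TCP headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define TCP_MIN_HDR  20

/* Return the reserved nibble (res1) of a TCP RST segment carried directly in
 * an IPv6 packet: >0 means the indicator fired, 0 means a clean RST or a
 * non-RST segment, -1 means the bytes are not a parsable IPv6/TCP packet.
 * Assumes no IPv6 extension headers (next header must be 6). */
int rst_reserved_bits(const uint8_t *pkt, size_t len) {
    if (len < IPV6_HDR_LEN + TCP_MIN_HDR) return -1;
    if ((pkt[0] >> 4) != 6) return -1;                 /* IP version */
    if (pkt[6] != 6) return -1;                        /* next header: TCP */
    const uint8_t *th = pkt + IPV6_HDR_LEN;
    size_t doff = (size_t)(th[12] >> 4) * 4;           /* data offset in bytes */
    if (doff < TCP_MIN_HDR || IPV6_HDR_LEN + doff > len) return -1;
    if (!(th[13] & 0x04)) return 0;                    /* RST flag not set */
    return th[12] & 0x0F;                              /* low nibble = res1 */
}

/* Build a constructed 60-byte IPv6 + TCP RST/ACK packet with the given res1
 * nibble (dummy addresses ::1 -> ::2, ports 22 -> 49152). Returns its length. */
size_t make_rst_packet(uint8_t res1, uint8_t *out) {
    memset(out, 0, IPV6_HDR_LEN + TCP_MIN_HDR);
    out[0] = 0x60;                           /* version 6 */
    out[5] = TCP_MIN_HDR;                    /* payload length */
    out[6] = 6;                              /* next header = TCP */
    out[7] = 64;                             /* hop limit */
    out[23] = 1; out[39] = 2;                /* src ::1, dst ::2 */
    uint8_t *th = out + IPV6_HDR_LEN;
    th[1] = 22;  th[2] = 0xC0;               /* sport 22, dport 49152 */
    th[12] = (uint8_t)((5 << 4) | (res1 & 0x0F));
    th[13] = 0x14;                           /* RST|ACK */
    return IPV6_HDR_LEN + TCP_MIN_HDR;
}

/* Named samples so the result can be checked: a leaking RST and a clean one. */
int leaking_sample(void) { uint8_t p[64]; size_t n = make_rst_packet(0xA, p); return rst_reserved_bits(p, n); }
int clean_sample(void)   { uint8_t p[64]; size_t n = make_rst_packet(0x0, p); return rst_reserved_bits(p, n); }

int main(void) {
    int r = leaking_sample();
    if (r > 0) printf("ALERT: IPv6 TCP RST with non-zero reserved bits 0x%x\n", r);
    printf("clean sample: res1 = 0x%x\n", clean_sample());
    return 0;
}
```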
Monitoring Recommendations
- Configure syslog monitoring for kernel warnings related to netfilter and uninitialized memory
- Establish baseline metrics for IPv6 TCP RST packet generation rates to identify anomalous activity
- Review firewall logs for patterns of traffic specifically designed to trigger reject rules
- Enable packet capture on network egress points during incident response to analyze RST packet contents
How to Mitigate CVE-2024-47685
Immediate Actions Required
- Update affected Linux kernel installations to patched versions immediately
- Review and audit IPv6 netfilter reject rules to understand exposure scope
- Consider temporarily replacing IPv6 REJECT rules with DROP rules, which do not generate response packets
- Monitor systems for signs of exploitation while patches are being deployed
Patch Information
The fix replaces the skb_put() call with skb_put_zero() in nf_reject_ip6_tcphdr_put() to ensure the entire TCP header is zero-initialized before use, matching the behavior of the IPv4 implementation.
Multiple kernel patches have been released across various stable branches.
Debian users should refer to the Debian LTS Announcement for distribution-specific update guidance.
Workarounds
- Replace netfilter REJECT rules with DROP rules for IPv6 traffic to prevent RST packet generation
- Disable IPv6 if not required in the environment until patches can be applied
- Implement network-level filtering to block potentially malicious IPv6 traffic at perimeter devices
- Use firewall rate limiting on reject rules to reduce potential information leakage volume
# Configuration example: Replace REJECT with DROP for IPv6 netfilter rules
# Before (vulnerable):
# ip6tables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# After (mitigated):
ip6tables -A INPUT -p tcp --dport 22 -j DROP
# To list current IPv6 reject rules that should be reviewed:
ip6tables -L -n -v | grep REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.