CVE-2024-5564 Overview
A buffer overflow vulnerability was discovered in libndp, a library used for Neighbor Discovery Protocol (NDP) operations. This flaw enables a malicious user to trigger a buffer overflow condition in NetworkManager by sending specially crafted malformed IPv6 router advertisement packets. The vulnerability stems from libndp's failure to properly validate route length information when processing IPv6 router advertisements, potentially leading to memory corruption and system compromise.
Critical Impact
Successful exploitation of this buffer overflow vulnerability could allow attackers to corrupt memory in NetworkManager, potentially leading to arbitrary code execution or denial of service on affected Linux systems.
Affected Products
- libndp (all versions prior to patched releases)
- NetworkManager (systems using vulnerable libndp)
- Red Hat Enterprise Linux (multiple versions - see vendor advisories)
Discovery Timeline
- May 31, 2024 - CVE-2024-5564 published to NVD
- July 14, 2025 - Last updated in NVD database
Technical Details for CVE-2024-5564
Vulnerability Analysis
This vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input), a classic buffer overflow condition. The flaw exists in libndp's handling of IPv6 router advertisement packets, specifically in the parsing logic for route length information.
When libndp receives an IPv6 router advertisement packet, it processes various options including route information. The vulnerable code path fails to validate that the route length field contains a legitimate value before copying data into a fixed-size buffer. An attacker can craft a malformed router advertisement with an oversized route length value, causing libndp to write beyond the allocated buffer boundaries.
Since NetworkManager relies on libndp for IPv6 network discovery operations, this buffer overflow can be triggered within the NetworkManager process context. The network-accessible attack vector combined with the ability to corrupt memory in a privileged network management service creates a significant security risk for affected systems.
Root Cause
The root cause is improper input validation in libndp when processing route length information from IPv6 router advertisement packets. The library does not correctly verify that the route length field conforms to expected bounds before using it in memory copy operations. This allows an attacker to specify an arbitrary length value that exceeds the destination buffer size, resulting in a classic buffer overflow condition.
Attack Vector
The attack vector involves sending malformed IPv6 router advertisement packets to a system running NetworkManager with the vulnerable libndp library. An attacker on the same network segment (or with the ability to inject packets) can craft a router advertisement containing a route information option with an invalid or oversized length field.
When NetworkManager processes this packet through libndp, the malformed route length causes data to be written beyond buffer boundaries, corrupting adjacent memory. Depending on memory layout and exploitation technique, this could result in:
- Denial of service through NetworkManager crash
- Arbitrary code execution within NetworkManager's privilege context
- Potential privilege escalation on the affected system
Detection Methods for CVE-2024-5564
Indicators of Compromise
- Unexpected NetworkManager crashes or restarts, particularly following network activity
- Anomalous IPv6 router advertisement traffic with unusual route length values
- Memory corruption errors or segmentation faults in system logs related to NetworkManager or libndp
- Unusual network behavior or connectivity issues following IPv6 operations
Detection Strategies
- Monitor system logs for NetworkManager crash events or SIGSEGV signals
- Deploy network intrusion detection rules to identify malformed IPv6 router advertisements with suspicious route length fields
- Implement endpoint detection for unusual memory access patterns in NetworkManager processes
- Review audit logs for unexpected privilege escalation attempts following network events
Monitoring Recommendations
- Enable verbose logging for NetworkManager to capture IPv6 processing events
- Configure network monitoring tools to alert on malformed ICMPv6 router advertisement packets
- Implement memory protection monitoring for critical network services
- Set up automated alerting for repeated NetworkManager service restarts
How to Mitigate CVE-2024-5564
Immediate Actions Required
- Update libndp to the latest patched version from your distribution's repository
- Apply vendor security updates for affected systems immediately
- Consider temporarily disabling IPv6 on critical systems if immediate patching is not possible
- Monitor systems for signs of exploitation attempts
Patch Information
Multiple vendors have released security patches addressing this vulnerability:
- Red Hat: Security advisories RHSA-2024:4618, RHSA-2024:4619, RHSA-2024:4620, RHSA-2024:4622, RHSA-2024:4636, and additional advisories provide patched packages
- Debian: Debian LTS Security Announcement provides updated packages
For detailed vulnerability information, consult the Red Hat CVE Details page or the Red Hat Bug Report.
Workarounds
- Disable IPv6 on systems where it is not required as a temporary mitigation
- Implement network segmentation to limit exposure to potentially malicious router advertisements
- Deploy firewall rules to filter suspicious ICMPv6 traffic at network boundaries
- Consider using static IPv6 configuration to reduce reliance on router advertisements
# Temporary workaround: Disable IPv6 router advertisement acceptance
sysctl -w net.ipv6.conf.all.accept_ra=0
sysctl -w net.ipv6.conf.default.accept_ra=0
# To make persistent, add to /etc/sysctl.conf:
# net.ipv6.conf.all.accept_ra = 0
# net.ipv6.conf.default.accept_ra = 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
