{"id":"CVE-2024-40957","summary":"seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\n\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n\n    [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n    [74830.655633] #PF: supervisor read access in kernel mode\n    [74830.657888] #PF: error_code(0x0000) - not-present page\n    [74830.659500] PGD 0 P4D 0\n    [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n    ...\n    [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n    [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n    ...\n    [74830.689725] Call Trace:\n    [74830.690402]  \u003cIRQ\u003e\n    [74830.690953]  ? show_trace_log_lvl+0x1c4/0x2df\n    [74830.692020]  ? show_trace_log_lvl+0x1c4/0x2df\n    [74830.693095]  ? ipt_do_table+0x286/0x710 [ip_tables]\n    [74830.694275]  ? __die_body.cold+0x8/0xd\n    [74830.695205]  ? page_fault_oops+0xac/0x140\n    [74830.696244]  ? exc_page_fault+0x62/0x150\n    [74830.697225]  ? asm_exc_page_fault+0x22/0x30\n    [74830.698344]  ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n    [74830.699540]  ipt_do_table+0x286/0x710 [ip_tables]\n    [74830.700758]  ? ip6_route_input+0x19d/0x240\n    [74830.701752]  nf_hook_slow+0x3f/0xb0\n    [74830.702678]  input_action_end_dx4+0x19b/0x1e0\n    [74830.703735]  ? input_action_end_t+0xe0/0xe0\n    [74830.704734]  seg6_local_input_core+0x2d/0x60\n    [74830.705782]  lwtunnel_input+0x5b/0xb0\n    [74830.706690]  __netif_receive_skb_one_core+0x63/0xa0\n    [74830.707825]  process_backlog+0x99/0x140\n    [74830.709538]  __napi_poll+0x2c/0x160\n    [74830.710673]  net_rx_action+0x296/0x350\n    [74830.711860]  __do_softirq+0xcb/0x2ac\n    [74830.713049]  do_softirq+0x63/0x90\n\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()-\u003erpfilter_is_loopback():\n\n    static bool\n    rpfilter_is_loopback(const struct sk_buff *skb,\n          \t       const struct net_device *in)\n    {\n            // in is NULL\n            return skb-\u003epkt_type == PACKET_LOOPBACK ||\n          \t in-\u003eflags & IFF_LOOPBACK;\n    }","modified":"2026-03-20T12:37:25.744090Z","published":"2024-07-12T12:31:59.747Z","related":["ALSA-2024:5928","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40957.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779"},{"type":"WEB","url":"https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40957.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40957"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7a3f5b0de3647c854e34269c3332d7a1e902901a"},{"fixed":"af90e3d73dc45778767b2fb6e7edd57ebe34380d"},{"fixed":"ec4d970b597ee5e17b0d8d73b7875197ce9a04d4"},{"fixed":"d62df86c172033679d744f07d89e93e367dd11f6"},{"fixed":"561475d53aa7e4511ee7cdba8728ded81cf1db1c"},{"fixed":"9a3bc8d16e0aacd65c31aaf23a2bced3288a7779"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40957.json"}}],"schema_version":"1.7.5"}