CVE-2024-47685

Home/CVE/In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr

CVE

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th-res1) Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put() BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 process_backlog+0x4ad/0xa50 net/core/dev.c:6108 __napi_poll+0xe7/0x980 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 __do_softirq+0x14/0x1a kernel/softirq.c:588 do_softirq+0x9a/0x100 kernel/softirq.c:455 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline] __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450 dev_queue_xmit include/linux/netdevice.h:3105 [inline] neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366 inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143 tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333 __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679 inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750 __sys_connect_file net/socket.c:2061 [inline] __sys_connect+0x606/0x690 net/socket.c:2078 __do_sys_connect net/socket.c:2088 [inline] __se_sys_connect net/socket.c:2085 [inline] __x64_sys_connect+0x91/0xe0 net/socket.c:2085 x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core ---truncated---.

CRITICAL · CVSS 9.1 EPSS 0.00075

Act now

Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2024-47685, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

View attack path from CVE-2024-47685

◆

ATT&CK techniques

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1190 · Exploit Public-Facing Application

▤ Build a SIEM detection for these techniques

⬡

Weakness Classification

CWE-908Use of Uninitialized Resource

▤

Affected Products & Versions

debian linuxall versions
linux kernel>= 3.18 and < 4.19.323
linux kernel>= 4.20 and < 5.4.285
linux kernel>= 5.5 and < 5.10.227
linux kernel>= 5.11 and < 5.15.168
linux kernel>= 5.16 and < 6.1.113
linux kernel>= 6.2 and < 6.6.54
linux kernel>= 6.7 and < 6.10.13
Show all 9 affected productslinux kernel>= 6.11 and < 6.11.2

⚠

Public Exploits & PoCs

These PoC and exploit links come from public sources and are not verified to be safe or functional. Review the code before running anything, and treat unverified entries as untrusted.

pocw4zu/Debian_security (trickest)

📦

Fixed versions by distribution

The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
oracle allbpftool open
oracle allkernel open
oracle allkernel-abi-stablelists open
oracle allkernel-core fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-cross-headers open
oracle allkernel-debug fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-debug-core open
oracle allkernel-debug-devel open
oracle allkernel-debug-devel-matched fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-debug-modules fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-debug-modules-core open
oracle allkernel-debug-modules-extra open
oracle allkernel-debug-uki-virt fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-devel open
oracle allkernel-devel-matched fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-headers fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-modules open
oracle allkernel-modules-core fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-modules-extra fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-tools open
oracle allkernel-tools-libs open
oracle allkernel-tools-libs-devel fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allkernel-uek fixed in 0:5.4.17-2136.338.4.1.el8uek
oracle allkernel-uek-container open
oracle allkernel-uek-container-debug fixed in 0:5.4.17-2136.338.4.1.el7uek
oracle allkernel-uek-core fixed in 0:5.15.0-303.171.5.2.el8uek
oracle allkernel-uek-debug open
oracle allkernel-uek-debug-core fixed in 0:5.15.0-303.171.5.2.el8uek
oracle allkernel-uek-debug-devel fixed in 0:5.4.17-2136.338.4.1.el7uek
oracle allkernel-uek-debug-modules open
oracle allkernel-uek-debug-modules-extra open
oracle allkernel-uek-devel open
oracle allkernel-uek-modules open
oracle allkernel-uek-modules-extra fixed in 0:5.15.0-303.171.5.2.el9uek
oracle allkernel-uek-tools fixed in 0:5.4.17-2136.338.4.1.el7uek
oracle allkernel-uek-tools-libs fixed in 0:5.4.17-2136.338.4.1.el7uek
oracle allkernel-uki-virt open
oracle allkernel-uki-virt-addons fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle alllibperf fixed in 0:5.14.0-570.12.1.0.1.el9_6
oracle allperf open
oracle allpython-perf open
oracle allpython3-perf open
oracle allrtla open
oracle allrv fixed in 0:5.14.0-570.12.1.0.1.el9_6
rhel 9kernel fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-64k open
rhel 9kernel-64k-core open
rhel 9kernel-64k-debug fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-64k-debug-core open
rhel 9kernel-64k-debug-devel open
rhel 9kernel-64k-debug-devel-matched fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-64k-debug-modules open
rhel 9kernel-64k-debug-modules-core open
rhel 9kernel-64k-debug-modules-extra open
rhel 9kernel-64k-devel open
rhel 9kernel-64k-devel-matched open
rhel 9kernel-64k-modules open
rhel 9kernel-64k-modules-core fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-64k-modules-extra fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-abi-stablelists fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-core open
rhel 9kernel-debug open
rhel 9kernel-debug-core fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-debug-devel fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-debug-devel-matched fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-debug-modules fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-debug-modules-core open
rhel 9kernel-debug-modules-extra fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-debug-uki-virt open
rhel 9kernel-devel open
rhel 9kernel-devel-matched fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-modules fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-modules-core open
rhel 9kernel-modules-extra open
rhel 9kernel-rt open
rhel 9kernel-rt-64k open
rhel 9kernel-rt-64k-core fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-rt-64k-debug open
rhel 9kernel-rt-64k-debug-core fixed in 0:5.14.0-570.12.1.el9_6
rhel 9kernel-rt-64k-debug-devel fixed in 0:5.14.0-570.12.1.el9_6

▣

Scoring & Timeline

9.1

CRITICAL · CVSS v3.1 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD21 Oct 2024 · 12:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

SSVC triage · cisa-vulnrichment

Exploitation

none

Automatable

Technical impact

partial

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

rhsaRHSA-2025:6966Low
usnUSN-7875-1
usnLSN-0115-1
usnUSN-7755-3
usnUSN-7755-2
Show all 30 vendor advisoriesusnUSN-7755-1
usnUSN-7727-3
usnUSN-7727-2
usnUSN-7727-1
siemens-csafSSA-355557
usnUSN-7540-1
usnUSN-7539-1
usnUSN-7468-1
usnUSN-7413-1
usnUSN-7403-1
usnUSN-7401-1
usnUSN-7384-2
usnUSN-7393-1
usnUSN-7386-1
usnUSN-7385-1
usnUSN-7384-1
suse-csafSUSE-SU-2025:20163-1
suse-csafSUSE-SU-2025:20164-1
suse-csafSUSE-SU-2025:20246-1
suse-csafSUSE-SU-2025:20247-1
usnUSN-7294-4
usnUSN-7303-3
usnUSN-7311-1
usnUSN-7310-1
usnUSN-7303-2

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://git.kernel.org/stable/c/10210658f827ad45061581cbfc05924b723e8922Patch

https://git.kernel.org/stable/c/7a7b5a27c53b55e91eecf646d1b204e73fa4af93Patch

https://git.kernel.org/stable/c/7bcbc4cda777d26c88500d973fad0d497fc8a82ePatch

https://git.kernel.org/stable/c/7ea2bcfd9bf4c3dbbf22546162226fd1c14d8ad2Patch

https://git.kernel.org/stable/c/872eca64c3267dbc5836b715716fc6c03a18eda7Patch

https://git.kernel.org/stable/c/9c778fe48d20ef362047e3376dee56d77f8500d4Patch

Show all 13 references

https://git.kernel.org/stable/c/af4b8a704f26f38310655bad67fd8096293275a2Patch

https://git.kernel.org/stable/c/dcf48ab3ca2c55b09c8f9c8de0df01c1943bc4e5Patch

https://git.kernel.org/stable/c/fbff87d682e57ddbbe82abf6d0a1a4a36a98afcdPatch

https://lists.debian.org/debian-lts-announce/2025/01/msg00001.htmlMailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2025/03/msg00002.htmlMailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/html/ssa-265688.html

https://cert-portal.siemens.com/productcert/html/ssa-355557.html