Andrea Mayer

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a memory leak in the Linux kernel, specifically in the `seg6 input core()` function. This function is responsible for adding the SRH into a packet and uses `skb cow head()` to ensure sufficient headroom in the `sk buff` for accommodating the link-layer header. If `skb cow header()` fails, `seg6 input core()` catches the error but does not release the `sk buff`, resulting in a memory leak. The problem was introduced in a specific commit and persists even after subsequent commits that refactored the `seg6 input()` code to deal with netfilter hooks. A proposed patch addresses the memory leak by requiring `seg6 input core()` to release the `sk buff` if `skb cow head()` fails. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.16-rc4 Description: The issue is related to a NULL pointer dereference in the seg6 component of the Linux kernel. When an IPv4 packet is received and meant to be encapsulated in an outer IPv6+SRH header, the seg6 do srh encap function clears the IPv6 socket control block, leading to a loss of receiving interface index information. This condition can trigger a NULL pointer dereference if a specific commit is applied. The vulnerability can be exploited to cause a denial of service. Recommendations: To resolve the issue, update the Linux kernel to a version that includes the fix for the seg6 component, specifically the change that sets the IP6CB(skb)->iif with the index of the receiving interface once again. At the moment, there is no information about a newer version that contains a fix for this vulnerability.