Linux · Linux Kernel · CVE-2024-49948
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.58
Description:
The issue arises from insufficient sanity checks in `qdisc_pkt_len_init()`, specifically on the path that handles packets flagged `SKB_GSO_DODGY`. The `virtio_net_hdr_to_skb()` function does not fully dissect the TCP header; it only ensures the header is at least 20 bytes long. This allows a user to craft a malicious 'GSO' packet with a total length of 80 bytes, comprising a 20-byte IPv4 header, a 60-byte TCP header, and a small `gso_size` such as 8. Because it accounts for only 20 bytes of TCP header, `virtio_net_hdr_to_skb()` incorrectly accepts this packet as a normal GSO packet, since the payload it perceives is larger than `gso_size`; the real headers, however, account for all 80 bytes and leave no payload at all. This leads to an underflow in `qdisc_skb_cb(skb)->pkt_len`.
Recommendations:
For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider implementing additional sanity checks for `SKB_GSO_DODGY` packets to prevent the underflow in `qdisc_skb_cb(skb)->pkt_len`. Restrict the use of the `virtio_net_hdr_to_skb()` function until the update is applied, to minimize the risk of exploitation.
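To make the arithmetic in the description concrete, and to show what kind of sanity check the workaround above refers to, here is an added user-space model. It is the editor's illustration, not kernel code and not the upstream patch: `struct model_skb`, the constructed packets `CRAFTED` and `NORMAL`, and the functions `looks_like_gso_to_virtio()`, `pkt_len_unchecked()`, `gso_packet_is_sane()` and `pkt_len_checked()` are all hypothetical names. The integer types mirror what the kernel path uses to the best of the editor's knowledge (a 16-bit segment count, unsigned 32-bit lengths), so the wrap-around reproduces the underflow the advisory describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same rounding macro the kernel uses on this path. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Editor's model of the few skb fields qdisc_pkt_len_init() reads
 * (hypothetical struct, not the kernel's sk_buff). */
struct model_skb {
    unsigned int len;          /* skb->len: total bytes in the packet         */
    unsigned int net_hdr_len;  /* bytes before the TCP header (IPv4 here)     */
    unsigned int tcp_doff_len; /* TCP header length taken from doff, in bytes */
    unsigned int gso_size;     /* shinfo->gso_size                            */
    uint16_t     gso_segs;     /* shinfo->gso_segs as the sender claimed      */
    bool         gso_dodgy;    /* SKB_GSO_DODGY set: recompute gso_segs here  */
};

/* Constructed packets. CRAFTED is the advisory's 80-byte example
 * (20-byte IPv4 + 60-byte TCP, gso_size 8); NORMAL is an ordinary
 * 1500-byte TCP segment used as a control. */
static const struct model_skb CRAFTED = { 80, 20, 60, 8, 1, true };
static const struct model_skb NORMAL  = { 1500, 20, 20, 1000, 1, true };

/* What the advisory says virtio_net_hdr_to_skb() checks: it accounts for
 * only 20 bytes of TCP header, so CRAFTED appears to carry 40 bytes of
 * payload, which is more than gso_size, and passes as GSO. */
bool looks_like_gso_to_virtio(const struct model_skb *skb)
{
    unsigned int assumed_hdr = skb->net_hdr_len + 20;
    return skb->len > assumed_hdr && skb->len - assumed_hdr > skb->gso_size;
}

/* Pre-fix behaviour: the DODGY path recomputes gso_segs from the real
 * header length without checking that any payload remains. */
unsigned int pkt_len_unchecked(const struct model_skb *skb)
{
    unsigned int pkt_len = skb->len;
    unsigned int hdr_len = skb->net_hdr_len + skb->tcp_doff_len;
    uint16_t gso_segs = skb->gso_segs;

    if (skb->gso_dodgy)
        gso_segs = DIV_ROUND_UP(skb->len - hdr_len, skb->gso_size);

    /* For CRAFTED: hdr_len == len, so gso_segs == 0, (gso_segs - 1) is the
     * int -1, and the unsigned multiply/add wrap pkt_len around to 0. */
    pkt_len += (gso_segs - 1) * hdr_len;
    return pkt_len;
}

/* Illustrative sanity check (not the upstream patch): a GSO packet must
 * have a non-zero gso_size, payload beyond its real headers, and at least
 * one segment once gso_segs has been recomputed. */
bool gso_packet_is_sane(const struct model_skb *skb)
{
    unsigned int hdr_len = skb->net_hdr_len + skb->tcp_doff_len;
    unsigned int gso_segs = skb->gso_segs;

    if (skb->gso_size == 0 || hdr_len >= skb->len)
        return false;
    if (skb->gso_dodgy)
        gso_segs = DIV_ROUND_UP(skb->len - hdr_len, skb->gso_size);
    return gso_segs >= 1;
}

/* Hardened variant: skip the per-segment header accounting for packets
 * that fail the check, leaving pkt_len at the plain skb length. */
unsigned int pkt_len_checked(const struct model_skb *skb)
{
    if (!gso_packet_is_sane(skb))
        return skb->len;
    return pkt_len_unchecked(skb);
}

int main(void)
{
    printf("virtio accepts CRAFTED as GSO : %d\n", looks_like_gso_to_virtio(&CRAFTED));
    printf("unchecked pkt_len(CRAFTED)    : %u\n", pkt_len_unchecked(&CRAFTED));
    printf("checked   pkt_len(CRAFTED)    : %u\n", pkt_len_checked(&CRAFTED));
    printf("unchecked pkt_len(NORMAL)     : %u\n", pkt_len_unchecked(&NORMAL));
    printf("checked   pkt_len(NORMAL)     : %u\n", pkt_len_checked(&NORMAL));
    return 0;
}
```

Running the model shows the two halves of the bug side by side: the virtio-side check accepts the crafted packet as GSO, while the queueing-side computation, which reads the real 60-byte TCP header, is left with zero payload bytes and a segment count of zero, so the "segments minus one" adjustment drives `pkt_len` from 80 to 0. The control packet yields 1540 on both paths (1500 bytes plus one extra 40-byte header for its second segment), and the checked variant returns the plain length of 80 for the crafted packet instead of the wrapped value.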