Joel Guittet

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.43 **Description** The issue is related to the lack of validation of the source address length in the tcp metrics structure, specifically for the TCP METRICS ATTR SADDR IPV4 attribute. This attribute is not checked to be at least 4 bytes long, and there is no entry for it in the policy. The vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. The issue is related to the NETLINK socket, which can be used locally. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.43 or later. As a temporary workaround, consider restricting access to the NETLINK socket to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** A vulnerability in the Linux kernel's TCP implementation allows for a divide-by-zero error in the `tcp rcv space adjust()` function. This occurs when a socket transitions from the `TCP SYN RECV` state to the `TCP FIN WAIT1` state without calling `tcp init transfer()`, which also means `tcp init buffer space()` is not called. The issue can be triggered by a remote attacker, potentially leading to a denial-of-service condition. To fix this, the `tcp shutdown()` function should be modified to not perform the `TCP SYN RECV` to `TCP FIN WAIT1` transition, and instead, wait for the socket state to change to `TCP ESTABLISH` before entering the `TCP FIN WAIT1` state and sending a FIN packet. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.37 or later. If updating is not immediately possible, consider applying the patch that changes the `tcp shutdown()` function to correctly handle the `TCP SYN RECV` state transition. Additionally, as a temporary workaround, consider disabling the `tcp shutdown()` function for `TCP SYN RECV` sockets until a patch is available.