CVE-2024-56646: 
Linux Kernel vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in the Linux kernel's IPv6 implementation, specifically in the modifyprefixroute() function (CVE-2024-56646). The vulnerability was identified by syzbot and affects Linux kernel versions from 6.9 up to (excluding) 6.12.5, as well as version 6.13-rc1. The issue occurs when a fib6info structure lacks a fib6table pointer, which can happen with net->ipv6.fib6nullentry (Kernel Patch).

The vulnerability manifests as a NULL pointer dereference in the modifyprefixroute() function within the IPv6 address configuration subsystem. The issue occurs when attempting to access a fib6_table pointer that hasn't been properly set. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium), with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD).

When exploited, this vulnerability can lead to a kernel crash due to a NULL pointer dereference, resulting in a denial of service condition. The issue specifically triggers a general protection fault in the kernel, which can affect system stability and availability (Kernel Patch).

The vulnerability has been patched in the Linux kernel. The fix involves modifying the modifyprefixroute() function to properly handle cases where fib6info lacks a fib6table pointer. Users are advised to upgrade to Linux kernel version 6.12.5 or later, which contains the security fix (Kernel Patch).