CVE-2024-56703: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's IPv6 routing functionality has been discovered, identified as CVE-2024-56703. The issue affects the fib6selectpath function under conditions of high next hop churn. The vulnerability was discovered in December 2024 and affects Linux kernel versions from 4.15 through 6.12.2, with fixes being implemented in subsequent releases (NVD).

The vulnerability manifests as soft lockups during the traversal of the multipath circular linked-list in the fib6_select_path function, specifically while iterating through siblings in the list. The issue occurs when nodes of the linked list are unexpectedly deleted concurrently on a different core, indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can cause system instability and denial of service through kernel soft lockups, particularly affecting Linux-based edge routers in highly dynamic environments. When exploited, it can trigger a system panic via the watchdog timer, disrupting normal system operations (Kernel Patch).

The issue has been resolved by applying RCU primitives in the problematic code sections and updating the references to fib6_siblings to use RCU APIs. The fix has been implemented in various kernel versions through patches. Users should update to patched versions: beyond 6.12.2 for the 6.12 series, beyond 6.11.11 for the 6.7-6.11 series, beyond 6.6.75 for the 6.2-6.6 series, or beyond 6.1.128 for the 4.15-6.1 series (NVD).