CVE-2006-0454
Description
Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICMP response in icmp_send, does not properly handle when the ip_options_echo function in icmp.c fails, which allows remote attackers to cause a denial of service (crash) via vectors such as (1) record-route and (2) timestamp IP options with the needaddr bit set and a truncated value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:linux:linux_kernel:2.6.12:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.13:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14.7:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15.2:*:*:*:*:*:*:*
- (no CPE) range: >=2.6.12, <2.6.15.3
Patches
Vulnerability mechanics
Root cause
"Incorrect error-handling label in icmp_send causes a spurious dst_release when ip_options_echo fails."
Attack vector
A remote attacker can send a crafted IP packet with record-route or timestamp IP options that have the `needaddr` bit set and a truncated value. When the kernel attempts to construct an ICMP response via `icmp_send`, the `ip_options_echo` function fails on the malformed options, and the original error path triggers a spurious `dst_release` on an already-freed or uninitialized destination cache entry, causing a kernel crash (denial of service). No authentication is required.
Affected code
The vulnerability is in `net/ipv4/icmp.c` in the `icmp_send` function. When `ip_options_echo` fails, the original code jumped to the `ende` label, which released a destination cache entry (`dst_release`) that had not yet been acquired, causing a double-free or use-after-free condition that could crash the kernel. The patch changes the failure path to jump to `out_unlock` instead, avoiding the erroneous release.
What the fix does
The patch changes the error-handling label in `icmp_send` from `goto ende` to `goto out_unlock`. The `ende` label performed a `dst_release` on a route that had not yet been looked up, causing a double-free. By jumping to `out_unlock` instead, the function releases only the lock and returns without touching the destination cache, preventing the crash.
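The label mix-up described under "Affected code" and "What the fix does", as an added userspace model (not the kernel source and not the patch). `struct dst`, `reply_route`, `model_icmp_send` and `refcnt_after` are hypothetical names, and the model assumes the route pointer starts out as a borrowed pointer to the incoming packet's entry.

```c
#include <stdio.h>

/* Constructed stand-in for a refcounted destination cache entry. */
struct dst { int refcnt; };

static struct dst reply_route;   /* entry returned by the modelled route lookup */
static int lock_held;            /* models the ICMP transmit lock */

static void dst_hold(struct dst *d)    { d->refcnt++; }
static void dst_release(struct dst *d) { d->refcnt--; }

/* Model of the cleanup ladder; `fixed` selects the label taken when the
 * option echo fails (options_bad stands in for ip_options_echo failing). */
static void model_icmp_send(struct dst *in_dst, int options_bad, int fixed)
{
    struct dst *rt = in_dst;     /* assumption: borrowed pointer, no reference taken */

    lock_held = 1;
    if (options_bad) {
        if (fixed)
            goto out_unlock;     /* nothing acquired yet: drop the lock only */
        goto ende;               /* pre-fix label: also releases rt */
    }
    rt = &reply_route;           /* route lookup: now this function owns a reference */
    dst_hold(rt);
    /* ... build and send the reply ... */
ende:
    dst_release(rt);
out_unlock:
    lock_held = 0;
}

/* The packet owner holds exactly one reference; return what is left of it. */
static int refcnt_after(int options_bad, int fixed)
{
    struct dst in_dst = { 1 };
    model_icmp_send(&in_dst, options_bad, fixed);
    return in_dst.refcnt;
}

int main(void)
{
    printf("pre-fix, bad options: owner refcnt = %d (owner's later release underflows)\n",
           refcnt_after(1, 0));
    printf("fixed,   bad options: owner refcnt = %d\n", refcnt_after(1, 1));
    printf("valid options:        owner refcnt = %d\n", refcnt_after(0, 0));
    return 0;
}
```

When reviewing a cleanup ladder like this, check that each `goto` target releases only what has been acquired at the point of the jump; the lock is released on every path in both variants, so the refcount imbalance is the only difference.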
Preconditions
- input: Attacker must send an IP packet with record-route or timestamp options that have the needaddr bit set and a truncated value
- network: No authentication required; the attack is remote
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.immunitysec.com/pipermail/dailydave/2006-February/002909.html (nvd; Patch)
- secunia.com/advisories/18766 (nvd; Patch; Vendor Advisory)
- secunia.com/advisories/18774 (nvd; Patch; Vendor Advisory)
- secunia.com/advisories/18784 (nvd; Patch; Vendor Advisory)
- secunia.com/advisories/18788 (nvd; Patch; Vendor Advisory)
- secunia.com/advisories/18861 (nvd; Patch; Vendor Advisory)
- www.novell.com/linux/security/advisories/2006_06_kernel.html (nvd; Patch; Vendor Advisory)
- www.redhat.com/archives/fedora-announce-list/2006-February/msg00037.html (nvd; Patch; Vendor Advisory)
- www.securityfocus.com/bid/16532 (nvd; Patch)
- www.trustix.org/errata/2006/0006 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2006/0464 (nvd; Vendor Advisory)
- marc.info (nvd)
- marc.info (nvd)
- www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.3 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.securityfocus.com/archive/1/427981/100/0/threaded (nvd)
- www.ubuntu.com/usn/usn-250-1 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/24575 (nvd)