VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Jun 21, 2024· Updated May 12, 2026

CVE-2024-33621

CVE-2024-33621

Description

In the Linux kernel, the following vulnerability has been resolved:

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

Raw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will hit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.

WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70 Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:sk_mc_loop+0x2d/0x70 Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212 RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001 RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000 RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00 R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000 R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000 FS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:

? __warn (kernel/panic.c:693) ? sk_mc_loop (net/core/sock.c:760) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:239) ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? sk_mc_loop (net/core/sock.c:760) ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1)) ? nf_hook_slow (net/netfilter/core.c:626) ip6_finish_output (net/ipv6/ip6_output.c:222) ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215) ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan dev_hard_start_xmit (net/core/dev.c:3594) sch_direct_xmit (net/sched/sch_generic.c:343) __qdisc_run (net/sched/sch_generic.c:416) net_tx_action (net/core/dev.c:5286) handle_softirqs (kernel/softirq.c:555) __irq_exit_rcu (kernel/softirq.c:589) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)

The warning triggers as this: packet_sendmsg packet_snd //skb->sk is packet sk __dev_queue_xmit __dev_xmit_skb //q->enqueue is not NULL __qdisc_run sch_direct_xmit dev_hard_start_xmit ipvlan_start_xmit ipvlan_xmit_mode_l3 //l3 mode ipvlan_process_outbound //vepa flag ipvlan_process_v6_outbound ip6_local_out __ip6_finish_output ip6_finish_output2 //multicast packet sk_mc_loop //sk->sk_family is AF_PACKET

Call ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, ipvlan devices can trigger a kernel WARN_ON when sending raw PF_PACKET sockets over IPv6 due to improper use of skb->sk.

Vulnerability

Description

CVE-2024-33621 is a denial-of-service vulnerability in the Linux kernel's ipvlan driver. The issue occurs when raw packets from a PF_PACKET socket are transmitted over an IPv6-backed ipvlan device. The kernel function ipvlan_process_v4_outbound and ipvlan_process_v6_outbound wrongly use the skb->sk field, which can be NULL or invalid for packets originating from PF_PACKET sockets. This leads to a WARN_ON in sk_mc_loop() when the packet traverses the sch_direct_xmit path, as seen in the official description's kernel trace [description].

Exploitation

Requirements

An attacker must have the ability to send raw packets from a PF_PACKET socket on an IPv6-configured ipvlan device. This typically requires local access to the system (CAP_NET_RAW capability in a container or on a host). No special network position is needed beyond being able to create a PF_PACKET socket. The vulnerability is triggered entirely within the network stack processing, so it does not require advanced authentication beyond what is needed to open a raw socket.

Impact

When triggered, the kernel emits a WARN_ON and stack trace (as shown in the description), which may cause a system crash or instability on some configurations (e.g., if panic_on_warn is set). The impact is a denial of service for the local system. Siemens has reported that this CVE affects the GNU/Linux subsystem of SIMATIC S7-1500 TM MFP devices, labeling it as a medium-severity issue (CVSS v3 base score 5.5) [1].

Mitigation

The fix was applied in the Linux kernel commit b3dc6e8003b500861fa307e9a3400c52e78e4d3a [4]. Users should update their kernel to a version containing this patch. The vulnerability is also listed in Siemens advisory SSA-265688 [1], which recommends applying the vendor-provided updates for affected products.

References
  1. SSA-265688
  2. Making sure you're not a bot!

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

63

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

12

News mentions

0

No linked articles in our index yet.