PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-26852 Linux CVE debrief

CVE-2024-26852 is a Linux kernel IPv6 use-after-free in the multipath route notification path. The issue was found by syzbot and confirmed by KASAN, with the supplied record showing a slab-use-after-free in rt6_fill_node reached through ip6_route_mpath_notify().

Vendor: Linux
Product: CVE-2024-26852
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-17
Original CVE updated: 2026-05-12
Advisory published: 2024-04-17
Advisory updated: 2026-05-12

Who should care

Linux kernel maintainers, distro security teams, and system operators running affected kernel branches should care, especially on multi-user systems where local users can exercise networking/syscall paths. The CVSS vector is local, low-privilege, and rated high impact.

Technical summary

The kernel fix addresses a root-cause lifetime bug in ip6_route_mpath_notify(). The supplied description says an earlier commit (f7225172f25a) did not fully resolve the issue, and that fib6_info_release() calls need to be deferred until after ip6_route_mpath_notify() finishes, during cleanup. NVD records the issue as CWE-416 (use after free) with CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
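The ordering the fix enforces, shown as an added simplified model rather than kernel code: a refcounted record stands in for fib6_info, a notifier reads it the way rt6_fill_node() does, and the same multipath-add flow is run with the releases done before versus after notification. The struct, the freed flag and the function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's refcounted struct fib6_info (simplified model). */
struct rt_info {
    int refcnt;
    int freed;  /* constructed flag: set instead of freeing so a stale read is observable */
};

static struct rt_info *rt_alloc(void) {
    struct rt_info *rt = calloc(1, sizeof *rt);
    rt->refcnt = 1;
    return rt;
}

/* Drop a reference; at zero the record is "gone" (marked, not freed, in this model). */
static void rt_release(struct rt_info *rt) { if (--rt->refcnt == 0) rt->freed = 1; }

/* Notifier that reads the record, as rt6_fill_node() does; returns 1 on a stale read. */
static int mpath_notify(struct rt_info *rt) { return rt->freed; }

/* Buggy ordering: the per-next-hop releases run before the notifier reads them. */
int add_mpath_release_early(struct rt_info **nhs, int n) {
    int stale = 0;
    for (int i = 0; i < n; i++) rt_release(nhs[i]);
    for (int i = 0; i < n; i++) stale |= mpath_notify(nhs[i]);
    return stale;
}

/* Fixed ordering: notify first, then defer the releases to the cleanup step. */
int add_mpath_release_deferred(struct rt_info **nhs, int n) {
    int stale = 0;
    for (int i = 0; i < n; i++) stale |= mpath_notify(nhs[i]);
    for (int i = 0; i < n; i++) rt_release(nhs[i]);  /* cleanup */
    return stale;
}

/* Constructed two-next-hop request; returns 1 if the notifier saw a released record. */
int run_mpath_demo(int deferred) {
    struct rt_info *nhs[2] = { rt_alloc(), rt_alloc() };
    int stale = deferred ? add_mpath_release_deferred(nhs, 2)
                         : add_mpath_release_early(nhs, 2);
    free(nhs[0]); free(nhs[1]);
    return stale;
}

int main(void) {
    printf("release-early: stale read=%d, deferred: stale read=%d\n", run_mpath_demo(0), run_mpath_demo(1));
    return 0;
}
```

In the real kernel the stale read is a slab-use-after-free that KASAN reports; the model only flags it so the two orderings can be compared safely.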

Defensive priority

High. This is a kernel memory-safety flaw with high CVSS impact, but it requires local access and low privileges. Prioritize patching affected kernels and verifying vendor backports.

Recommended defensive actions

  • Update to a Linux kernel build that includes the stable fixes referenced by NVD and the kernel patch links.
  • Verify your vendor's backport status for affected branches, including 4.19.x, 5.4.x, 5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.7.x, and 6.8-rc builds listed by NVD.
  • Treat systems that allow unprivileged local users to reach the kernel networking stack as higher priority for remediation.
  • Check your distro or vendor security advisory and package changelog for the specific backported fix commit.
  • Watch for unexpected kernel crashes or KASAN-style reports in IPv6 routing/netlink paths until patching is complete.

Evidence notes

The debrief is based on the supplied CVE description, which includes the syzbot/KASAN report and the stated fix approach, plus the NVD record and its listed stable patch references. NVD also provides the affected CPE version ranges and the CWE-416 classification.

Official resources

Publicly disclosed in the CVE record on 2024-04-17; the supplied NVD record was last modified on 2026-05-12. No CISA KEV entry is supplied in the corpus.