PatchSiren cyber security CVE debrief

CVE-2024-56647 Linux CVE debrief

CVE-2024-56647 is a Linux kernel networking bug where ICMP host relookup can interact badly with XFRM policy checks after an ARP/link failure, triggering ip_rt_bug and kernel warnings. The issue is primarily an availability problem: NVD rates it 5.5/Medium, with local access required and high availability impact. The supplied kernel fix skips ICMP relookup for locally generated packets, which avoids the problematic XFRM re-evaluation path.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-27
Original CVE updated: 2026-05-17
Advisory published: 2024-12-27
Advisory updated: 2026-05-17

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that use XFRM/IPsec or otherwise rely on IPv4 ICMP handling in environments where interfaces can flap or ARP failures occur. Fleets running affected kernel versions should treat this as a kernel availability fix, especially if they use VPN/IPsec or see link-state instability.

Technical summary

According to the kernel description, an ARP link failure can trigger ip_rt_bug when XFRM is enabled. The call path shows ipv4_link_failure leading into __icmp_send and then ip_send_skb, where ICMP route lookup/relookup can create input routes for locally generated packets. During XFRM relookup, the skb may end up with an input route whose dst->out points to ip_rt_bug for DESTUNREACH handling. The fix is to skip ICMP relookup for locally generated packets, because for those cases the output route's dst->dev is loopback and XFRM relookup verification is not needed there.

Defensive priority

Medium. Prioritize patching for systems running affected Linux kernel versions, and raise urgency if the fleet uses XFRM/IPsec or is exposed to frequent link failures. The impact described in the source is kernel warning/availability degradation rather than confidentiality or integrity compromise.

Recommended defensive actions

  • Apply the upstream/stable Linux kernel patches referenced by the official kernel.org links in the advisory record.
  • Upgrade to a kernel release that includes the fix; NVD marks Linux kernel versions from 2.6.25 up to, but not including, 6.12.5 as vulnerable, and 6.13-rc1 is also listed as vulnerable.
  • If you rely on vendor kernels, confirm the vendor has backported the fix rather than assuming the upstream version number alone is sufficient.
  • Validate XFRM/IPsec deployments and interface-flap scenarios in staging after patching, especially where ICMP errors and ARP link failures are expected.
  • Monitor for kernel warnings involving ip_rt_bug, ipv4_link_failure, or __icmp_send as indicators that affected code paths are being exercised.
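The version and monitoring actions above can be scripted. The following is an added Python triage helper written for this debrief; it is not code from the advisory, from NVD or from the Linux project. It encodes the NVD version criteria quoted on this page (2.6.25 up to, but not including, 6.12.5, plus 6.13-rc1), flags vendor-suffixed kernels for which the version number alone is not a verdict, and scans dmesg-style lines for WARNING events whose call trace contains ip_rt_bug together with __icmp_send or ipv4_link_failure. The sample log lines, including their timestamps, frame offsets and the unrelated second warning, are constructed for illustration and are not a real trace from this bug.

```python
"""CVE-2024-56647 triage helpers (added example, not from the advisory).

Two defender-side checks taken from the debrief's recommended actions:
  1. classify a `uname -r` style release string against the NVD range;
  2. scan kernel log lines for WARNING events that touch the symbols the
     advisory names (ip_rt_bug, ipv4_link_failure, __icmp_send).
"""
import re

# Affected range as stated by NVD for this CVE.
AFFECTED_MIN = (2, 6, 25)      # inclusive
FIXED_IN = (6, 12, 5)          # exclusive: 6.12.5 carries the fix
EXTRA_AFFECTED = {"6.13-rc1"}  # explicitly listed as vulnerable

# Symbols from the advisory's recommended monitoring.
WATCH_SYMBOLS = ("ip_rt_bug", "ipv4_link_failure", "__icmp_send")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
_WARNING_RE = re.compile(r"\bWARNING:")
_TRACE_END_RE = re.compile(r"---\[ end trace")


def classify_kernel(release):
    """Classify a kernel release string against the NVD version criteria.

    Returns {"in_nvd_range": bool, "vendor_build": bool}.  A vendor build
    (anything after the upstream version, e.g. '-125-generic' or '.el9')
    may carry a backport, so in_nvd_range is a prompt to check the vendor
    changelog, not a final verdict.
    """
    text = release.strip()
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    # '6.13.0-rc1' and '6.13-rc1' both normalise to the NVD spelling.
    rc_tag = f"{major}.{minor}-rc{rc}" if rc and base[2] == 0 else None
    in_range = AFFECTED_MIN <= base < FIXED_IN or rc_tag in EXTRA_AFFECTED
    return {"in_nvd_range": in_range, "vendor_build": bool(text[m.end():])}


def scan_kernel_log(lines):
    """Group dmesg/journal lines into WARNING events and collect which of
    WATCH_SYMBOLS appear as stack frames (name+0xoffset/0xsize) in each.

    Each event is {"start": index, "symbols": sorted list, "suspect": bool};
    suspect is True when ip_rt_bug appears together with an ICMP or
    link-failure frame, the shape of the call path the advisory describes.
    """
    events, current = [], None
    for idx, line in enumerate(lines):
        if _WARNING_RE.search(line):
            current = {"start": idx, "symbols": set()}
            events.append(current)
        if current is None:
            continue  # not inside a warning/trace block
        for sym in WATCH_SYMBOLS:
            if re.search(rf"\b{re.escape(sym)}\+0x", line):
                current["symbols"].add(sym)
        if _TRACE_END_RE.search(line):
            current = None  # trace closed; later frames belong elsewhere
    for ev in events:
        syms = ev["symbols"]
        ev["suspect"] = "ip_rt_bug" in syms and bool(
            syms & {"ipv4_link_failure", "__icmp_send"})
        ev["symbols"] = sorted(syms)
    return events


# Constructed sample, not a real trace: offsets and timestamps are made up,
# and the file:line part of the WARNING is elided.
SAMPLE_DMESG = [
    "[  512.101010] eth0: Link is Down",
    "[  512.202020] ------------[ cut here ]------------",
    "[  512.202021] WARNING: CPU: 2 PID: 0 at net/ipv4/route.c:<line> ip_rt_bug+0x1c/0x20",
    "[  512.202022] Call Trace:",
    "[  512.202023]  <IRQ>",
    "[  512.202024]  ip_rt_bug+0x1c/0x20",
    "[  512.202025]  ip_send_skb+0x5a/0x90",
    "[  512.202026]  __icmp_send+0x3c1/0x4f0",
    "[  512.202027]  ipv4_link_failure+0x1d/0x40",
    "[  512.202028]  arp_error_report+0x2a/0x50",
    "[  512.202029]  </IRQ>",
    "[  512.202030] ---[ end trace 0000000000000000 ]---",
    "[  600.000000] WARNING: CPU: 0 PID: 1234 at drivers/example.c:<line> unrelated_fn+0x10/0x20",
    "[  600.000001] Call Trace:",
    "[  600.000002]  unrelated_caller+0x5/0x10",
    "[  600.000003] ---[ end trace 0000000000000000 ]---",
]

if __name__ == "__main__":
    for rel in ("6.12.4", "6.12.5", "6.13.0-rc1", "5.15.0-125-generic"):
        print(rel, classify_kernel(rel))
    for ev in scan_kernel_log(SAMPLE_DMESG):
        print(ev)
```

On a live host, feed `scan_kernel_log` the output of `dmesg` or `journalctl -k` split into lines, and treat a `suspect` event on an in-range kernel as a signal that the affected path is being exercised, which raises the patching priority for that fleet segment.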

Evidence notes

Source evidence ties the issue to Linux kernel networking code and states: 'arp link failure may trigger ip_rt_bug while xfrm enabled.' The supplied description identifies the problematic path through icmp_route_lookup() / XFRM relookup for locally generated packets and states that the fix is to skip ICMP relookup for those packets. NVD metadata also supplies the affected version criteria: linux_kernel versions from 2.6.25 up to, but not including, 6.12.5, plus 6.13-rc1, with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Official resources

CVE published by CVE/NVD on 2024-12-27 and later modified by NVD on 2026-05-17. The source record links to official Linux kernel patch references hosted on git.kernel.org.