A deep-dive root cause analysis of CVE-2024-38063, a CVSS 9.8 Windows kernel vulnerability in the IPv6 packet parser (tcpip.sys). The author walks through patch diffing to identify a single-line change replacing IppSendErrorList with IppSendError, then reverse engineers the vulnerability chain: sending malformed IPv6 destination options headers with option type > 0x80 triggers a code path that zeroes the packet_size field, which then causes a 16-bit integer underflow in the IPv6 fragment reassembly code. This underflow results in a ~48-byte heap allocation while 65,488 bytes are copied into it — a controllable kernel pool buffer overflow. The post also covers the challenges of triggering packet coalescing at high throughput to get multiple packets in a linked list, and references ynwarcs' published PoC that completes the exploit chain via Ipv6pReassemblyTimeout().
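The 16-bit underflow described above, shown as an added illustration that is not code from the original post or from tcpip.sys, with the vulnerable arithmetic beside a checked version that rejects the packet instead of wrapping. It assumes (a simplification) that the reassembly code derives the copy length by subtracting an assumed 48 header bytes from a 16-bit packet_size and sizes the pool allocation from the same field, so a zeroed packet_size yields a 48-byte buffer and a 65,488-byte copy (65,536 - 48).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of the reassembly length arithmetic; NOT tcpip.sys code.
 * HEADER_BYTES is an assumed value chosen so the numbers match the analysis:
 * (uint16_t)(0 - 48) == 65488, and an allocation of 0 + 48 == 48 bytes. */
#define HEADER_BYTES 48u

/* Vulnerable form: 16-bit subtraction with no lower-bound check.
 * When packet_size has been zeroed by the error path, the result wraps
 * to 65,488 instead of signalling that the packet is too short. */
uint16_t payload_len_vulnerable(uint16_t packet_size) {
    return (uint16_t)(packet_size - HEADER_BYTES);
}

/* Hardened form: validate before subtracting. Returns -1 when packet_size
 * cannot cover the headers, otherwise the payload length (0..65535). */
int32_t payload_len_checked(uint16_t packet_size) {
    if (packet_size < HEADER_BYTES) {
        return -1;  /* reject: would underflow */
    }
    return (int32_t)(packet_size - HEADER_BYTES);
}

/* Models the allocation/copy mismatch: the pool buffer is sized from the
 * (possibly zeroed) packet_size, while the copy uses the wrapped length.
 * Returns true when the copy would run past the buffer. */
bool copy_overflows(uint16_t packet_size) {
    size_t alloc_size = (size_t)packet_size + HEADER_BYTES;
    size_t copy_len = payload_len_vulnerable(packet_size);
    return copy_len > alloc_size;
}

/* Same mismatch with the checked length: a rejected packet never reaches
 * the copy, so the overflow condition cannot arise. */
bool copy_overflows_checked(uint16_t packet_size) {
    int32_t len = payload_len_checked(packet_size);
    if (len < 0) {
        return false;  /* packet dropped before any allocation or copy */
    }
    size_t alloc_size = (size_t)packet_size + HEADER_BYTES;
    return (size_t)len > alloc_size;
}
```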
Table of contents
The easiest patch analysis ever
Vulnerabilities optional, exploitation mandatory
He's making a list, he's checking it… 52,567 times
Yo dawg, I heard you liked DoS
More reversing… again… forever…
Back to fragmentation
Beaten, but not defeated
That's all, for now