CVE-2023-52340: Linux IPv6 Route Cache DoS and Patch Guide

The Linux kernel vulnerability tracked as CVE-2023-52340 exposes a subtle but powerful availability risk: a flaw in the IPv6 route-caching logic can be driven into a denial-of-service condition by repeated IPv6 traffic patterns (for example, packets sent in a loop from a raw socket or floods of ICMPv6 “Packet Too Big” messages), causing route-cache exhaustion, high lock contention, and persistent “network is unreachable” failures until the kernel is patched or the attack stops.

Background​

For years the Linux kernel has evolved different internal designs for IPv4 and IPv6 routing caches. Historically IPv4 moved away from an active route cache and relies on per-CPU structures and garbage-collection semantics that avoid global cache-threshold chokepoints. IPv6’s destination-route handling retained a sysctl-controlled net.ipv6.route.max_size threshold that, in older kernels, could be exhausted when many route entries were cloned into the cache in a short period. That threshold and the way IPv6 garbage collection was implemented created a path where an attacker could intentionally force route cache growth and make the kernel spend large amounts of CPU time holding locks and scanning entries, producing packet drops and “network is unreachable” errors.
The kernel team’s upstream response—included in the 6.3 development cycle—changed IPv6 behavior to align more closely with IPv4 by removing the problematic max_size check and improving how cached route entries are managed so the kernel no longer hits the same choke point under realistic traffic patterns. Distributors and vendors then published advisories and backports to fix embedded kernels.

---

What exactly is the bug and how is it triggered?​

Root cause, in plain terms​

• The IPv6 route code could clone routes repeatedly in a tight loop (for example, when packets are sent by a raw socket or when ICMPv6 PTB messages cause repeated MTU updates).
• Each cloned route increases the IPv6 route cache size. When the cache exceeded the configured net.ipv6.route.max_size threshold (default values historically small compared with IPv4), the kernel triggered garbage collection that scanned every entry while holding a lock.
• That global scan under lock produces heavy lock contention and CPU saturation; packets are dropped while the kernel’s route machinery struggles, and user-space calls such as sendto() may start returning ENETUNREACH (“Network is unreachable”).

Practical trigger scenarios​

• Sending IPv6 packets in a tight loop through a raw socket that causes route cloning for each packet is a straightforward reproducer described by kernel developers. In vendor advisories the attack surface is wider: floods of ICMPv6 “Packet Too Big” (PTB) messages—legitimate or spoofed—can cause large numbers of route updates and thereby force the same behavior.

Why IPv4 wasn't affected the same way​

IPv4’s routing code had already moved away from the same global threshold/check architecture and relies more on garbage collection semantics and per-CPU structures; IPv6’s implementation lagged and therefore exposed the max_size chokepoint. The fix for CVE-2023-52340 intentionally brought IPv6’s behavior closer to IPv4’s approach.

---

Severity and scope​

• CVSS v3.1 assessments for CVE-2023-52340 place the base score in the High range (commonly quoted as 7.5 / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), driven by the network attack vector and the significant availability impact.
• The vulnerability affects Linux kernels prior to 6.3 (the upstream fix landed in the 6.3 development tree). Vendors backported the fix to many stable kernels; however, embedded devices and appliance firmware that do not receive timely kernel updates remain at risk.
• Real-world exploitation requires the ability to send IPv6 traffic that triggers route cloning or to flood the target with ICMPv6 PTB messages. In many environments this can be done from within the same L2/L3 domain or across routed IPv6 networks if ingress filtering or source validation is absent. That means servers and network gear exposed to untrusted IPv6 peers—public-facing interfaces, cloud instances with IPv6 enabled, and management controllers—should be prioritized.

---

Evidence and confirmation​

• The original kernel discussion and description of the reproducer were posted to the netdev/LKML thread describing how sending IPv6 packets in a loop via a raw socket caused route cloning and the ensuing cache overflow. Kernel developer Jon Maxwell authored the fix and the thread documents the expected behavior and repro output.
• Upstream sources and vendor advisories (Amazon Linux ALAS, SUSE, Oracle, IBM, and others) published notes tying the issue to ICMPv6 PTB floods and to the route cache garbage-collection behavior, and they reference the upstream patch that removes or deprecates the IPv6 max_size check. These multiple, independent vendor notes corroborate the technical description and remediation approach.
• National and public vulnerability catalogs (NVD, OpenCVE, cvedetails) list the CVE and reference the upstream kernel commit and vendor advisories, giving consistent CVSS and affected-version guidance (kernels before 6.3).

---

The upstream fix, backports and interesting wrinkles​

• The upstream commit associated with CVE-2023-52340 removed the IPv6-specific max_size check and adjusted garbage-collection behavior so that IPv6 cached routes no longer hit the same pathological case. That change was included in the Linux 6.3 development branch and documented in the networking sysctl documentation as deprecating the IPv6 max_size knob.
• Many distributors issued their own backported patches and livepatches. SUSE released kernel live patches for affected enterprise kernels, Amazon and Oracle published ALAS/ULN entries, and vendors such as NetApp and Dell updated appliance firmware referencing the same underlying kernel fix. Organizations should consult their vendor advisory channels and package repositories for the precise package or firmware that carries the fix.
• A notable operational wrinkle: some downstream trees (for example, Android’s kernel trees) briefly reverted the upstream change because of ABI concerns or platform-specific constraints. That means relying purely on “upstream 6.3 means fixed everywhere” is incomplete: vendors may have different backport/revert status, and some distributions may carry their own alternative fixes. Do not assume all kernels built from the 6.x series are identical—check vendor advisories for your specific kernel package.

---

Detection: how to spot attack or symptomatic systems​

Look for the following signs in kernel logs and telemetry—these are direct operational indicators that the route cache logic is failing or under pressure:

• Kernel warnings similar to:
• “Route cache is full: consider increasing sysctl net.ipv6.route.max_size.”
• log lines reporting suppressed callbacks like “dst_alloc: XXXX callbacks suppressed.”
  These messages are symptomatic of the route cache garbage-collection and allocation attack path.
• Sudden spikes in CPU usage on network-processing cores while connection-level throughput drops, especially concurrent with elevated logs related to IPv6 or route handling.
• Application-level errors returning ENETUNREACH or transient network-unreachability where IPv4 continues to work while IPv6 fails—this mismatch often points to an IPv6-specific kernel path.
• Network telemetry showing repeated ICMPv6 PTB messages from a single source or clusters of PTB messages arriving unexpectedly; this can either be user-generated or an artifact of a malformed testing script.

Practical commands and quick checks (examples to run on affected hosts):

• Inspect kernel logs:
• Check dmesg or /var/log/kern.log for the “Route cache is full” message or similar dst_alloc suppression messages.
• CPU and process sampling:
• Use top/htop and perf to see whether network CPU binds are saturated and which kernel threads are hot.
• Network-level capture:
• Capture with tcpdump or equivalent and inspect for repeated ICMPv6 PTB messages or a raw-socket flood originating from a single endpoint.

(These are investigative steps; adjust them to your environment’s tooling and policy.)

---

Immediate mitigations and recommended patching plan​

If you manage Linux hosts, appliances, or firmware that could contain vulnerable kernels, apply the following triage and remediation steps immediately:

• Priority 1 (Immediate, recommended):
• Patch: Update kernels to versions that include the upstream fix or apply vendor-supplied security updates/livepatches. For upstream Linux this is the behavior merged in the 6.3 tree; many distributions provide backports for earlier stable branches—apply those backports as soon as available.
• Priority 2 (If urgent patching is not possible):
• Network filters: Block or rate-limit externally sourced ICMPv6 PTB messages at edge routers/firewalls. Preventing or limiting the flood of PTB messages reduces the ability of a remote attacker to drive the route-cache into garbage-collection storms. (Be careful—blocking all ICMPv6 may break legitimate Path MTU Discovery; prefer targeted rate-limiting or source validation.)
• Temporary sysctl tweak (cautious): Some administrators raised /proc/sys/net/ipv6/route/max_size to a much larger value as a stopgap, but this is not a true fix—raising the threshold can postpone exhaustion but doesn’t remove the underlying pathological behavior and may increase memory use. Use only as an emergency measure and revert after patching. Vendor guidance varies, so consult your distribution advisory first.
• Isolate or disable IPv6 where acceptable: On systems that do not need IPv6 and where disabling it is operationally safe, disabling IPv6 will entirely avoid this specific attack surface until the kernel can be patched. This is an operational tradeoff and may not be feasible where IPv6 is required.
• Priority 3 (Monitoring and hardening):
• Deploy IDS/IPS signatures and custom detection rules that flag repeated ICMPv6 PTB floods or abnormal rates of raw-IPv6 packets from a host.
• Harden hosting or platform controls so that untrusted tenants or containers cannot create raw sockets or flood the host’s networking stack.

---

Who should be most worried?​

• Network appliances, routers, and management controllers that run embedded Linux kernels—BMC firmware, iDRAC/iLO equivalents, storage controllers—are high priority because vendor firmware upgrades have historically lagged and these devices may be directly exposed to untrusted networks. Dell, NetApp and other vendors issued advisories referencing the vulnerability for their appliances.
• Cloud instances and virtual machines where IPv6 is enabled on public-facing interfaces—attackers who can reach IPv6 addresses can attempt to exploit the path.
• Enterprise servers hosting essential services that expect high availability and that cannot be quickly rebooted; DoS conditions in the kernel networking path can be disruptive and persistent until remediation.

---

Risk analysis: likelihood vs. impact​

• Impact: High. The core effect is complete or partial loss of network availability for IPv6 paths on affected hosts. Applications can return errors and network services can become unreachable until the kernel is fixed or the attack stops. CVSS and vendor advisories emphasize the high availability impact.
• Likelihood: Moderate. Although the exploit primitive is straightforward (flooding route-cloning triggers), practical exploitation often requires network access that allows spoofing or source control of ICMPv6 messages. The public EPSS and exploitation reports do not indicate widespread mass exploitation, but proof-of-concept reproducers exist and attackers with network access could weaponize it in specific contexts (multi-tenant clouds, poorly filtered IPv6 networks, or internal network segments). Vendors and distributors prioritized fixes accordingly.

Combined, the High impact and reasonable ease of triggering under unfiltered IPv6 justify treating CVE-2023-52340 as a high-priority patching item for affected assets.

---

Operational notes and caveats​

• Do not assume kernel version numbers alone tell the whole story. While upstream 6.3 contains the upstream patch, many enterprise distributions backported fixes into earlier stable kernels (and some downstream maintainers may have chosen different approaches or temporary reverts). Always check the vendor advisory for the specific kernel package and distribution you run.
• Some downstream trees temporarily reverted the upstream change for platform ABI or stability reasons (Android trees are a public example). That means device vendors and OS projects may have different remediation timelines; validate against vendor bulletins for embedded devices.
• Raising the net.ipv6.route.max_size sysctl is a band-aid and not a substitute for a patch. It can delay exhaustion but may increase memory pressure and still leave the host vulnerable to high CPU lock-imposed outages. Prefer patching and network-level mitigations where possible.

---

Recommended checklist for system owners (quick, actionable)​

• Inventory: Identify all systems with IPv6 enabled, including servers, VMs, appliances, BMCs, and vendor-controlled firmware.
• Vendor check: Consult vendor security advisories for each affected product and map the vendor’s patch or firmware revision to your asset inventory. Apply vendor-recommended updates.
• Patch prioritization: Prioritize public-facing hosts, network appliances, cloud instances, and infrastructure nodes (DNS, load balancers, BMCs).
• Temporary mitigations: If you cannot patch immediately:
• Rate-limit or filter ICMPv6 PTB messages at ingress/edge.
• Consider temporary sysctl adjustments or disabling IPv6 for systems where that is acceptable.
• Monitoring and detection: Add log and telemetry alerts for the kernel route-cache/warning messages, CPU spikes on network threads, and high ICMPv6 PTB rates.
• Post-patch verification: After applying patches, verify that kernel logs no longer show the route-cache warnings under stress tests and that normal IPv6 traffic paths are stable.

---

Broader takeaways for operators and kernel watchers​

• This CVE illustrates how subtle differences in protocol implementations (IPv4 vs IPv6) can produce availability issues years after an initial design choice. Aligning implementation strategies across protocol families reduces surprising asymmetries that adversaries can exploit.
• Embedded devices and firmware remain a chronic operational risk: even when Linux upstream teams fix a problem, device vendors’ patch cycles determine real-world exposure. Inventory and vendor-relationship management are central to resilience.
• Operational controls—edge filtering, ICMP rate limiting, and visibility into kernel telemetry—are essential complements to software patching. Defending networking stacks requires coordination between kernel upgrades, network filtering policies, and observability.

---

Conclusion​

CVE-2023-52340 is a clear example of an availability-first vulnerability that is straightforward in concept but consequential in practice: certain IPv6 route-caching behavior allowed attackers to force route-cloning and garbage-collection storms that produced sustained or persistent denial-of-service conditions. The upstream remedy—removing the IPv6 max_size chokepoint and bringing IPv6 behavior in line with IPv4—was applied in the 6.3 kernel tree and vendors have since issued backports and firmware updates. Operators should treat this as a high-priority maintenance item for any system that enables IPv6, verify vendor-specific remediation for embedded devices, and apply the layered mitigations described above until all affected assets have been patched.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center