CVE-2024-38063
TCP/IP stack -- integer underflow in IPv6 packet reassembly allows RCE
Summary
| Field | Value |
|---|---|
| Driver | tcpip.sys |
| Vulnerability Class | Integer Overflow |
| Vulnerable Build | 10.0.22621.3958 (KB5040527) |
| Fixed Build | 10.0.22621.4036 (KB5041585) |
| Exploited ITW | No |
Affected Functions
Ipv6pReassembleDatagramIpv6pReceiveFragmentIppReassembleDatagram
Root Cause
Every Windows machine with IPv6 enabled (the default configuration) processes fragmented IPv6 packets through tcpip.sys. When an IPv6 datagram exceeds the path MTU, the sender fragments it. The receiver collects fragments via Ipv6pReceiveFragment, tracks their offsets and lengths, and reassembles them into a complete datagram via Ipv6pReassembleDatagram. Buffer sizes for the reassembled datagram are calculated from the fragment offset and length fields in each packet's IPv6 Fragment Extension Header.
The vulnerability is an integer underflow in the reassembly arithmetic. When Ipv6pReassembleDatagram computes the total reassembled datagram size, a subtraction on unsigned integers can wrap around if a crafted sequence of fragments provides offset and length values that cause the subtraction result to go negative. Since the arithmetic is unsigned, the negative result wraps to a very large or very small value (depending on the specific computation), producing an incorrect buffer size.
This incorrect value is used to allocate a kernel pool buffer. When the allocation size is smaller than the actual fragment data, the subsequent copy of fragment payloads into the buffer overflows past the end of the allocation, corrupting adjacent kernel pool objects.
The bug is remotely triggerable with no authentication and no user interaction. An attacker only needs to send crafted IPv6 packets to a target machine.
AutoPiff categorizes this as int_overflow with detection rules:
added_overflow_check_on_arithmeticadded_underflow_guard
Exploitation
The attack begins by sending a carefully ordered sequence of IPv6 fragments to the target. The fragment offset and length fields are chosen to trigger the integer underflow in Ipv6pReassembleDatagram, causing the kernel to allocate a buffer smaller than the actual data volume. When the fragments are reassembled, the copy overflows into adjacent pool objects.
Reliable exploitation requires remote heap layout control, which is significantly harder than local pool spraying. The attacker needs to groom the kernel pool across the network by sending packets that allocate objects of specific sizes, positioning target objects adjacent to the vulnerable allocation. MalwareTech's analysis details the fragment sequences and pool grooming strategies needed to make this practical.
If the adjacent pool objects can be reliably corrupted, the attacker gains kernel pool corruption from a network packet, the path to remote code execution. Microsoft rated this "Exploitation More Likely" due to the complexity of remote heap grooming, but the fundamental primitive is one of the most dangerous in the Windows kernel: unauthenticated, zero-click, remote kernel pool corruption.
Patch Analysis
The patch in KB5041585 (build 10.0.22621.4036) added overflow and underflow checks on the fragment offset and length arithmetic during IPv6 reassembly. Subtraction results are validated against wraparound, and calculated buffer sizes are checked for consistency with the actual fragment data. Malformed fragment sequences that would have triggered the underflow are now discarded.
AutoPiff detects this via the added_overflow_check_on_arithmetic and added_underflow_guard rules, which identify new conditional branches guarding arithmetic operations against wraparound.
Detection
YARA Rule
rule CVE_2024_38063_TCPIP {
meta:
description = "Detects vulnerable version of tcpip.sys (pre-patch)"
cve = "CVE-2024-38063"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "tcpip.sys" wide ascii nocase
$vuln_build = "10.0.22621.3958" wide ascii
$func_reassemble = "Ipv6pReassembleDatagram" ascii
$func_fragment = "Ipv6pReceiveFragment" ascii
$func_generic = "IppReassembleDatagram" ascii
condition:
$mz at 0 and $driver_name and $vuln_build and 2 of ($func_*)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-TCPIP | IPv6 fragment reassembly and packet discard events | Code path in Ipv6pReassembleDatagram where the underflow occurs |
| Microsoft-Windows-WFP | Packet inspection and drop events | Malformed IPv6 fragment sequences (blocked post-patch, pass through on vulnerable systems) |
| Microsoft-Windows-Kernel-Network | Network buffer allocation and pool events | Pool allocations for IPv6 reassembly buffers with anomalous sizes from integer underflow |
| Microsoft-Windows-Security-Auditing | Event 5152 (WFP Packet Drop) and Event 5157 (Connection Block) | Firewall blocking of malicious IPv6 fragment patterns |
Behavioral Indicators
- Burst of fragmented IPv6 packets from a single source with crafted Fragment Extension Headers containing offset and length values that trigger unsigned integer underflow in the reassembly calculation
- Kernel pool corruption in NonPagedPoolNx following IPv6 fragment reassembly, detectable via pool integrity verification or bugcheck
BAD_POOL_HEADER/POOL_CORRUPTION_IN_FILE_AREA - IPv6 fragments with inconsistent total datagram sizes, where fragment offset+length combinations exceed or underflow the reassembled datagram boundary
- Kernel-mode shellcode execution from corrupted pool objects adjacent to the undersized reassembly buffer, spawning SYSTEM processes from the network stack context
- High volume of IPv6 fragment packets on a system that does not normally receive fragmented IPv6 traffic
Broader Significance
CVE-2024-38063 is the kind of vulnerability that keeps network security teams up at night. It is a pre-authentication, zero-click, remote kernel pool corruption in the IPv6 stack of every Windows machine. While reliable remote exploitation requires solving the hard problem of cross-network heap grooming, the existence of this primitive means any unpatched Windows system with IPv6 enabled (which is nearly all of them) is theoretically vulnerable to remote kernel compromise from a single crafted packet stream. The vulnerability drew significant attention because IPv6 is enabled by default and cannot be easily disabled in many environments, making the exposure near-universal.