On 12/22/2025 4:51 PM, Polarian wrote:
> Hey,
> I am trying to understand, if rtsold is not running and not enabled,
> what from the kernel would spin that up to expose the code path that
> is patched in the advisory?
> I don't get where you are getting a kernel vulnerability from.
> The advisory already explains that the RCE comes from a lack of input
> validation on the domain search field. This is a userspace
> vulnerability.
> This is passed to resolvconf, which does not validate its input, which
> therefore allows for an RCE.
> So why are we talking about code paths within the kernel? It's not within
> the networking stack, it is a vulnerability within the userspace
> utilities.
When I asked if patching the userland code was enough, you said no.
From what I understand, having ACCEPT_RTADV on an interface means the
kernel is processing rtadv packets. The advisory mentions that, but it
seems that's not sufficient to trigger the bug, as rtsold is the one that
processes the unchecked DNS info, i.e. you need both ACCEPT_RTADV
enabled and rtsold enabled, no? If just having ACCEPT_RTADV enabled
would lead to an exploit, that implies a kernel bug, no?
I just want to confirm whether *not* running rtsold is enough to avoid this
bug, or whether the mere presence of IPv6 can lead to an exploit. If the
latter, how is that actually working?
---Mike
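The thread's point is that the domain search list arrives in a Router Advertisement, is decoded by rtsold, and is then handed to resolvconf without validation. The following is an added illustration (not code from rtsold, resolvconf, or the advisory): a decoder for the RA DNSSL option that carries that list (RFC 8106 section 5.2), followed by the hostname check a resolv.conf writer would want before the names are used. The `build_dnssl` helper and the hostile name it encodes are constructed for the example; the actual payload described in the advisory is not reproduced here.

```python
"""Decode an IPv6 RA DNSSL option and vet the search domains before they
reach a resolv.conf writer.  Added illustration; not code from rtsold,
resolvconf or the advisory.  Wire format follows RFC 8106 section 5.2."""
import re
import struct

ND_OPT_DNSSL = 31                     # ND option type for the DNS Search List
# RFC 1035 "letters, digits, hyphen" label: 1-63 chars, no leading/trailing '-'
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def build_dnssl(lifetime, names):
    """Encode a DNSSL option.  Deliberately does NOT validate the names, so
    it can stand in for what a hostile router on the link might send."""
    body = b""
    for name in names:
        for label in name.encode("latin-1").split(b"."):
            body += bytes([len(label)]) + label
        body += b"\x00"                               # end of this name
    raw = bytes([ND_OPT_DNSSL, 0, 0, 0]) + struct.pack("!I", lifetime) + body
    raw += b"\x00" * (-len(raw) % 8)                  # pad to 8-octet multiple
    return bytes([ND_OPT_DNSSL, len(raw) // 8]) + raw[2:]


def parse_dnssl(option):
    """Return (lifetime, [domain names]) from one DNSSL option.  Structural
    checks only: the names come back exactly as sent, still unvalidated."""
    if len(option) < 8 or option[0] != ND_OPT_DNSSL:
        raise ValueError("not a DNSSL option")
    length = option[1] * 8                            # length is in 8-octet units
    if length == 0 or length != len(option):
        raise ValueError("option length field does not match data")
    lifetime = struct.unpack("!I", option[4:8])[0]
    names, pos = [], 8
    while pos < length:
        labels, start = [], pos
        while True:
            if pos >= length:
                raise ValueError("truncated domain name")
            n = option[pos]
            pos += 1
            if n == 0:
                break
            if n > 63:
                raise ValueError("bad label length %d" % n)
            if pos + n > length:
                raise ValueError("truncated label")
            labels.append(option[pos:pos + n])
            pos += n
        if not labels:
            # An empty name can only be the zero padding after the last name.
            if any(option[start:length]):
                raise ValueError("non-zero bytes in padding")
            break
        names.append(b".".join(labels).decode("latin-1"))
    return lifetime, names


def vet_search_domains(names):
    """Split decoded names into ones safe to hand to resolvconf and ones to
    drop: every label must be LDH and the whole name at most 253 chars."""
    accepted, rejected = [], []
    for name in names:
        labels = name.split(".")
        ok = 0 < len(name) <= 253 and all(LABEL_RE.match(l) for l in labels)
        (accepted if ok else rejected).append(name)
    return accepted, rejected


def resolvconf_search_line(names):
    """Build the 'search' line a resolv.conf writer would receive, using only
    vetted names.  Returns '' when nothing survives vetting."""
    accepted, _ = vet_search_domains(names)
    return "search " + " ".join(accepted) if accepted else ""


if __name__ == "__main__":
    # Constructed inputs: a benign option and one carrying a name that tries
    # to smuggle a newline and a second directive into resolv.conf.
    benign = build_dnssl(1800, ["example.com", "corp.example.net"])
    hostile = build_dnssl(1800, ["example.com", "evil\nnameserver 10.0.0.1"])
    for opt in (benign, hostile):
        lifetime, names = parse_dnssl(opt)
        accepted, rejected = vet_search_domains(names)
        print("lifetime=%d accepted=%r rejected=%r" % (lifetime, accepted, rejected))
        print(repr(resolvconf_search_line(names)))
```

The split between `parse_dnssl` and `vet_search_domains` is the point: the decoder faithfully returns whatever the router sent, because the wire format allows any octets in a label, so the safety of the `search` line depends entirely on the vetting step sitting between the decoder and whatever writes resolv.conf.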