MSRC compact vulnerability detail

CVE-2021-24086 · Windows TCP/IP Denial of Service Vulnerability

No description was published by MSRC.

Severity: n/a
Impact: n/a
CVSS: 7.5 base · 6.5 temporal
Release: 2021-02-09
Signals: Windows TCP/IP · Unknown impact · Exploited: No · Publicly disclosed: No · Exploitability: Exploitation More Likely
CWE: No CWE data published.
FAQ / Articles
Workaround
1. Set global reassemblylimit to 0

The following command disables packet reassembly. Any out-of-order packets are dropped. Valid scenarios should not exceed more than 50 out-of-order fragments. We recommend testing prior to updating production systems.

    Netsh int ipv6 set global reassemblylimit=0

Further netsh guidance can be found at netsh.

Impact of workaround

There is a potential for packet loss when discarding out-of-order packets.

How to undo the workaround

To restore to default setting "267748640":

    Netsh int ipv6 set global reassemblylimit=267748640

2. Configure an Edge device, such as a firewall or load balancer, to disallow IPv6 fragmentation. Host based firewalls do not provide sufficient protection.
Mitigation
This vulnerability affects all Windows IPv6 deployments, but Windows systems that are ONLY configured with IPv6 link-local addresses are not reachable by remote attackers. IPv6 link-local addresses are not routable on the internet, and an attack would need to originate from the same logical or adjacent network segment.
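
The following read-only PowerShell check is an added example, not part of the MSRC advisory: it reports the IPv6 reassembly limit set by the workaround above and whether the host has any IPv6 address other than link-local, as described under Mitigation. It assumes the NetTCPIP module cmdlets Get-NetIPv6Protocol and Get-NetIPAddress are available; the variable and property names in the output object are illustrative.

```powershell
# Added example: read-only audit for the CVE-2021-24086 workaround and mitigation.
# It changes nothing; the netsh commands in the workaround are what alter the setting.

$DefaultLimit = 267748640   # default reassemblylimit quoted in the workaround text

# 1. Current IPv6 reassembly limit (0 means reassembly is disabled).
$limit = (Get-NetIPv6Protocol).ReassemblyLimit

$state = if ($limit -eq 0) {
    'Workaround applied (reassembly disabled)'
} elseif ($limit -eq $DefaultLimit) {
    'Default value (workaround not applied)'
} else {
    'Custom value (workaround not applied)'
}

# 2. IPv6 addresses that are neither link-local (fe80::/10) nor loopback (::1).
#    Link-local entries carry a zone suffix such as "%12", stripped before parsing.
$nonLinkLocal = @(Get-NetIPAddress -AddressFamily IPv6 | Where-Object {
    $ip = [System.Net.IPAddress]::Parse(($_.IPAddress -split '%')[0])
    -not $ip.IsIPv6LinkLocal -and -not [System.Net.IPAddress]::IsLoopback($ip)
})

# 3. One object per host, suitable for Export-Csv or remote collection.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    ReassemblyLimit  = $limit
    WorkaroundState  = $state
    LinkLocalOnly    = ($nonLinkLocal.Count -eq 0)
    NonLinkLocalIPv6 = @($nonLinkLocal | ForEach-Object {
        "$($_.InterfaceAlias): $($_.IPAddress)"
    })
}
```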
FAQ
Where can I find more information about this vulnerability?

Please see MSRC Blog regarding the TCP/IP vulnerabilities discussed in CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094.