Windows TCP/IP Driver Integer Underflow — Zero-Click Pre-Auth RCE Over IPv6 (CVE-2024-38063)
An integer underflow in the Windows TCP/IP driver allows an unauthenticated network attacker to execute arbitrary code by sending crafted IPv6 packets. No user interaction is required; the vulnerable code runs in the kernel. Apply the August 2024 cumulative update, or disable IPv6 as a workaround.
Any unauthenticated attacker on the same broadcast domain — or any remote attacker whose packets can reach the host's IPv6 stack — can execute arbitrary code in the kernel. Successful exploitation grants ring-0 control of the target: the attacker can install kernel rootkits, disable EDR drivers, and pivot freely. The wormable nature means a single compromised host on an internal network can spread laterally without user interaction.
An integer underflow in the Windows TCP/IP driver's IPv6 fragmentation handling lets a remote attacker corrupt kernel memory by sending specially crafted IPv6 packets. The vulnerable code is in tcpip.sys and runs at kernel privilege. Affected: Windows 10/11 and Windows Server 2008 through Windows Server 2022 23H2 with IPv6 enabled (the default since Vista). Disabling IPv6 on the affected machine eliminates the attack surface but is rarely operationally acceptable on a server. The advisory rates exploitation "More Likely" and notes the bug is wormable.
Probably yes if any of these apply:
Affected OS versions
CVE-2024-38063 was disclosed by Wei (XiaoWei) at Kunlun Lab and detailed in technical write-ups within weeks of Microsoft's August 2024 patch. Multiple researchers reproduced kernel crashes via crafted IPv6 packets; some published proof-of-concept code that reliably bluescreens unpatched hosts. Microsoft warned that turning off IPv6 was the only effective workaround pre-patch. Although no public worm has emerged, the bug class — unauthenticated kernel RCE over a routable protocol — is the most dangerous category Microsoft tracks.
Manual remediation steps
⏱ 30–60 minutes including reboot
Check whether IPv6 is enabled
Get-NetAdapterBinding -ComponentID ms_tcpip6
# Enabled True on any adapter = host is in scope
Workaround until patched — disable IPv6 (last resort)
# WARNING: Disabling IPv6 can break some Microsoft features (DirectAccess,
# Failover Clustering, some Exchange scenarios). Validate carefully first.
Get-NetAdapter | ForEach-Object {
    Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
}
# OR registry-level disable (requires reboot):
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" `
-Name "DisabledComponents" -Value 0xFF -PropertyType DWord -Force
Restart-Computer
Apply the August 2024 cumulative update
Look up CVE-2024-38063 to find the current superseding cumulative update for your OS.
Verify
# Confirm tcpip.sys is patched (build at or above the August 2024 level).
# FileVersion is a display string; the PowerShell-added FileVersionRaw property
# is a [version] object that can be compared with -ge against the patched build.
(Get-Item C:\Windows\System32\drivers\tcpip.sys).VersionInfo.FileVersion
# Re-enable IPv6 after patching if you disabled it as a workaround:
Get-NetAdapter | ForEach-Object {
    Enable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
}
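The steps above (check the IPv6 binding, decide on the workaround, patch, verify, re-enable) can be folded into a single local assessment. The script below is an added example written for this entry; it is not a script from the original page or from Microsoft. It assumes the operator supplies the minimum patched tcpip.sys version from the August 2024 advisory (the script has no build number of its own and refuses to guess one), reads the same binding state, registry value and driver version the manual steps use, and reports whether the host is still exposed or whether IPv6 was left disabled after patching.

```powershell
# Added example, not part of the original entry. Local scope check for
# CVE-2024-38063 on the host it runs on. Run as Administrator:
#   .\Test-Cve202438063.ps1 -MinimumTcpipVersion 10.0.X.Y   (script name and version are placeholders)
param(
    # Minimum tcpip.sys version that carries the August 2024 fix for this OS.
    # Deliberately mandatory: take it from the advisory for your build; do not guess.
    [Parameter(Mandatory)]
    [version]$MinimumTcpipVersion
)

function Get-Ipv6Exposure {
    param([version]$MinimumVersion)

    # Adapters with the ms_tcpip6 binding enabled are the reachable attack surface.
    $bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
    $boundAdapters = @($bindings | Where-Object { $_.Enabled } | ForEach-Object Name)

    # DisabledComponents is the registry-level workaround from the steps above.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $disabledRaw = (Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    $disabledText = if ($null -ne $disabledRaw) { '0x{0:X}' -f $disabledRaw } else { '(not set)' }

    # FileVersionRaw is a [version] added by PowerShell, so it compares correctly;
    # the FileVersion string does not.
    $driver        = Get-Item "$env:SystemRoot\System32\drivers\tcpip.sys"
    $driverVersion = $driver.VersionInfo.FileVersionRaw
    $isPatched     = $driverVersion -ge $MinimumVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Ipv6BoundAdapters  = $boundAdapters
        DisabledComponents = $disabledText
        TcpipSysVersion    = $driverVersion
        TcpipSysPatched    = $isPatched
        # Exposed only when IPv6 is actually bound AND the driver predates the fix.
        Exposed            = ($boundAdapters.Count -gt 0) -and (-not $isPatched)
    }
}

$result = Get-Ipv6Exposure -MinimumVersion $MinimumTcpipVersion
$result | Format-List

if ($result.Exposed) {
    Write-Warning ("In scope for CVE-2024-38063: IPv6 bound on {0}; tcpip.sys {1} is below {2}." -f
        ($result.Ipv6BoundAdapters -join ', '), $result.TcpipSysVersion, $MinimumTcpipVersion)
    Write-Warning 'Apply the August 2024 cumulative update; until then, disable IPv6 as in the workaround step.'
}
elseif ($result.TcpipSysPatched -and $result.DisabledComponents -ne '(not set)') {
    Write-Output ("Patched, but DisabledComponents is still {0}; re-enable IPv6 if it was only a workaround." -f
        $result.DisabledComponents)
}
else {
    Write-Output 'Not exposed: tcpip.sys is at or above the patched level, or IPv6 is not bound on any adapter.'
}
```

The version comparison is the part that most often goes wrong in ad-hoc checks: comparing the FileVersion string lexically treats "10.0.19041.999" as newer than "10.0.19041.4717", so the script compares the [version] object instead. The third branch is there because a host that was patched through a workaround window is easy to leave with IPv6 permanently off, which is the operational breakage the warning in the workaround step describes.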