CVE-2024-26643

2024-03-2100:00:00

ubuntu.com

linux kernel

netfilter

nf_tables

vulnerability

race

timestamp

7.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: mark set as dead when unbinding anonymous set with
timeout While the rhashtable set gc runs asynchronously, a race allows it
to collect elements from anonymous sets with timeouts while it is being
released from the commit path. Mingi Cho originally reported this issue in
a different path in 6.1.x with a pipapo set with low timeouts which is not
possible upstream since 7395dfacfff6 (“netfilter: nf_tables: use timestamp
to check for set element timeout”). Fix this by setting on the dead flag
for anonymous sets to skip async gc in this case. According to 08e4c8c5919f
(“netfilter: nf_tables: mark newset as dead on transaction abort”), Florian
plans to accelerate abort path by releasing objects via workqueue,
therefore, this sets on the dead flag for abort path too.

Notes

Author	Note
	Priority reason: Reported by Google kCTF

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchlinux< anyUNKNOWN
ubuntu22.04noarchlinux< anyUNKNOWN
ubuntu23.10noarchlinux< anyUNKNOWN
ubuntu24.04noarchlinux< anyUNKNOWN
ubuntu20.04noarchlinux-aws< anyUNKNOWN
ubuntu22.04noarchlinux-aws< anyUNKNOWN
ubuntu23.10noarchlinux-aws< anyUNKNOWN
ubuntu24.04noarchlinux-aws< anyUNKNOWN
ubuntu20.04noarchlinux-aws-5.15< anyUNKNOWN
ubuntu22.04noarchlinux-aws-6.5< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	linux	< any	UNKNOWN
ubuntu	22.04	noarch	linux	< any	UNKNOWN
ubuntu	23.10	noarch	linux	< any	UNKNOWN
ubuntu	24.04	noarch	linux	< any	UNKNOWN
ubuntu	20.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	22.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	23.10	noarch	linux-aws	< any	UNKNOWN
ubuntu	24.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	20.04	noarch	linux-aws-5.15	< any	UNKNOWN
ubuntu	22.04	noarch	linux-aws-6.5	< any	UNKNOWN