Linux Kernel Netfilter Vulnerability in Verdict Maps
CVE-2023-52924

Currently unrated

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 5 February 2025

Summary

This vulnerability in the Linux kernel's netfilter component (nf_tables) concerns how the life cycle of verdict map set elements is handled. With element timeouts enabled, a problematic sequence can occur between a set removal requested from userspace and the kernel's walk over the set's elements: an element that has already expired is skipped during the list traversal, so the use count of the chain it references is never decremented. When that chain is later removed, the stale use count triggers a WARN splat, and the nft_chain object is leaked rather than freed, leaving the subsystem in an inconsistent state. The flaw underscores the importance of accounting for every element state, expired elements included, when the kernel tears down references between objects.

Affected Version(s)

Linux 9d0982927e79049675cb6c6c04a0ebb3dad5a434 < 94313a196b44184b5b52c1876da6a537701b425a

Linux 9d0982927e79049675cb6c6c04a0ebb3dad5a434 < 1da4874d05da1526b11b82fc7f3c7ac38749ddf8

Linux 9d0982927e79049675cb6c6c04a0ebb3dad5a434

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
