CVE-2024-26925

netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.

nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: libera mutex después de nft_gc_seq_end de la ruta de cancelación. El mutex de confirmación no debe liberarse durante la sección crítica entre nft_gc_seq_begin() y nft_gc_seq_end(); de lo contrario, el trabajador asíncrono de GC podría recopilar objetos caducados y obtener el bloqueo de confirmación liberado dentro de la misma secuencia de GC. nf_tables_module_autoload() libera temporalmente el mutex para cargar las dependencias del módulo, luego vuelve a reproducir la transacción nuevamente. Muévalo al final de la fase de cancelación después de llamar a nft_gc_seq_end().

A flaw was found in the Linux kernel’s Netfilter nf_tables module. The issue arises from improper mutex handling during the garbage collection (GC) process. The problem occurs between the critical functions nft_gc_seq_begin() and nft_gc_seq_end(), where a mutex lock is incorrectly released too early, leading to potential race conditions. This issue could allow an asynchronous GC worker to collect expired objects and improperly obtain the released commit lock within the same sequence, potentially causing system instability or data corruption.
This vulnerability can be exploited by attackers with local access, leading to unexpected behavior or even privilege escalation under certain conditions. The kernel patch for this issue moves the mutex release to the correct point, ensuring the sequence completes safely before releasing any locks.

*Credits: N/A

CVSS Scores

Red Hatv3.1 7.0

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-24 CVE Published
2024-04-25 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-667: Improper Locking

CAPEC

References (17)

URL	Tag	Source
https://git.kernel.org/stable/c/4b6346dc1edfb9839d6edee7360ed31a22fa6c95	Vuln. Introduced
https://git.kernel.org/stable/c/23292bdfda5f04e704a843b8f97b0eb95ace1ca6	Vuln. Introduced
https://git.kernel.org/stable/c/b44a459c6561595ed7c3679599c5279204132b33	Vuln. Introduced
https://git.kernel.org/stable/c/5d319f7a81431c6bb32eb4dc7d7975f99e2c8c66	Vuln. Introduced
https://git.kernel.org/stable/c/720344340fb9be2765bbaab7b292ece0a4570eae	Vuln. Introduced
https://git.kernel.org/stable/c/f85ca36090cbb252bcbc95fc74c2853fc792694f	Vuln. Introduced
https://git.kernel.org/stable/c/e07e68823116563bdbc49cef185cda6f463bc534	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428	2024-04-13
https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494	2024-04-13
https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139	2024-04-13
https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae	2024-04-13
https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30	2024-04-10
https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1	2024-04-10
https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27	2024-04-04

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26925	2024-08-28
https://bugzilla.redhat.com/show_bug.cgi?id=2277166	2024-08-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.262 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.262 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.198 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.198 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.134 < 5.15.155 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.134 < 5.15.155"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.56 < 6.1.86 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.56 < 6.1.86"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.6.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.6.26"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.8.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.8.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.316 Search vendor "Linux" for product "Linux Kernel" and version "4.19.316"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.4.13 Search vendor "Linux" for product "Linux Kernel" and version "6.4.13"		en		Affected