Pablo Neira Ayuso

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.18.0-rc7+ **Description** A double hook unregistration issue in the netfilter nf tables component has been identified. The ` nft release hooks()` function is called from the pre netns exit path, which unregisters the hooks. However, the NETDEV UNREGISTER event is then triggered, causing the hooks to be unregistered again. This issue is associated with a warning message and a call trace that includes the ` nf unregister net hook+0x247/0x270` function. **Recommendations** For Linux kernel versions prior to 5.18.0-rc7+, consider updating to a newer version that includes the fix for this issue. As a temporary workaround, it may be possible to mitigate the risk by modifying the netns pre exit path to avoid the double hook unregistration. However, without further information, the exact steps for this workaround are not clear. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak issue in the Linux kernel's netfilter nf tables component has been identified. The problem occurs because the commit path does not release flow rule objects, while the abort path does. This issue has been resolved by updating the code to destroy these objects before releasing the transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A vulnerability in the Linux kernel has been resolved, related to the netfilter conntrack hashtable size. The issue allowed for a potential WARN ON ONCE in kvmalloc node noprof() when resizing the hashtable because GFP NOWARN was unset. The fix involves clamping the maximum hashtable size to INT MAX. Hashtable resize is only possible from init netns. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting the resize of the conntrack hashtable to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The Linux kernel has a vulnerability in the netfilter module, specifically in the nft set hash function, where an unaligned atomic read on the struct nft set ext can occur. This happens when accessing the genmask field in the struct nft set ext, resulting in an unaligned atomic read. The issue can cause a kernel paging request error, leading to a system crash. To address this, the struct nft set ext needs to be aligned to the word size. **Recommendations** Update to Linux kernel version 6.6.74 or later to fix the vulnerability. As a temporary workaround, consider aligning the struct nft set ext to the word size to prevent unaligned atomic reads.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A possible ABBA deadlock vulnerability has been identified in the Linux kernel, specifically in the netfilter IDLETIMER module. This issue occurs when the deletion of the last rule referencing a given idletimer happens simultaneously with a read of its file in sysfs, resulting in a possible circular locking dependency. A simple reproducer for this issue is provided, demonstrating how the deadlock can occur. The vulnerability is resolved by freeing the `list mutex` immediately after deleting the element from the list and then continuing with the teardown. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the vulnerability. As a temporary workaround, consider avoiding the simultaneous deletion and reading of idletimer rules to minimize the risk of deadlock.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the `nft inner` component of the Linux kernel, which can lead to a NULL pointer dereference from userspace when mandatory netlink attributes in payload and meta expression are not validated. This can cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the netfilter module in the Linux kernel, specifically with the nft set pipapo function. It can cause a crash when dealing with large batches of elements in a back-to-back add/remove pattern. The removal function does not work correctly if multiple elements share the same key, potentially leading to the wrong element being unmapped and resulting in a crash when the element is retrieved during lookup. The problem arises from the removal happening in two steps: first, looking up the key and marking the element as inactive, and second, removing the element from the set/map. If an element with the same key has timed out or is not active in the next generation, the removal might unmap the wrong element, causing the non-deactivated element to become unreachable and leading to a crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an incorrect pppoe tuple in the netfilter component of the Linux kernel. This causes pppoe traffic reaching the ingress path to not match the flowtable entry, as the pppoe header is expected to be at the network header offset. The bug results in a mismatch in the flow table lookup, leading to pppoe packets entering the classical forwarding path. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential data-race in the ` nft obj type get()` function in the `nf tables` component of the Linux kernel. This occurs because `nft unregister obj()` can run concurrently with ` nft obj type get()`, and there is no protection when iterating over the `nf tables objects` list in ` nft obj type get()`. This can lead to a potential data-race of the `nf tables objects` list entry. To resolve this, `list for each entry rcu()` is used to iterate over the `nf tables objects` list in ` nft obj type get()`, and `rcu read lock()` is used in the caller `nft obj type get()` to protect the entire type query process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.8.0 **Description** The vulnerability is related to a slab-use-after-free issue in the `nf tables trans destroy work` function. This issue can be triggered when an element is released via the destroy workqueue while the `exit net` path has already released the set used in the transaction. The vulnerability can be exploited to potentially elevate privileges in the system. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, versions 6.8.0 and later should include the necessary patches to address this issue. For Linux kernel versions prior to 6.8.0: As a temporary workaround, consider disabling the `nf tables` module until a patch is available. However, this may have significant implications for network filtering and security, so it should be carefully considered based on the specific use case and security requirements of the system. At the moment, there is no information about other newer versions that contain a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the netfilter component, specifically the nf tables, where a discard table flag update with pending basechain deletion can cause a hook to remain registered in the core after its basechain has been deleted. This occurs when hook unregistration is deferred to the commit phase and combined with hook updates triggered by the table dormant flag. The vulnerability may allow an attacker to cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to the netfilter component of the Linux kernel, specifically the nf tables module. When the dormant flag is toggled, hooks are disabled in the commit phase by iterating over current chains in the table. A configuration that allows for an inconsistent state can trigger a warning when trying to unregister a chain that is already unregistered. This issue may be exploited to elevate privileges in the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the netfilter component of the Linux kernel, specifically with the nft ct module. It involves insufficient validation of user-input data in the `nft ct expect obj init()` function, which can lead to a denial of service. The vulnerability is addressed by sanitizing layer 3 and 4 protocol numbers in custom expectations, disallowing families other than NFPROTO {IPV4,IPV6,INET}, and disallowing layer 4 protocols with no ports. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the `nf tables updchain` function of the Linux kernel's netfilter component. When `nft netdev register hooks()` fails, the memory associated with `nft stats` is not freed, causing a memory leak. This can lead to a denial of service. The patch fixes the issue by moving `nft stats alloc()` down after `nft netdev register hooks()` succeeds. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to the netfilter component in the Linux kernel, specifically with the bridge functionality. It occurs when the conntrack nf confirm logic cannot handle cloned skbs referencing the same nf conn entry, which happens for multicast or broadcast frames on bridges. This can lead to a race condition between the Macvlan broadcast worker and the normal confirm path. To work around this problem, explicit confirmation of the entry at LOCAL IN time is required before the upper layer has a chance to clone the unconfirmed entry. However, this workaround disables NAT and conntrack helpers. An alternative fix would be to add locking to all code parts that deal with unconfirmed packets, but this opens up other problems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the netfilter component, specifically the nft flow offload function, where the dst is transferred to the flow object, and the route object does not own it anymore. If the flow offload add() function fails, the error path releases the dst twice, leading to a refcount underflow. This can potentially allow an attacker to execute arbitrary code. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions from v5.9 to v6.6 **Description** The issue is related to a use-after-free vulnerability in the Netfilter component of the Linux kernel, specifically in the nft chain filter function. This vulnerability can lead to a local privilege escalation. The problem arises when a stale reference to a netdevice remains in the hook list after a NETDEV UNREGISTER event is reported. **Recommendations** As a temporary workaround, consider disabling the `nft chain filter` function until a patch is available. Restrict access to the Netfilter component to minimize the risk of exploitation. Update to a version of the Linux kernel that has the fix for the netfilter: nft chain filter: handle NETDEV UNREGISTER for inet/ingress basechain issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the `nft byteorder eval()` function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a memory leak in the netfilter nf tables module when more than 255 elements expire. This causes the system to recycle the initial gc container structure and lose track of previous elements. The `nft trans gc space()` function always returns true, preventing the switch to a new gc container structure. This can impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the netfilter component of the Linux kernel, specifically the nf tables module. It involves disallowing timeout for anonymous sets, which are never used from userspace. The vulnerability may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.