CVE-2024-49952

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58

Description: A vulnerability in the Linux kernel has been resolved, specifically in the netfilter component, where the nf tables could be corrupted due to unsafe writing of the per-cpu variable nf skb duplicated by nf dup ipv4() or nf dup ipv6(). Disabling preemption is not sufficient to prevent this issue; soft interrupts must also be disabled. The vulnerability was discovered by syzbot and is related to the use of this cpu write() in preemptible code.

Recommendations: To resolve this issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the nf dup ipv4() and nf dup ipv6() functions until a patch is available. Restrict access to the vulnerable netfilter module to minimize the risk of exploitation. Avoid using the nf tables component in the affected API endpoints until the issue is resolved.