PT-2024-33878 · Linux · Linux Kernel
Published 2024-10-21 · Updated 2026-03-14 · CVE-2024-50038
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.58
Description:
A vulnerability has been resolved in the Linux kernel, specifically in the netfilter xtables component. The issue arises when the xt_cluster match is called via ebtables, causing a warning because the module registers for NFPROTO_UNSPEC but assumes IPv4/IPv6 packet processing. This is a general issue: direct users of the set/getsockopt interface can call into targets/matches intended only for use with ip(6)tables. The problem occurs when matches and targets assume skb_network_header() is valid, which is only true when called from the inet layer. Targets that return XT_CONTINUE or other xtables verdicts must also be restricted, as they are incompatible with the ebtables traverser.
Recommendations:
For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting the use of the xt_cluster match and other affected targets/matches to minimize the risk of exploitation. Additionally, ensure that the connbytes module is properly enabled to prevent failures in enabling the corresponding conntrack family.
Affected Products
Alt Linux
Astra Linux
Debian
Linux Mint
Linux Kernel
Red Hat
RED OS
SUSE
Ubuntu