PT-2024-3476 · Linux · Linux Kernel
Mingi Cho
Published 2024-03-07 · Updated 2025-09-29
CVE-2024-26643
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.28
Description
The issue is a race condition in the netfilter component of the Linux kernel, specifically in the nf_tables module. The rhashtable set garbage collector (gc) can collect elements from anonymous sets with timeouts while those sets are being released from the commit path. Mingi Cho originally reported the problem in a different path in version 6.1.x, with a pipapo set using low timeouts. The fix sets the dead flag on anonymous sets so that the async gc skips them in this case. According to the plans, the abort path will be sped up by releasing objects via a workqueue.
Recommendations
To resolve the issue, upgrade the Linux kernel to version 6.6.28 or later.
As a temporary workaround, consider disabling the netfilter nf_tables module until a patch is available.
Restrict access to the vulnerable nf_tables module to minimize the risk of exploitation.
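The following is an added triage script, not part of this advisory, that an operator can use to see whether a host falls inside the affected range stated above (kernel older than 6.6.28) and whether the nf_tables module is currently loaded. It compares the numeric kernel release against the fix version from this page; distribution kernels that carry a backported fix under an older version number are not recognised, so treat "affected" as "verify with your vendor".

```bash
#!/bin/sh
# Added triage example for CVE-2024-26643 (not the advisory's own code).
# Assumes a Linux host; FIXED_VERSION is the fix release stated on the page.
FIXED_VERSION="6.6.28"

# version_lt A B: return 0 when A is strictly older than B, comparing
# major.minor.patch numerically; suffixes such as "-generic" are stripped.
version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# kernel_affected VERSION: prints "affected" for releases older than the fix,
# "fixed" otherwise (backports under older version numbers are not detected).
kernel_affected() {
    if version_lt "$1" "$FIXED_VERSION"; then echo affected; else echo fixed; fi
}

# nf_tables_loaded [MODULES_FILE]: prints "yes" when nf_tables is listed as a
# loaded module. A kernel with nf_tables built in (not a module) shows "no"
# here, so also check /boot/config-* for CONFIG_NF_TABLES=y on such hosts.
nf_tables_loaded() {
    f=${1:-/proc/modules}
    if [ -r "$f" ] && grep -q '^nf_tables ' "$f"; then echo yes; else echo no; fi
}

# Report on the live host when invoked with --report.
if [ "${1:-}" = "--report" ]; then
    printf 'kernel %s: %s\n' "$(uname -r)" "$(kernel_affected "$(uname -r)")"
    printf 'nf_tables loaded: %s\n' "$(nf_tables_loaded)"
fi
```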
Race Condition
Improper Locking
Affected Products
Almalinux
Centos
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu