PT-2024-36946 · Linux+3 · Linux Kernel+3
Published: 2024-11-27 · Updated: 2025-06-16
CVE-2024-56638
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.74
Description
The issue concerns incorrect percpu area handling under softirq in the netfilter component of the Linux kernel. Softirq can interrupt the processing of a packet in process context while it is walking over the percpu area that contains the inner header offsets. To address this, three checks are performed before restoring the percpu inner header offsets, to confirm that the percpu area is valid for the skbuff:
- checking if the NFT_PKTINFO_INNER_FULL flag is set,
- validating that the percpu area refers to the skbuff, using the skbuff pointer as a cookie, and
- validating that the percpu area refers to the tunnel type.
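
A user-space C model of the three checks listed above, added here as an illustration and not taken from the kernel source. The struct and function names, tunnel types and offsets are constructed, and a single static slot stands in for one CPU's percpu area.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INNER_FULL 0x1u            /* models NFT_PKTINFO_INNER_FULL */
enum { TUN_A = 1, TUN_B = 2 };     /* constructed tunnel types */
struct pkt { const void *skb; uint32_t flags; };
struct inner_ctx { uintptr_t cookie; int type, nhoff, thoff; };

/* One CPU's slot: overwritten by whichever context parsed a packet last. */
static struct inner_ctx percpu_slot;

static void ctx_save(struct pkt *p, int type, int nhoff, int thoff)
{
    percpu_slot = (struct inner_ctx){ (uintptr_t)p->skb, type, nhoff, thoff };
    p->flags |= INNER_FULL;
}

/* Copy cached offsets out only if the slot still describes this packet. */
static bool ctx_restore(const struct pkt *p, int type, struct inner_ctx *out)
{
    if (!(p->flags & INNER_FULL))                 /* check 1: flag set */
        return false;
    if (percpu_slot.cookie != (uintptr_t)p->skb)  /* check 2: skb cookie */
        return false;
    if (percpu_slot.type != type)                 /* check 3: tunnel type */
        return false;
    *out = percpu_slot;
    return true;
}

/* Returns packet A's cached transport offset, or -1 when the slot is rejected. */
static int run_case(bool softirq_between, int want_type)
{
    static char skb_a, skb_b;                     /* stand-ins for two skbuffs */
    struct pkt a = { &skb_a, 0 }, b = { &skb_b, 0 };
    struct inner_ctx out;
    ctx_save(&a, TUN_A, 14, 34);                  /* process context parses A */
    if (softirq_between)
        ctx_save(&b, TUN_A, 18, 58);              /* softirq parses B, same CPU */
    return ctx_restore(&a, want_type, &out) ? out.thoff : -1;
}

int main(void)
{
    printf("%d %d %d\n", run_case(false, TUN_A), run_case(true, TUN_A),
           run_case(false, TUN_B));
    return 0;
}
```

Without the cookie check, the interleaved case would hand packet A the offsets that were parsed for packet B.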
Recommendations
For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider disabling the nft_inner functionality until a patch is available. Restrict access to the vulnerable netfilter module to minimize the risk of exploitation. Avoid using the NFT_PKTINFO_INNER_FULL flag in affected API endpoints until the issue is resolved.
Exploit
Fix
Race Condition
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Suse
Ubuntu