CVE-2024-56655

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.74

Description The issue is related to the netfilter component of the Linux kernel, specifically with the nf tables subsystem. The problem arises when the nf tables chain destroy function is used from call rcu callbacks, which can cause it to sleep and lead to issues. Additionally, the nf tables rule release function is only safe for error unwinding when the transaction mutex is held, and the rule to be destroyed has not been exposed to the dataplane or dumps. The nft rule expr deactivate callbacks can change the use counters of other chains or sets, which must be serialized via the transaction mutex. The synchronize rcu function is used to address this issue, but it is not ideal and may need to be revisited in the future.

Recommendations For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider disabling the nf tables chain destroy function until a patch is available. Restrict access to the nf tables subsystem to minimize the risk of exploitation. Avoid using the nft rule expr deactivate callbacks in the affected API endpoints until the issue is resolved.