PT-2024-8435 · Linux+8 · Linux Kernel+8
Pablo Neira Ayuso · Published 2024-02-28 · Updated 2026-03-14 · CVE-2024-27415
CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The vulnerability is in the bridge functionality of the netfilter component in the Linux kernel. The conntrack nf_confirm logic cannot handle cloned skbs that reference the same nf_conn entry, which happens for multicast or broadcast frames on bridges. This can lead to a race condition between the macvlan broadcast worker and the normal confirm path. The workaround is to explicitly confirm the entry at LOCAL_IN time, before the upper layer has a chance to clone the unconfirmed entry. However, this workaround disables NAT and conntrack helpers. An alternative fix would be to add locking to all code parts that deal with unconfirmed packets, but this opens up other problems.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Improper Locking
Race Condition
Related Identifiers
Affected Products
Almalinux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu