CVE-2024-35898: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can run concurrently with __nft_flowtable_type_get() within nf_tables_newflowtable(). There is no protection when iterating over the nf_tables_flowtables list in __nft_flowtable_type_get(). Therefore, there is a potential data race on nf_tables_flowtables list entries.
Use list_for_each_entry_rcu() to iterate over the nf_tables_flowtables list in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller nft_flowtable_type_get() to protect the entire type query process.
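To make the race and the fix concrete, here is an added userspace model of the lookup/unregister pattern described above. It is not kernel code and not part of the advisory: the function names mirror the kernel's, but the list is a plain singly-linked list, a pthread read/write lock stands in for RCU (the kernel uses rcu_read_lock() and list_for_each_entry_rcu()), and the per-type refcount stands in for the try_module_get() reference the kernel takes before leaving the read-side section. The two registered types and the address-family constants are constructed for the example.

```c
/* Added example: userspace model of the lookup pattern fixed for
 * CVE-2024-35898. Not kernel code; names mirror the kernel's for readability. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

enum { NFPROTO_INET = 1, NFPROTO_IPV4 = 2, NFPROTO_IPV6 = 10 }; /* constructed values */

struct nf_flowtable_type {
    struct nf_flowtable_type *next;
    int family;
    const char *name;
    atomic_int refcnt; /* stand-in for the module reference taken by try_module_get() */
};

static struct nf_flowtable_type *nf_tables_flowtables;               /* list head */
static pthread_rwlock_t flowtables_lock = PTHREAD_RWLOCK_INITIALIZER; /* RCU stand-in */

/* Two constructed registrations, standing in for the ipv4/ipv6 flowtable types. */
static struct nf_flowtable_type flowtable_ipv4 = { .family = NFPROTO_IPV4, .name = "ipv4" };
static struct nf_flowtable_type flowtable_ipv6 = { .family = NFPROTO_IPV6, .name = "ipv6" };

/* Writer side: list updates are serialized and exclude readers. */
int nft_register_flowtable_type(struct nf_flowtable_type *type)
{
    pthread_rwlock_wrlock(&flowtables_lock);
    type->next = nf_tables_flowtables;
    nf_tables_flowtables = type;
    pthread_rwlock_unlock(&flowtables_lock);
    return 0;
}

/* Unregister, as nf_flow_inet_module_exit() does on module unload. The model
 * refuses while a lookup still holds a reference, so an entry that a caller is
 * using is never unlinked out from under it. */
int nft_unregister_flowtable_type(struct nf_flowtable_type *type)
{
    int ret = -ENOENT;
    pthread_rwlock_wrlock(&flowtables_lock);
    if (atomic_load(&type->refcnt) > 0) {
        ret = -EBUSY;
    } else {
        for (struct nf_flowtable_type **pp = &nf_tables_flowtables; *pp; pp = &(*pp)->next) {
            if (*pp == type) {
                *pp = type->next;
                ret = 0;
                break;
            }
        }
    }
    pthread_rwlock_unlock(&flowtables_lock);
    return ret;
}

/* Unlocked walk. Before the fix this ran from nf_tables_newflowtable() with
 * nothing stopping a concurrent unregister from unlinking the entry being read.
 * It is only safe when the caller holds the read side. */
static struct nf_flowtable_type *__nft_flowtable_type_get(int family)
{
    for (struct nf_flowtable_type *t = nf_tables_flowtables; t; t = t->next)
        if (t->family == family)
            return t;
    return NULL;
}

/* Fixed pattern: the whole query, including taking a reference on the result,
 * happens inside the read-side critical section. */
struct nf_flowtable_type *nft_flowtable_type_get(int family)
{
    pthread_rwlock_rdlock(&flowtables_lock);
    struct nf_flowtable_type *type = __nft_flowtable_type_get(family);
    if (type)
        atomic_fetch_add(&type->refcnt, 1);
    pthread_rwlock_unlock(&flowtables_lock);
    return type;
}

void nft_flowtable_type_put(struct nf_flowtable_type *type)
{
    atomic_fetch_sub(&type->refcnt, 1);
}

int main(void)
{
    nft_register_flowtable_type(&flowtable_ipv4);
    nft_register_flowtable_type(&flowtable_ipv6);
    struct nf_flowtable_type *t = nft_flowtable_type_get(NFPROTO_IPV6);
    printf("lookup ipv6 -> %s\n", t ? t->name : "(none)");
    printf("unregister while in use -> %d (EBUSY is %d)\n",
           nft_unregister_flowtable_type(&flowtable_ipv6), EBUSY);
    nft_flowtable_type_put(t);
    printf("unregister after put -> %d\n", nft_unregister_flowtable_type(&flowtable_ipv6));
    return 0;
}
```

The design point is the ordering: the reference is taken while the walker is still inside the read-side section, so there is no window in which the entry is found but unprotected. A pthread rwlock is a heavier substitute than RCU, whose readers never block writers, but it preserves the property that matters here: the walk and the unlink cannot interleave.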
Other sources
The Linux kernel CVE team has assigned CVE-2024-35898 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024051951-CVE-2024-35898-a10e@gregkh/T
— Red Hat
Frequently Asked Questions
What is the severity of CVE-2024-35898?
CVE-2024-35898 has been classified with a medium severity level due to its potential to cause data races in the Linux kernel.
How do I fix CVE-2024-35898?
To fix CVE-2024-35898, update your Linux kernel to one of the patched versions: 4.19.312, 5.4.274, 5.10.215, 5.15.154, 6.1.85, 6.6.26, 6.8.5, or 6.9.
Which Linux distributions are affected by CVE-2024-35898?
CVE-2024-35898 affects various versions of the Linux kernel used in Red Hat and Debian distributions.
What components are impacted by CVE-2024-35898?
CVE-2024-35898 specifically impacts the netfilter subsystem within the Linux kernel.
Is CVE-2024-35898 a remote vulnerability?
CVE-2024-35898 is not categorized as a remote vulnerability, but it involves potential data races that could affect system stability.