CVE-2024-35899: netfilter: nf_tables: flush pending destroy work before exit_net release
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: flush pending destroy work before exit_net release
Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier") to address a race between exit_net and the destroy workqueue.
The trace below shows an element to be released via the destroy workqueue while the exit_net path (triggered via module removal) has already released the set that is used in such transaction.
[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465
[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359
[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
[ 1360.547984] Call Trace:
[ 1360.547991] <TASK>
[ 1360.547998] dump_stack_lvl+0x53/0x70
[ 1360.548014] print_report+0xc4/0x610
[ 1360.548026] ? virt_addr_valid+0xba/0x160
[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548176] kasan_report+0xae/0xe0
[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]
[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30
[ 1360.548591] process_one_work+0x2f1/0x670
[ 1360.548610] worker_thread+0x4d3/0x760
[ 1360.548627] ? __pfx_worker_thread+0x10/0x10
[ 1360.548640] kthread+0x16b/0x1b0
[ 1360.548653] ? __pfx_kthread+0x10/0x10
[ 1360.548665] ret_from_fork+0x2f/0x50
[ 1360.548679] ? __pfx_kthread+0x10/0x10
[ 1360.548690] ret_from_fork_asm+0x1a/0x30
[ 1360.548707] </TASK>

[ 1360.548719] Allocated by task 192061:
[ 1360.548726] kasan_save_stack+0x20/0x40
[ 1360.548739] kasan_save_track+0x14/0x30
[ 1360.548750] __kasan_kmalloc+0x8f/0xa0
[ 1360.548760] __kmalloc_node+0x1f1/0x450
[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]
[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]
[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
[ 1360.548927] netlink_unicast+0x367/0x4f0
[ 1360.548935] netlink_sendmsg+0x34b/0x610
[ 1360.548944] ____sys_sendmsg+0x4d4/0x510
[ 1360.548953] ___sys_sendmsg+0xc9/0x120
[ 1360.548961] __sys_sendmsg+0xbe/0x140
[ 1360.548971] do_syscall_64+0x55/0x120
[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d

[ 1360.548994] Freed by task 192222:
[ 1360.548999] kasan_save_stack+0x20/0x40
[ 1360.549009] kasan_save_track+0x14/0x30
[ 1360.549019] kasan_save_free_info+0x3b/0x60
[ 1360.549028] poison_slab_object+0x100/0x180
[ 1360.549036] __kasan_slab_free+0x14/0x30
[ 1360.549042] kfree+0xb6/0x260
[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]
[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]
[ 1360.549221] ops_exit_list+0x50/0xa0
[ 1360.549229] free_exit_list+0x101/0x140
[ 1360.549236] unregister_pernet_operations+0x107/0x160
[ 1360.549245] unregister_pernet_subsys+0x1c/0x30
[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]
[ 1360.549345] __do_sys_delete_module+0x253/0x370
[ 1360.549352] do_syscall_64+0x55/0x120
[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d

(gdb) list __nft_release_table+0x473
0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).
11349         list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11350                 list_del(&flowtable->list);
11351                 nft_use_dec(&table->use);
11352                 nf_tables_flowtable_destroy(flowtable);
11353         }
11354         list_for_each_entry_safe(set, ns, &table->sets, list) {
11355                 list_del(&set->list);
11356                 nft_use_dec(&table->use);
11357                 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11358                         nft_map_deactivat ---truncated---
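The ordering problem the commit message describes, as an added user-space model; this is not kernel code and not part of the advisory or the upstream patch. A destroy work item is still queued with a pointer to a set when the exit_net path releases that set, so the worker later touches released memory. The upstream fix flushes the pending destroy work before the exit_net release, which is the ordering the fixed variant below reproduces. All names (sim_set, sim_table, sim_workqueue, exit_net_unfixed, exit_net_fixed, and the helpers) are hypothetical stand-ins for the nf_tables structures; the sample state (one table, one set, one pending transaction) is constructed.

```c
/* Added example: user-space model of the exit_net vs. destroy-workqueue
 * ordering bug behind CVE-2024-35899. Hypothetical names, not kernel code. */
#include <stdio.h>
#include <string.h>

#define MAX_WORK 16

/* A set owned by a table; `released` plays the role of kfree(). */
struct sim_set {
    char name[16];
    int released;
};

struct sim_table {
    struct sim_set *sets[4];
    int nsets;
};

/* A pending transaction whose deferred destroy step still needs the set. */
struct sim_trans {
    struct sim_set *set;
};

/* Deferred work, standing in for the nf_tables destroy workqueue. */
struct sim_workqueue {
    struct sim_trans pending[MAX_WORK];
    int npending;
    int stale_hits;   /* destroy ran against an already released set */
};

static void queue_destroy_work(struct sim_workqueue *wq, struct sim_set *set)
{
    if (wq->npending < MAX_WORK)
        wq->pending[wq->npending++] = (struct sim_trans){ .set = set };
}

/* Runs every queued destroy item, as the destroy worker would. */
static void run_destroy_work(struct sim_workqueue *wq)
{
    for (int i = 0; i < wq->npending; i++) {
        struct sim_set *set = wq->pending[i].set;
        /* The real worker dereferences the set here; the model only
         * records whether the set had already been released. */
        if (set->released)
            wq->stale_hits++;
    }
    wq->npending = 0;
}

/* Stand-in for the table release in the exit_net path: drops every set. */
static void release_table(struct sim_table *t)
{
    for (int i = 0; i < t->nsets; i++)
        t->sets[i]->released = 1;
    t->nsets = 0;
}

/* Unfixed ordering: sets are released, then the worker gets to run. */
static int exit_net_unfixed(struct sim_table *t, struct sim_workqueue *wq)
{
    release_table(t);
    run_destroy_work(wq);   /* worker wakes up after the release */
    return wq->stale_hits;
}

/* Fixed ordering: drain pending destroy work first, then release. */
static int exit_net_fixed(struct sim_table *t, struct sim_workqueue *wq)
{
    run_destroy_work(wq);   /* models the flush: nothing stays pending */
    release_table(t);
    return wq->stale_hits;
}

/* Constructed sample state: one table, one set, one pending destroy
 * transaction that still references that set. */
static void setup(struct sim_table *t, struct sim_set *set, struct sim_workqueue *wq)
{
    memset(t, 0, sizeof(*t));
    memset(set, 0, sizeof(*set));
    memset(wq, 0, sizeof(*wq));
    strcpy(set->name, "set0");
    t->sets[t->nsets++] = set;
    queue_destroy_work(wq, set);
}

/* Number of accesses to a released set under each ordering. */
int simulate_unfixed(void)
{
    struct sim_table t; struct sim_set s; struct sim_workqueue wq;
    setup(&t, &s, &wq);
    return exit_net_unfixed(&t, &wq);
}

int simulate_fixed(void)
{
    struct sim_table t; struct sim_set s; struct sim_workqueue wq;
    setup(&t, &s, &wq);
    return exit_net_fixed(&t, &wq);
}

int main(void)
{
    printf("unfixed ordering: %d stale access(es)\n", simulate_unfixed());
    printf("fixed ordering:   %d stale access(es)\n", simulate_fixed());
    return 0;
}
```

The model deliberately replaces kfree() with a flag so the stale access is observable and deterministic; in the kernel the same ordering produces the KASAN slab-use-after-free report quoted above. The general lesson for any teardown path is the one the commit title states: drain or flush deferred work that can still reference an object before that object is released.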
Other sources
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: flush pending destroy work before exit_net release
The Linux kernel CVE team has assigned CVE-2024-35899 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024051951-CVE-2024-35899-c56a@gregkh/T
— Red Hat
Linux Kernel is vulnerable to a denial of service, caused by a race condition between exit_net and the destroy workqueue. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
— IBM
Frequently Asked Questions
What is the severity of CVE-2024-35899?
CVE-2024-35899 has a medium severity level due to a race condition in the Linux kernel's netfilter subsystem.
What versions of the Linux kernel are affected by CVE-2024-35899?
CVE-2024-35899 affects multiple Linux kernel versions up to 5.4.274, 5.10.215, 5.15.154, 6.1.85, 6.6.26, 6.8.5, 6.9, and specific Debian kernel versions.
How do I fix CVE-2024-35899?
To fix CVE-2024-35899, update your Linux kernel to the patched versions provided by your Linux distribution.
What components are involved in CVE-2024-35899?
CVE-2024-35899 involves the netfilter (nf_tables) subsystem of the Linux kernel and addresses a race condition between the network namespace exit path (exit_net) and the transaction destroy workqueue.
Is CVE-2024-35899 being actively exploited?
As of now, there is no public evidence suggesting that CVE-2024-35899 is being actively exploited in the wild.