An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: commit cc00bca (the commit referenced by the signature sources below) was reverted in 5.12.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36694.json"
[
{
"id": "CVE-2020-36694-1b85a5ee",
"target": {
"function": "do_add_counters",
"file": "net/ipv4/netfilter/ip_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "287806720850193310016503636261521888800",
"length": 890.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-1c4f0683",
"target": {
"function": "compat_copy_entries_to_user",
"file": "net/ipv6/netfilter/ip6_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "26345684027643892511977119468421735097",
"length": 492.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-223462e2",
"target": {
"file": "net/ipv6/netfilter/ip6_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"threshold": 0.9,
"line_hashes": [
"218907640642858146468316798862913717950",
"148102864186220767147187230851625460921",
"269242878181005893800994882649086766035",
"277775902221534574768067311158564953445",
"306996741637776917780416916867164949546",
"329885426030342522094873091818967834684",
"286494198521870312704521161251917854314",
"180996007242692325163058268885913888712",
"45341736026291327007827686543079162219",
"66803124862983355484523719333330657921",
"258303870844208751487534199398742037909",
"298838509672281399234089763798576015471",
"40853164468490565747250255362401831652",
"263590980728349649845443847243586027407",
"120830856864242101774128820438382331634",
"79090915176140027850303211537927118314",
"17525996651526063926610410502414849690",
"4889613954424806638611598887136197369",
"40903778361750019305317011287452845357",
"6892502737492893123982128582448700212",
"283289952947100093001124524789414732599",
"302986072416130171433139005642214307153",
"81171078623702157915337134994328481364",
"47822500734089955274493026559767933664",
"237370407275048885521932298468785647248",
"139811955588174456482779019188826471287",
"280277581179509506320095247179219689447",
"19391989884341360802334285943969631321"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2020-36694-31a5ec64",
"target": {
"function": "get_entries",
"file": "net/ipv4/netfilter/arp_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "280058084459510629174813517534675823468",
"length": 679.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-4138b7a7",
"target": {
"file": "include/linux/netfilter/x_tables.h"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"threshold": 0.9,
"line_hashes": [
"4107535753937264465087124162071053641",
"138290195788118366961422361626342408996",
"212174451327004456633784788283009602084",
"55880094584474203217991230667671040229",
"91101179167335928617784910894544501712",
"223296837173404177619604792569544529284",
"133072482170029588215332698749234047684"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2020-36694-42e43d88",
"target": {
"function": "compat_copy_entries_to_user",
"file": "net/ipv4/netfilter/arp_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "26345684027643892511977119468421735097",
"length": 492.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-48186d00",
"target": {
"function": "alloc_counters",
"file": "net/ipv4/netfilter/ip_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "31520430789673299605847685196706075441",
"length": 275.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-50d0f0d8",
"target": {
"function": "get_entries",
"file": "net/ipv6/netfilter/ip6_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "262404261464103066263185631172279070611",
"length": 670.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-52b44e68",
"target": {
"function": "alloc_counters",
"file": "net/ipv6/netfilter/ip6_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "31520430789673299605847685196706075441",
"length": 275.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-53f7ef17",
"target": {
"file": "net/ipv4/netfilter/ip_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"threshold": 0.9,
"line_hashes": [
"218907640642858146468316798862913717950",
"148102864186220767147187230851625460921",
"269242878181005893800994882649086766035",
"316140752993487959946012306046789848836",
"306996741637776917780416916867164949546",
"329885426030342522094873091818967834684",
"286494198521870312704521161251917854314",
"180996007242692325163058268885913888712",
"320857405649760881714809019854190026445",
"137327825708221162354769985959476927966",
"258303870844208751487534199398742037909",
"298838509672281399234089763798576015471",
"24340971585705299631410153597803719636",
"31726463557268884377974746487992775468",
"166389751354913855385724702482904724434",
"79090915176140027850303211537927118314",
"167971819385877304019149304493042266830",
"185579038395937967694931412737027209205",
"131729938813612960332298020505715947047",
"321416839788770595891701957448962101320",
"283289952947100093001124524789414732599",
"302986072416130171433139005642214307153",
"81171078623702157915337134994328481364",
"47822500734089955274493026559767933664",
"237370407275048885521932298468785647248",
"139811955588174456482779019188826471287",
"280277581179509506320095247179219689447",
"19391989884341360802334285943969631321"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2020-36694-7b74e24b",
"target": {
"function": "get_info",
"file": "net/ipv6/netfilter/ip6_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "149372080482605568713524435806926155008",
"length": 1219.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-7d54c3a5",
"target": {
"function": "get_entries",
"file": "net/ipv4/netfilter/ip_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "236307217106387847536621778854684207474",
"length": 675.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-8879311a",
"target": {
"function": "xt_replace_table",
"file": "net/netfilter/x_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "53849511800639459620147079595466992389",
"length": 898.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-88ec4a7f",
"target": {
"function": "xt_unregister_table",
"file": "net/netfilter/x_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "43980771138927085813487645238199012437",
"length": 323.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-890d6e32",
"target": {
"function": "copy_entries_to_user",
"file": "net/ipv4/netfilter/arp_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "173126178873226562001506615183210341639",
"length": 861.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-956bc38d",
"target": {
"file": "net/ipv4/netfilter/arp_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"threshold": 0.9,
"line_hashes": [
"28188808051565455663139204913383132533",
"148102864186220767147187230851625460921",
"269242878181005893800994882649086766035",
"274018456928653587932604227993817645238",
"306996741637776917780416916867164949546",
"329885426030342522094873091818967834684",
"286494198521870312704521161251917854314",
"180996007242692325163058268885913888712",
"175536995777423094592270965850834449893",
"10029155545848331159815540582150176034",
"191814362690674668514303700963724588759",
"37815055060649365577455411798167870601",
"145354812426239721018753366632643375187",
"149849314849256050482398209815070454566",
"99356792036543020937190525462296037865",
"79090915176140027850303211537927118314",
"143458345752846981706763797418080226860",
"109592524452002352837724647592337732982",
"131729938813612960332298020505715947047",
"321416839788770595891701957448962101320",
"283289952947100093001124524789414732599",
"302986072416130171433139005642214307153",
"81171078623702157915337134994328481364",
"47822500734089955274493026559767933664",
"237370407275048885521932298468785647248",
"139811955588174456482779019188826471287",
"280277581179509506320095247179219689447",
"19391989884341360802334285943969631321"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2020-36694-962323a1",
"target": {
"function": "get_info",
"file": "net/ipv4/netfilter/ip_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "149027289233139215870231144512557371952",
"length": 1215.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-993f05b3",
"target": {
"function": "compat_copy_entries_to_user",
"file": "net/ipv4/netfilter/ip_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "26345684027643892511977119468421735097",
"length": 492.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-abfcdaf9",
"target": {
"function": "copy_entries_to_user",
"file": "net/ipv4/netfilter/ip_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "261100668994555143864682472324324924885",
"length": 1113.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-bebceed6",
"target": {
"function": "do_add_counters",
"file": "net/ipv6/netfilter/ip6_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "68033497468904872873813085505605652593",
"length": 891.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-c018feb1",
"target": {
"file": "net/netfilter/x_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"threshold": 0.9,
"line_hashes": [
"186424058271595603946963252080456843775",
"213979241682001519439812143864436324499",
"223635279337991471254116197579706953728",
"41415479824379880465762924051063047605",
"74611344168530105469462289379911558997",
"319872270320724510929538044745514603873",
"138546912225457399397365554783096591000",
"306376122400906856163111978909534900019",
"36240972496324311852097729599157955704",
"56882845332108004700065142628525360424",
"230539481089177748789971215729070646846",
"78499254526449308264370775282617098672",
"11755130920558741964528483367076072077",
"210146039441909243510350266369285977161",
"256194873525963361712316027959918020533",
"20953126662145770453186483476942278843",
"83793859196300205505033236811546277568",
"61369149105624300132649596500626462028",
"3914444633268796098934705917379740552",
"158479664952532688857792864336934085673",
"209339205680830568272816216218137821854",
"104528233649640731880035866039954157947",
"201434613710959153110545190444842736057",
"212572634420532530254611313050015268886",
"49442372159378665253228291673316864456",
"240084686726590176520729297897063276767",
"25726175423835831159778461838660961044",
"59324350534236857608765762412994651031",
"189466778567241628480240189099790044638",
"12452650826774814574004738951645311754",
"221165537159608997383260963846426778965",
"282330053024021510458203818152784891151",
"36180487267837202016019035491507626338",
"13499428141867049026713618973525185801",
"24818645104257555664099487130846381078",
"48106730506616852268102587467410139132",
"210598909204149090164286845522006723073",
"262598454394804946153054997612000933980",
"62164303559380808716205915257299208698",
"159698639776280150866541540012897476805",
"320524099650391762642450209158678800426",
"98389044965375715241546878395633913582",
"200193991467516765014718000536341524363",
"55819498940674033139174602249215420946",
"106250556266448649967756820658794360619"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2020-36694-c0ba7f31",
"target": {
"function": "get_info",
"file": "net/ipv4/netfilter/arp_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "132345941612480520098943066852181760050",
"length": 1231.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-cbfe1ced",
"target": {
"function": "do_add_counters",
"file": "net/ipv4/netfilter/arp_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "209148685202284534671902789680918745910",
"length": 894.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-e7ce3376",
"target": {
"function": "xt_register_table",
"file": "net/netfilter/x_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "48426516184708819712565162465850447411",
"length": 879.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-e98b2c60",
"target": {
"function": "alloc_counters",
"file": "net/ipv4/netfilter/arp_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "31520430789673299605847685196706075441",
"length": 275.0
},
"signature_type": "Function"
},
{
"id": "CVE-2020-36694-ef9de6c8",
"target": {
"function": "copy_entries_to_user",
"file": "net/ipv6/netfilter/ip6_tables.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@cc00bcaa589914096edef7fb87ca5cee4a166b5c",
"digest": {
"function_hash": "261100668994555143864682472324324924885",
"length": 1113.0
},
"signature_type": "Function"
}
]