In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: set dormant flag on hook register failure
We need to set the dormant flag again if we fail to register the hooks.
During memory pressure hook registration can fail and we end up with a table marked as active but no registered hooks.
On table/base chain deletion, nf_tables will attempt to unregister the hook again which yields a warn splat from the nftables core.
{ "vanir_signatures": [ { "signature_version": "v1", "target": { "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6411f3c48f991c19aaf9a24fce36865fbba28d7", "deprecated": false, "digest": { "line_hashes": [ "289363562754379897366750245509186448499", "314196122392329421803411143933538718126", "241397932790818689196147954515884370561", "73279023140974104737352957229112143666" ], "threshold": 0.9 }, "id": "CVE-2024-26835-0a8ffebd" }, { "signature_version": "v1", "target": { "function": "nf_tables_updtable", "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@664264a5c55bf97a9c571c557d477b75416199be", "deprecated": false, "digest": { "length": 1358.0, "function_hash": "157624459052985143852082903429746174938" }, "id": "CVE-2024-26835-0f852f17" }, { "signature_version": "v1", "target": { "function": "nf_tables_updtable", "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6411f3c48f991c19aaf9a24fce36865fbba28d7", "deprecated": false, "digest": { "length": 1199.0, "function_hash": "314387962101168494861526206911077257749" }, "id": "CVE-2024-26835-1daf8b4d" }, { "signature_version": "v1", "target": { "function": "nf_tables_updtable", "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ae4360cbd385f0d7a8a86d5723e50448cc6318f3", "deprecated": false, "digest": { "length": 1199.0, "function_hash": "314387962101168494861526206911077257749" }, "id": "CVE-2024-26835-1ef1515a" }, { "signature_version": "v1", "target": { "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6f2496366426cec18ba53f1c7f6c3ac307ca6a95", "deprecated": false, "digest": { "line_hashes": [ "289363562754379897366750245509186448499", "314196122392329421803411143933538718126", "241397932790818689196147954515884370561", "73279023140974104737352957229112143666" ], "threshold": 0.9 }, "id": "CVE-2024-26835-244b838d" }, { "signature_version": "v1", "target": { "function": "nf_tables_updtable", "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bccebf64701735533c8db37773eeacc6566cc8ec", "deprecated": false, "digest": { "length": 1358.0, "function_hash": "157624459052985143852082903429746174938" }, "id": "CVE-2024-26835-24c42e1a" }, { "signature_version": "v1", "target": { "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ae4360cbd385f0d7a8a86d5723e50448cc6318f3", "deprecated": false, "digest": { "line_hashes": [ "289363562754379897366750245509186448499", "314196122392329421803411143933538718126", "241397932790818689196147954515884370561", "73279023140974104737352957229112143666" ], "threshold": 0.9 }, "id": "CVE-2024-26835-35bd33e2" }, { "signature_version": "v1", "target": { "function": "nf_tables_updtable", "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0c9302a6da262e6ab6a6c1d30f04a6130ed97376", "deprecated": false, "digest": { "length": 1358.0, "function_hash": "157624459052985143852082903429746174938" }, "id": "CVE-2024-26835-37b58417" }, { "signature_version": "v1", "target": { "function": "nf_tables_updtable", "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6f2496366426cec18ba53f1c7f6c3ac307ca6a95", "deprecated": false, "digest": { "length": 1358.0, "function_hash": "157624459052985143852082903429746174938" }, "id": "CVE-2024-26835-462a2c2f" }, { "signature_version": "v1", "target": { "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0c9302a6da262e6ab6a6c1d30f04a6130ed97376", "deprecated": false, "digest": { "line_hashes": [ "289363562754379897366750245509186448499", "314196122392329421803411143933538718126", "241397932790818689196147954515884370561", "73279023140974104737352957229112143666" ], "threshold": 0.9 }, "id": "CVE-2024-26835-5b075ecb" }, { "signature_version": "v1", "target": { "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@31ea574aeca1aa488e18716459bde057217637af", "deprecated": false, "digest": { "line_hashes": [ "289363562754379897366750245509186448499", "314196122392329421803411143933538718126", "241397932790818689196147954515884370561", "73279023140974104737352957229112143666" ], "threshold": 0.9 }, "id": "CVE-2024-26835-784c4f45" }, { "signature_version": "v1", "target": { "function": "nf_tables_updtable", "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@31ea574aeca1aa488e18716459bde057217637af", "deprecated": false, "digest": { "length": 1199.0, "function_hash": "314387962101168494861526206911077257749" }, "id": "CVE-2024-26835-7f8a5244" }, { "signature_version": "v1", "target": { "function": "nf_tables_updtable", "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f2135bbf14949687e96cabb13d8a91ae3deb9069", "deprecated": false, "digest": { "length": 1358.0, "function_hash": "157624459052985143852082903429746174938" }, "id": "CVE-2024-26835-833911b6" }, { "signature_version": "v1", "target": { "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f2135bbf14949687e96cabb13d8a91ae3deb9069", "deprecated": false, "digest": { "line_hashes": [ "289363562754379897366750245509186448499", "314196122392329421803411143933538718126", "241397932790818689196147954515884370561", "73279023140974104737352957229112143666" ], "threshold": 0.9 }, "id": "CVE-2024-26835-ba9b2f06" }, { "signature_version": "v1", "target": { "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bccebf64701735533c8db37773eeacc6566cc8ec", "deprecated": false, "digest": { "line_hashes": [ "289363562754379897366750245509186448499", "314196122392329421803411143933538718126", "241397932790818689196147954515884370561", "73279023140974104737352957229112143666" ], "threshold": 0.9 }, "id": "CVE-2024-26835-c7702293" }, { "signature_version": "v1", "target": { "file": "net/netfilter/nf_tables_api.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@664264a5c55bf97a9c571c557d477b75416199be", "deprecated": false, "digest": { "line_hashes": [ "289363562754379897366750245509186448499", "314196122392329421803411143933538718126", "241397932790818689196147954515884370561", "73279023140974104737352957229112143666" ], "threshold": 0.9 }, "id": "CVE-2024-26835-caaea4b8" } ] }