CVE-2024-27011

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-27011
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27011.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-27011
Downstream
Related
Published
2024-05-01T05:29:33Z
Modified
2025-10-15T09:38:13.850009Z
Summary
netfilter: nf_tables: fix memleak in map from abort path
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix memleak in map from abort path

The delete set command does not rely on the transaction object for element removal, therefore, a combination of delete element + delete set from the abort path could result in restoring twice the refcount of the mapping.

Check for inactive element in the next generation for the delete element command in the abort path, skip restoring state if next generation bit has been already cleared. This is similar to the activate logic using the set walk iterator.

[ 6170.286929] ------------[ cut here ]------------ [ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nftablesapi.c:2086 nftableschaindestroy+0x1f7/0x220 [nftables] [ 6170.287071] Modules linked in: [...] [ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365 [ 6170.287768] RIP: 0010:nftableschaindestroy+0x1f7/0x220 [nftables] [ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f [ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202 [ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000 [ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750 [ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55 [ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10 [ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100 [ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000 [ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0 [ 6170.287962] Call Trace: [ 6170.287967] <TASK> [ 6170.287973] ? _warn+0x9f/0x1a0 [ 6170.287986] ? nftableschaindestroy+0x1f7/0x220 [nftables] [ 6170.288092] ? reportbug+0x1b1/0x1e0 [ 6170.287986] ? nftableschaindestroy+0x1f7/0x220 [nftables] [ 6170.288092] ? reportbug+0x1b1/0x1e0 [ 6170.288104] ? handlebug+0x3c/0x70 [ 6170.288112] ? excinvalidop+0x17/0x40 [ 6170.288120] ? asmexcinvalidop+0x1a/0x20 [ 6170.288132] ? nftableschaindestroy+0x2b/0x220 [nftables] [ 6170.288243] ? nftableschaindestroy+0x1f7/0x220 [nftables] [ 6170.288366] ? nftableschaindestroy+0x2b/0x220 [nftables] [ 6170.288483] nftablestransdestroywork+0x588/0x590 [nftables]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
591054469b3eef34bc097c30fae8ededddf8d796
Fixed
a1bd2a38a1c6388fc8556816dc203c3e9dc52237
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
591054469b3eef34bc097c30fae8ededddf8d796
Fixed
49d0e656d19dfb2d4d7c230e4a720d37b3decff6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
591054469b3eef34bc097c30fae8ededddf8d796
Fixed
86a1471d7cde792941109b93b558b5dc078b9ee9

Affected versions

v4.*

v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.9-rc1
v6.9-rc2
v6.9-rc3

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 4972.0,
                "function_hash": "78654358895170777360131503341502971955"
            },
            "target": {
                "function": "__nf_tables_abort",
                "file": "net/netfilter/nf_tables_api.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49d0e656d19dfb2d4d7c230e4a720d37b3decff6",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2024-27011-370a4970"
        },
        {
            "digest": {
                "line_hashes": [
                    "203586936109444366242071767007423245183",
                    "178642018270440795901829290312295202283",
                    "282706211143415985321365995232007308570",
                    "157469826022740997229745069981359550591",
                    "97724755681747258073015841018807206253",
                    "194629696323396599842659395911569206892",
                    "294825549666935757080135386190083696406",
                    "8948517610827777679222857840344161570"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "net/netfilter/nf_tables_api.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49d0e656d19dfb2d4d7c230e4a720d37b3decff6",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2024-27011-6e039538"
        },
        {
            "digest": {
                "line_hashes": [
                    "203586936109444366242071767007423245183",
                    "178642018270440795901829290312295202283",
                    "42809194307549414420072357987125348913",
                    "292894651474677907334922381648652875696",
                    "271640077213380045136982822705518745744",
                    "228541641654769868990418513769269751108",
                    "51665827376134223094294190416743101053",
                    "270876326490103611067795432907298666207"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "net/netfilter/nf_tables_api.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a1bd2a38a1c6388fc8556816dc203c3e9dc52237",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2024-27011-7f774145"
        },
        {
            "digest": {
                "length": 5124.0,
                "function_hash": "162438593612011753918359045499906186802"
            },
            "target": {
                "function": "__nf_tables_abort",
                "file": "net/netfilter/nf_tables_api.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@86a1471d7cde792941109b93b558b5dc078b9ee9",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2024-27011-a3a89030"
        },
        {
            "digest": {
                "length": 4957.0,
                "function_hash": "31328192555482988282204398979086776288"
            },
            "target": {
                "function": "__nf_tables_abort",
                "file": "net/netfilter/nf_tables_api.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a1bd2a38a1c6388fc8556816dc203c3e9dc52237",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2024-27011-a8a551ca"
        },
        {
            "digest": {
                "line_hashes": [
                    "203586936109444366242071767007423245183",
                    "178642018270440795901829290312295202283",
                    "282706211143415985321365995232007308570",
                    "157469826022740997229745069981359550591",
                    "97724755681747258073015841018807206253",
                    "194629696323396599842659395911569206892",
                    "294825549666935757080135386190083696406",
                    "8948517610827777679222857840344161570"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "net/netfilter/nf_tables_api.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@86a1471d7cde792941109b93b558b5dc078b9ee9",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2024-27011-c9168bf7"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.12.0
Fixed
6.6.55
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.8