In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: Fix suspicious rcu_dereference_protected()
When destroying all sets, we are either in pernet exit phase or are executing a "destroy all sets command" from userspace. The latter was taken into account in ip_set_dereference() (nfnetlink mutex is held), but the former was not. The patch adds the required check to rcu_dereference_protected() in ip_set_dereference().
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@94dd411c18d7fff9e411555d5c662d29416501e4", "signature_version": "v1", "target": { "file": "net/netfilter/ipset/ip_set_core.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326574652377410874773892851153546621962", "138755469778921685069520776218250261796", "36614010016123833433507648879656038446", "119997001223198039012025147970635919306", "70959843543171492307528580070181076458", "161214841357101622036904032634644944170", "333423406711166378668303983676443825691", "285138110753696172077747438865828015856", "246172943507347689702502002141160348827", "15664527882070601522295956165258967349", "73967937994562294293921281888255514547" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-40993-147ffbe6" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ecd06277a7664f4ef018abae3abd3451d64e7a6", "signature_version": "v1", "target": { "file": "net/netfilter/ipset/ip_set_core.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326574652377410874773892851153546621962", "138755469778921685069520776218250261796", "36614010016123833433507648879656038446", "119997001223198039012025147970635919306", "70959843543171492307528580070181076458", "161214841357101622036904032634644944170", "333423406711166378668303983676443825691", "285138110753696172077747438865828015856", "246172943507347689702502002141160348827", "15664527882070601522295956165258967349", "73967937994562294293921281888255514547" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-40993-453a1174" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3fc09e1ca854bc234e007a56e0f7431f5e2defb5", "signature_version": "v1", "target": { "file": "net/netfilter/ipset/ip_set_core.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326574652377410874773892851153546621962", "138755469778921685069520776218250261796", 
"36614010016123833433507648879656038446", "119997001223198039012025147970635919306", "70959843543171492307528580070181076458", "161214841357101622036904032634644944170", "333423406711166378668303983676443825691", "285138110753696172077747438865828015856", "246172943507347689702502002141160348827", "15664527882070601522295956165258967349", "73967937994562294293921281888255514547" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-40993-55d46f60" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@523bed6489e089dd8040e72453fb79da47b144c2", "signature_version": "v1", "target": { "file": "net/netfilter/ipset/ip_set_core.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326574652377410874773892851153546621962", "138755469778921685069520776218250261796", "36614010016123833433507648879656038446", "119997001223198039012025147970635919306", "70959843543171492307528580070181076458", "161214841357101622036904032634644944170", "333423406711166378668303983676443825691", "285138110753696172077747438865828015856", "246172943507347689702502002141160348827", "15664527882070601522295956165258967349", "73967937994562294293921281888255514547" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-40993-7f0b4d22" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3799d02ae4208af08e81310770d8754863a246a1", "signature_version": "v1", "target": { "file": "net/netfilter/ipset/ip_set_core.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326574652377410874773892851153546621962", "138755469778921685069520776218250261796", "36614010016123833433507648879656038446", "119997001223198039012025147970635919306", "70959843543171492307528580070181076458", "161214841357101622036904032634644944170", "308690979633614444546122736028944006224", "285138110753696172077747438865828015856", "246172943507347689702502002141160348827", "15664527882070601522295956165258967349", "73967937994562294293921281888255514547" 
] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-40993-84b6955a" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72d9611968867cc4c5509e7708b1507d692b797a", "signature_version": "v1", "target": { "file": "net/netfilter/ipset/ip_set_core.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326574652377410874773892851153546621962", "138755469778921685069520776218250261796", "36614010016123833433507648879656038446", "119997001223198039012025147970635919306", "70959843543171492307528580070181076458", "161214841357101622036904032634644944170", "333423406711166378668303983676443825691", "285138110753696172077747438865828015856", "246172943507347689702502002141160348827", "15664527882070601522295956165258967349", "73967937994562294293921281888255514547" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-40993-871427ac" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@788d585e62f487bc4536d454937f737b70d39a33", "signature_version": "v1", "target": { "file": "net/netfilter/ipset/ip_set_core.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326574652377410874773892851153546621962", "138755469778921685069520776218250261796", "36614010016123833433507648879656038446", "119997001223198039012025147970635919306", "70959843543171492307528580070181076458", "161214841357101622036904032634644944170", "333423406711166378668303983676443825691", "285138110753696172077747438865828015856", "246172943507347689702502002141160348827", "15664527882070601522295956165258967349", "73967937994562294293921281888255514547" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-40993-d63fdfa4" } ]