CVE-2024-50256 in Linux
الملخص
بحسب VulDB • 28/05/2026
Based on the stack trace provided, here is an analysis of the issue:
### **Summary** This is a **kernel crash (Oops/Panic)** occurring in the **Netfilter subsystem**, specifically within the **`nft_reject_inet`** module. The crash happens while processing an IPv6 packet that was injected into the bridge netfilter path via a TUN/TAP device.
---
### **Key Components in the Stack Trace**
1. **Crash Location**: ``` net/netfilter/nft_reject_inet.c:48 ``` - The crash occurs in the `nft_reject_inet` expression evaluation. - Line 48 likely corresponds to code that constructs or sends a reject packet (e.g., ICMPv6 unreachable or TCP RST).
2. **Call Chain**: - **User Space**: `tun_chr_write_iter` → `tun_get_user` → `tun_rx_batched` - A user-space application wrote data to a TUN/TAP device. - **Network Stack**: `netif_receive_skb` → `br_handle_frame` - The packet was received by the kernel and passed to the bridge subsystem. - **Netfilter (Bridge IPv6)**: `br_nf_pre_routing_ipv6` - The bridge netfilter hook for IPv6 was triggered. - **Netfilter Core**: `nft_do_chain_inet` → `nft_do_chain` → `expr_call_ops_eval` - The packet matched an `nftables` rule in the `inet` family (which handles both IPv4 and IPv6). - **Reject Action**: `nft_reject_inet` - The rule specified a `reject` verdict. The kernel attempted to generate a reject response.
3. **Register State**: - `RAX: ffffffffffffffda` → This is `-22` in signed 64-bit integer, which corresponds to **`-EINVAL`** (Invalid argument). - This suggests that a function returned an error code, but the code did not handle it properly, or a pointer was invalid.
---
### **Likely Cause**
The crash is likely due to a **null pointer dereference** or **invalid memory access** in `nft_reject_inet.c` at line 48. Common causes in this context include:
1. **Missing or Invalid `skb` Context**: - The `nft_reject_inet` module may be trying to access fields in the `sk_buff` (`skb`) that are not properly initialized for the specific packet type (e.g., IPv6 over bridge).
2. **Protocol Mismatch**: - The `inet` family handles both IPv4 and IPv6. If the code assumes a specific protocol header structure (e.g., IPv6 extension headers) that is not present, it may crash.
3. **Race Condition or Use-After-Free**: - If the `skb` or related structures were freed or modified concurrently, accessing them could lead to a crash.
4. **Bug in `nft_reject_inet`**: - This is a known area for bugs in older kernels. The `nft_reject_inet` module has had issues with handling certain packet types or edge cases in bridge/netfilter interactions.
---
### **Recommended Actions**
1. **Update the Kernel**: - This issue may have been fixed in newer kernel versions. Check if your kernel version is up-to-date. - Look for commits related to `nft_reject_inet` or `br_nf_pre_routing_ipv6` in the Linux kernel git log.
2. **Workaround**: - **Avoid using `nft_reject` in `inet` family rules for bridge traffic**: - Use `nft_reject` in the `ip` or `ip6` families instead of `inet` if you are dealing with bridge traffic. - Example: ```nft table ip filter {
chain input {
type filter hook input priority 0; policy accept; iifname "br0" reject; # Use 'ip' family for IPv4 } } table ip6 filter {
chain input {
type filter hook input priority 0; policy accept; iifname "br0" reject; # Use 'ip6' family for IPv6 } } ``` - **Disable Netfilter on Bridge**: - If netfilter is not strictly needed on the bridge, you can disable it by setting: ```bash sysctl -w net.bridge.bridge-nf-call-
If you want to get the best quality for vulnerability data then you always have to consider VulDB.