CVE-2024-27018 in Linux
Summary
by MITRE • 05/01/2024
In the Linux kernel, the following vulnerability has been resolved:
netfilter: br_netfilter: skip conntrack input hook for promisc packets
For historical reasons, when bridge device is in promisc mode, packets that are directed to the taps follow bridge input hook path. This patch adds a workaround to reset conntrack for these packets.
Jianbo Liu reports warning splats in their test infrastructure where cloned packets reach the br_netfilter input hook to confirm the conntrack object.
Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has reached the input hook because it is passed up to the bridge device to reach the taps.
[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]
[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core
[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19
[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]
[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1
[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202
[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000
[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000
[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003
[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000
[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800
[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000
[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0
[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000 [ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400 [ 57.585440] Call Trace:
[ 57.585721]
[ 57.585976] ? __warn+0x7d/0x130
[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]
[ 57.586811] ? report_bug+0xf1/0x1c0
[ 57.587177] ? handle_bug+0x3f/0x70
[ 57.587539] ? exc_invalid_op+0x13/0x60
[ 57.587929] ? asm_exc_invalid_op+0x16/0x20
[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]
[ 57.588825] nf_hook_slow+0x3d/0xd0
[ 57.589188] ? br_handle_vlan+0x4b/0x110
[ 57.589579] br_pass_frame_up+0xfc/0x150
[ 57.589970] ? br_port_flags_change+0x40/0x40
[ 57.590396] br_handle_frame_finish+0x346/0x5e0
[ 57.590837] ? ipt_do_table+0x32e/0x430
[ 57.591221] ? br_handle_local_finish+0x20/0x20
[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]
[ 57.592286] ? br_handle_local_finish+0x20/0x20
[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]
[ 57.593348] ? br_handle_local_finish+0x20/0x20
[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]
[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]
[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]
[ 57.595280] br_handle_frame+0x1f3/0x3d0
[ 57.595676] ? br_handle_local_finish+0x20/0x20
[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0
[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0
[ 57.597017] ? __napi_build_skb+0x37/0x40
[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/07/2026
The vulnerability described in CVE-2024-27018 affects the Linux kernel's netfilter subsystem, specifically within the br_netfilter module that handles bridge network filtering. This issue occurs when a bridge device operates in promiscuous mode, where packets intended for taps are processed through the bridge input hook path. The problem manifests as warning splats in kernel logs indicating that cloned packets are reaching the br_netfilter input hook, which leads to improper handling of connection tracking objects. The technical root cause lies in how the kernel manages packet flow when bridge devices are in promiscuous mode, resulting in a scenario where packets that should bypass certain processing steps instead trigger unnecessary connection tracking operations.
The vulnerability presents a significant risk to network infrastructure stability and security. When packets reach the br_netfilter input hook inappropriately, the kernel's connection tracking mechanism becomes confused, potentially leading to resource exhaustion or incorrect network behavior. This misconfiguration can cause system instability, particularly in environments where bridge devices operate in promiscuous mode, which is common in virtualized environments, network monitoring setups, or complex network topologies. The warning messages in the kernel logs indicate that the system has encountered an unexpected state where connection tracking objects are being processed inappropriately, potentially causing denial of service conditions or data integrity issues.
The operational impact of this vulnerability extends beyond simple system warnings to potentially compromise network security and performance. Systems using bridge devices in promiscuous mode may experience degraded performance due to unnecessary processing of cloned packets through connection tracking hooks. From a security perspective, improper handling of connection tracking can lead to incorrect network behavior that might be exploited by attackers to bypass network controls or cause unexpected packet handling. The vulnerability affects systems running kernel versions that include the br_netfilter module and are configured with bridge devices operating in promiscuous mode, making it particularly relevant in virtualized environments where such configurations are common.
The fix for CVE-2024-27018 addresses this issue by implementing a workaround that resets connection tracking for packets that reach the bridge input hook path in promiscuous mode scenarios. This solution modifies the BR_INPUT_SKB_CB structure to scratch one bit that annotates when a packet has reached the input hook because it was passed up to the bridge device to reach the taps. This change prevents the connection tracking system from processing these packets inappropriately while maintaining the correct network behavior for legitimate traffic. The patch specifically targets the br_netfilter module's handling of packets in promiscuous mode scenarios, ensuring that cloned packets bypass unnecessary connection tracking operations without affecting normal network functionality.
This vulnerability aligns with CWE-1218, which deals with improper handling of network packets in kernel space, and relates to ATT&CK technique T1071.004 for application layer protocol: DNS, as connection tracking errors can impact network protocol handling. The fix represents a targeted approach to address a specific kernel subsystem issue rather than a broad security vulnerability, but its impact on network stability makes it critical for system administrators to apply. Organizations using bridge networking with promiscuous mode should prioritize this patch, particularly in production environments where network reliability is paramount. The solution demonstrates the complexity of kernel networking subsystems and the importance of proper packet flow management in virtualized and bridge-based network configurations.