CVE-2024-36005 in Linux
Summary
by MITRE • 05/20/2024
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: honor table dormant flag from netdev release event path
Check for table dormant flag otherwise netdev release event path tries to unregister an already unregistered hook.
[524854.857999] ------------[ cut here ]------------
[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260
[...]
[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365
[524854.858869] Workqueue: netns cleanup_net
[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260
[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41
[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246
[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a
[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438
[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34
[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005
[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00
[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0
[524854.859000] Call Trace:
[524854.859006] <TASK>
[524854.859013] ? __warn+0x9f/0x1a0
[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260
[524854.859044] ? report_bug+0x1b1/0x1e0
[524854.859060] ? handle_bug+0x3c/0x70
[524854.859071] ? exc_invalid_op+0x17/0x40
[524854.859083] ? asm_exc_invalid_op+0x1a/0x20
[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260
[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260
[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]
[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]
[524854.859461] ? packet_notifier+0xb3/0x360
[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40
[524854.859489] ? dcbnl_netdevice_event+0x35/0x140
[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]
[524854.859661] notifier_call_chain+0x7d/0x140
[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0
Analysis
by VulDB Data Team • 12/17/2025
The vulnerability described in CVE-2024-36005 resides in the Linux kernel's netfilter subsystem, specifically in the nf_tables module. It manifests as a race condition or improper state handling during network device release events: the kernel attempts to unregister a netfilter hook that has already been unregistered. The flaw is reached when a network device is torn down (in the log above, from the netns cleanup_net workqueue via unregister_netdevice_many_notify), and the netdev release event path does not account for the table's dormant flag, leading to a kernel panic or system instability.
The fault mechanics hinge on how nf_tables tracks table state during device teardown. When a network device is released, the nf_tables notifier nf_tables_netdev_event attempts to unregister the hooks attached to that device without checking whether their table is dormant; a dormant table's hooks were already unregistered when the dormant flag was set. The result is a double-unregistration attempt, which triggers a kernel warning and ultimately a panic. The kernel log shows __nf_unregister_net_hook being reached from the netdev release event path, with the stack trace giving the problematic call sequence from notifier_call_chain through nf_tables_netdev_event to __nf_unregister_net_hook. The RIP value __nf_unregister_net_hook+0x21a/0x260 places the warning 0x21a bytes into the 0x260-byte function, at net/netfilter/core.c:501, the point where the function detects that the hook it was asked to remove is not registered.
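The following userspace C model is added here as an illustration; it is not kernel code and not part of the advisory. The names struct table, struct hook, TABLE_F_DORMANT, table_set_dormant and the two release handlers are hypothetical stand-ins for the nf_tables structures: setting a table dormant unregisters its hooks, and the netdev release handler is shown both in the unguarded form that produces the double-unregistration and in the form that honors the dormant flag as the resolution describes. A counter stands in for the WARN_ON that __nf_unregister_net_hook raises when asked to remove an unregistered hook.

```c
/*
 * Simplified model of the CVE-2024-36005 failure mode (hypothetical
 * userspace stand-ins for nf_tables state; not kernel code).
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TABLE_F_DORMANT 0x1   /* models NFT_TABLE_F_DORMANT */
#define MAX_HOOKS 4

struct hook {
    const char *dev;          /* netdev this hook is attached to */
    bool registered;
};

struct table {
    unsigned int flags;
    struct hook hooks[MAX_HOOKS];
    int nhooks;
};

/* Counts the warning __nf_unregister_net_hook raises when asked to
 * remove a hook that is not registered (net/netfilter/core.c:501 above). */
static int warn_count;

static void unregister_hook(struct hook *h)
{
    if (!h->registered) {
        warn_count++;         /* stand-in for WARN_ON_ONCE in the kernel */
        return;
    }
    h->registered = false;
}

/* Marking a table dormant unregisters every hook it owns; the table keeps
 * its hook list so it can be re-enabled later. */
static void table_set_dormant(struct table *t)
{
    for (int i = 0; i < t->nhooks; i++)
        unregister_hook(&t->hooks[i]);
    t->flags |= TABLE_F_DORMANT;
}

/* Unguarded release path: unregisters the departing device's hooks
 * without consulting the dormant flag, so a dormant table's hooks are
 * unregistered a second time. */
static void netdev_release_buggy(struct table *t, const char *dev)
{
    for (int i = 0; i < t->nhooks; i++)
        if (strcmp(t->hooks[i].dev, dev) == 0)
            unregister_hook(&t->hooks[i]);
}

/* Release path honoring the dormant flag: a dormant table has no
 * registered hooks, so there is nothing to unregister. */
static void netdev_release_fixed(struct table *t, const char *dev)
{
    if (t->flags & TABLE_F_DORMANT)
        return;
    for (int i = 0; i < t->nhooks; i++)
        if (strcmp(t->hooks[i].dev, dev) == 0)
            unregister_hook(&t->hooks[i]);
}

/* Scenario: a table with hooks on two constructed devices is set dormant,
 * then one device goes away. Returns the number of spurious unregister
 * attempts (the warning count), which is 0 on the fixed path. */
static int run_scenario(bool fixed)
{
    struct table t = {
        .flags = 0,
        .hooks = { { "veth0", true }, { "veth1", true } },
        .nhooks = 2,
    };

    warn_count = 0;
    table_set_dormant(&t);
    if (fixed)
        netdev_release_fixed(&t, "veth0");
    else
        netdev_release_buggy(&t, "veth0");
    return warn_count;
}

int main(void)
{
    printf("unguarded path: %d spurious unregister(s)\n", run_scenario(false));
    printf("dormant-aware path: %d spurious unregister(s)\n", run_scenario(true));
    return 0;
}
```

The model deliberately keeps the hook list attached to the dormant table, which is what makes the unguarded release path find and re-unregister a hook that the dormant transition already removed; the guarded path only needs the flag check because the table's recorded state already tells it no hook is live.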
The operational impact is significant because the flaw can crash the system, particularly in environments with dynamic network device management or frequent network interface creation and destruction. Attackers could potentially exploit this by triggering rapid network device events in a controlled manner, causing system instability or denial of service. The vulnerability affects systems running kernel versions that include the problematic nf_tables implementation, particularly those using netfilter for packet filtering and manipulation. The issue is classified under CWE-362 (race conditions) and aligns with ATT&CK technique T1499.004, which covers network denial of service that destabilizes a system through kernel-level vulnerabilities. Systems that rely heavily on dynamic network configuration, or containerized environments where network interfaces are frequently created and destroyed, are most at risk.
Mitigation should focus on applying the patched kernel version that includes the fix for this vulnerability. The resolution makes the netdev release event path check the table dormant flag before attempting to unregister hooks, preventing the double-unregistration. Organizations should also monitor for kernel warning and panic messages related to the netfilter subsystem and consider network device lifecycle management policies that minimize rapid device creation and destruction. System administrators should ensure that kernel updates are applied promptly to address known vulnerabilities. The fix follows sound kernel practice: the event path consults the table's recorded state rather than assuming its hooks are still registered. Regular security audits of kernel modules and network filtering configurations can help identify race conditions and improper state transitions that could lead to similar vulnerabilities.
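As an added example of the monitoring suggested above (not code from the advisory or the kernel), the C program below scans a kernel log buffer for the signature in the summary: a WARNING line raised in __nf_unregister_net_hook whose following call trace passes through nf_tables_netdev_event. The positive sample is an excerpt of the trace quoted above; the negative sample is a constructed, unrelated warning. Names such as nf_warn_match and detect_nf_unregister_warning are this example's own.

```c
/* Detects the CVE-2024-36005 warning signature in a kernel log buffer
 * (e.g. the output of dmesg or a journal export). Added example, not
 * part of the advisory. */
#include <stdio.h>
#include <string.h>

struct nf_warn_match {
    int cpu;
    int pid;
    char comm[32];
};

/* Filled in by detect_nf_unregister_warning() on a positive match. */
static struct nf_warn_match last_match;

/* Excerpt of the kernel log quoted in the summary above. */
static const char *SAMPLE_LOG =
    "[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n"
    "[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n"
    "[524854.858869] Workqueue: netns cleanup_net\n"
    "[524854.859000] Call Trace:\n"
    "[524854.859006] <TASK>\n"
    "[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\n"
    "[524854.859661] notifier_call_chain+0x7d/0x140\n"
    "[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0\n";

/* Constructed, unrelated warning used as a negative sample. */
static const char *BENIGN_LOG =
    "[   12.000001] WARNING: CPU: 1 PID: 42 at drivers/example/example.c:10 example_probe+0x10/0x20\n"
    "[   12.000002] CPU: 1 PID: 42 Comm: modprobe Not tainted 6.9.0-rc3+ #365\n"
    "[   12.000003] Call Trace:\n"
    "[   12.000004] example_probe+0x10/0x20\n";

/* Returns 1 and fills last_match when the buffer holds a WARNING raised in
 * __nf_unregister_net_hook with nf_tables_netdev_event in the trace that
 * follows it; returns 0 otherwise. */
static int detect_nf_unregister_warning(const char *log)
{
    memset(&last_match, 0, sizeof(last_match));

    /* Walk every WARNING line in the buffer. */
    for (const char *w = strstr(log, "WARNING:"); w; w = strstr(w + 1, "WARNING:")) {
        const char *eol = strchr(w, '\n');
        size_t linelen = eol ? (size_t)(eol - w) : strlen(w);

        /* The faulting function must be named on the WARNING line itself. */
        const char *fn = strstr(w, "__nf_unregister_net_hook");
        if (!fn || (size_t)(fn - w) >= linelen)
            continue;

        /* The netdev event path must appear in the trace after it. */
        if (!strstr(w, "nf_tables_netdev_event"))
            continue;

        /* Pull process context: CPU/PID from the WARNING line, Comm from
         * the task line that follows. */
        sscanf(w, "WARNING: CPU: %d PID: %d", &last_match.cpu, &last_match.pid);
        const char *comm = strstr(w, "Comm: ");
        if (comm)
            sscanf(comm, "Comm: %31s", last_match.comm);
        return 1;
    }
    return 0;
}

int main(void)
{
    if (detect_nf_unregister_warning(SAMPLE_LOG))
        printf("nf_tables hook double-unregister warning: CPU %d PID %d (%s)\n",
               last_match.cpu, last_match.pid, last_match.comm);
    printf("benign sample: %s\n",
           detect_nf_unregister_warning(BENIGN_LOG) ? "matched" : "no match");
    return 0;
}
```

Requiring both the WARNING frame and the nf_tables_netdev_event frame keeps the rule from firing on unrelated netfilter warnings; the Comm and Workqueue fields (kworker, netns cleanup_net in the sample) are what an operator would use to tie a hit to interface or namespace teardown activity.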