CVE-2024-40993 in Linux

Summary

by MITRE • 07/12/2024

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: Fix suspicious rcu_dereference_protected()

When destroying all sets, we are either in pernet exit phase or are executing a "destroy all sets command" from userspace. The latter was taken into account in ip_set_dereference() (nfnetlink mutex is held), but the former was not. The patch adds the required check to rcu_dereference_protected() in ip_set_dereference().


Analysis

by VulDB Data Team • 09/17/2025

The vulnerability described in CVE-2024-40993 represents a critical issue within the Linux kernel's netfilter subsystem, specifically affecting the ipset functionality that manages network packet filtering and classification. This flaw exists in the interaction between the RCU (Read-Copy-Update) mechanism and the ipset data structure management during cleanup operations. The vulnerability stems from an inadequate consideration of execution contexts when performing RCU dereferencing operations, creating potential for memory corruption or system instability. The issue manifests particularly during the cleanup phase when all ipset structures are being destroyed, either through normal pernet module exit procedures or through explicit userspace commands.

The technical root cause involves improper handling of the rcu_dereference_protected() function call within the ipset subsystem. During the destruction of all sets, the kernel must distinguish between two distinct execution contexts: when the system is in the pernet exit phase where RCU grace periods may not be properly managed, and when userspace has issued a specific destroy command where appropriate locking mechanisms are already in place. The existing code correctly handled the userspace command scenario by ensuring proper locking through the nfnetlink mutex, but failed to account for the pernet exit scenario where such protections are not available. This oversight creates a dangerous race condition where RCU-protected data structures may be accessed without proper synchronization guarantees, potentially leading to use-after-free conditions or memory corruption.

The operational impact of this vulnerability extends beyond simple kernel panics or crashes, as it affects the fundamental stability and security of network filtering operations within Linux systems. Systems utilizing ipset for firewalling, traffic control, or network address translation may experience unexpected behavior when the kernel attempts to clean up ipset structures during shutdown or module unloading. Attackers could potentially exploit this vulnerability to cause denial of service conditions or, in more sophisticated scenarios, to escalate privileges by manipulating the kernel's memory management during cleanup operations. The vulnerability particularly affects systems running Linux kernels with netfilter and ipset functionality, which are common in enterprise network infrastructure, routers, and security appliances.

Mitigation strategies for this vulnerability require immediate kernel updates to the patched versions that properly handle the RCU dereference protection in both execution contexts. System administrators should prioritize patching affected systems, particularly those running network filtering services or security applications that rely heavily on ipset functionality. The implemented fix addresses the specific issue by adding the missing context check to the rcu_dereference_protected() call within ip_set_dereference(), so that the condition passed to it correctly reflects whether RCU protection is actually guaranteed in the current execution context. Organizations should also implement monitoring for unusual kernel behavior or system instability during network service shutdown procedures, as these may indicate exploitation attempts. The vulnerability aligns with the CWE-472 and CWE-476 categories, covering improper handling of external inputs and null pointer dereferences respectively, and potentially maps to ATT&CK techniques involving privilege escalation and denial of service through kernel-level vulnerabilities.
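The root-cause and fix paragraphs above describe a lockdep-style protection condition that was complete for the userspace "destroy all sets" path (nfnetlink mutex held) but not for the pernet exit path. The following C program is an added, userspace-only model of that condition written for this page; it is not the kernel's code, and every name in it (model_netns, nfnl_mutex_held, is_destroyed, protected_before_fix, protected_after_fix) is an assumption chosen for illustration. It shows why the pre-fix condition flags the pernet exit context as an unprotected dereference and why adding the teardown-phase check to the condition resolves that.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the two execution contexts named in the analysis.
 * Field names are assumptions for this example, not kernel identifiers. */
struct model_netns {
    bool nfnl_mutex_held; /* userspace command path: nfnetlink mutex is held */
    bool is_destroyed;    /* pernet exit path: all sets are being torn down */
};

/* Protection condition modelled on the pre-fix behaviour described above:
 * only the mutex counts as a valid reason to dereference without RCU read lock. */
static bool protected_before_fix(const struct model_netns *ns)
{
    return ns->nfnl_mutex_held;
}

/* Protection condition with the additional context check the fix describes:
 * the exclusive teardown phase is also a valid reason. */
static bool protected_after_fix(const struct model_netns *ns)
{
    return ns->nfnl_mutex_held || ns->is_destroyed;
}

/* Stand-in for rcu_dereference_protected(): when the supplied condition does
 * not hold, lockdep would report suspicious RCU usage. Returns 1 if the
 * dereference would be flagged in this context, 0 otherwise. */
static int model_dereference(const struct model_netns *ns,
                             bool (*cond)(const struct model_netns *))
{
    return cond(ns) ? 0 : 1;
}

/* Evaluate one condition in both contexts and return how many are flagged. */
static int flagged_contexts(bool (*cond)(const struct model_netns *))
{
    const struct model_netns userspace_cmd = { .nfnl_mutex_held = true,  .is_destroyed = false };
    const struct model_netns pernet_exit   = { .nfnl_mutex_held = false, .is_destroyed = true  };

    return model_dereference(&userspace_cmd, cond) +
           model_dereference(&pernet_exit, cond);
}

int main(void)
{
    /* Before the fix only the pernet exit context is flagged: 1 */
    printf("before fix: %d context(s) flagged\n", flagged_contexts(protected_before_fix));
    /* After the fix neither context is flagged: 0 */
    printf("after fix:  %d context(s) flagged\n", flagged_contexts(protected_after_fix));
    return 0;
}
```

The point of the model is that rcu_dereference_protected() is only as safe as the condition handed to it: a condition that enumerates fewer exclusive-access situations than actually exist yields a warning in the missing one, and a condition that is too permissive silently hides real races, so the check added by the fix must name exactly the contexts in which concurrent access is impossible.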

Responsible

Linux

Reservation

07/12/2024

Disclosure

07/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00276

KEV

no

Activities

very low

Sources
