CVE-2024-49952 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: prevent nf_skb_duplicated corruption

syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write per-cpu variable nf_skb_duplicated in an unsafe way [1].

Disabling preemption as hinted by the splat is not enough, we have to disable soft interrupts as well.

[1]
BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
 nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
 nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
 nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
 nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
 NF_HOOK_COND include/linux/netfilter.h:302 [inline]
 ip_output+0x185/0x230 net/ipv4/ip_output.c:433
 ip_local_out net/ipv4/ip_output.c:129 [inline]
 ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
 udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
 udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
 ___sys_sendmsg net/socket.c:2651 [inline]
 __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
 __do_sys_sendmmsg net/socket.c:2766 [inline]
 __se_sys_sendmmsg net/socket.c:2763 [inline]
 __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ce4f7def9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68


Analysis

by VulDB Data Team • 03/18/2026

CVE-2024-49952 resides in the Linux kernel's netfilter subsystem, in the packet duplication helpers nf_dup_ipv4() and nf_dup_ipv6() that back the nf_tables dup statement and the iptables TEE target. Both helpers use the per-CPU boolean nf_skb_duplicated as a recursion guard: the flag is set while the copied packet is pushed through ip_local_out(), so that when the copy traverses the same hooks again the dup rule recognises it and does not duplicate it a second time. The flaw is that the helpers wrote this per-CPU variable with __this_cpu_write() from a context in which that write is not safe. syzbot found the problem with the kernel's preemption debugging enabled; it is a concurrency bug in the handling of the guard, not an out-of-bounds memory access.

The root cause is the use of __this_cpu_write(), the per-CPU accessor variant that assumes the caller has already disabled preemption, in a path that runs with preemption enabled. The trace shows that path: udp_sendmsg() from an ordinary sendmmsg() system call, through ip_output() into nft_do_chain(), where a dup expression calls nf_dup_ipv4(). That is process context, so the task may be preempted and rescheduled on another CPU between the write that sets the flag and the write that clears it, and a softirq may run on the same CPU inside that window. The check_preemption_disabled() frame in lib/smp_processor_id.c is the CONFIG_DEBUG_PREEMPT check that produced the splat. The weakness is classified as CWE-362 (concurrent execution using a shared resource with improper synchronization): two contexts can operate on the same CPU's guard without coordination.

The practical consequence is corruption of the guard's value rather than of arbitrary memory. If the task sets the flag on CPU 0, is migrated, and clears it on CPU 1, CPU 0 is left with the flag permanently set and every later dup rule evaluated on that CPU silently returns without producing a copy, while CPU 1's flag is cleared underneath whatever duplication that CPU was in the middle of, which removes the recursion protection for that copy. A softirq that enters the same rule on the original CPU during the window either skips its own duplication because the flag is already set, or clears the flag underneath the interrupted process context when its own duplication finishes. Either way the ruleset no longer does what the administrator configured, which matters when dup or TEE is used to mirror traffic to an IDS or a logging host, and a lost guard can let a copy be duplicated again. Only systems with an active dup or TEE rule are affected, and the path is reachable by any local process whose traffic matches such a rule, as the syzbot trace (a plain sendmmsg() from user space) shows. The public description and the fix point to incorrect duplication decisions and availability effects, not to privilege escalation.

Mitigation is to update to a kernel that carries the fix. The patch keeps the two writes but brackets them, together with the ip_local_out() call between them, in local_bh_disable() and local_bh_enable(); that disables softirq processing on the CPU and, on non-PREEMPT_RT kernels, preemption as well, so the task can neither be migrated nor interrupted by a softirq while the guard is held. Disabling preemption alone, as the splat hints, is not enough because a softirq running the same dup path on that CPU would still see the flag or clear it. Until the update is deployed, administrators can inspect their rulesets (nft list ruleset, iptables-save) for dup and TEE rules and decide whether mirroring can be paused. The general lesson for kernel code review is the pattern itself: __this_cpu_* accessors used outside a region where preemption, or where softirqs can also reach the variable, bottom halves have been disabled.
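The guard race and the fix described in the two paragraphs above, as an added example that is neither kernel code nor VulDB's: a user-space C model of the nf_dup_ipv4() guard sequence, with a scenario hook that stands in for the scheduler migrating the task between the two per-CPU writes. Everything suffixed _model, the two-CPU count and the scenario itself are assumptions made for the example; the guard check, the set/send/clear sequence and the local_bh_disable()/local_bh_enable() bracket added by the fix are the only parts mirrored from the kernel.

```c
/*
 * Added example: user-space model of the nf_skb_duplicated recursion guard in
 * nf_dup_ipv4()/nf_dup_ipv6(). Not kernel code. Names ending in _model, the
 * two-CPU setup and the migration scenario are assumptions for this example.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS_MODEL 2

enum dup_result_model { DUP_SENT, DUP_SKIPPED };

/* Per-CPU recursion guard, one slot per simulated CPU (the kernel's
 * DEFINE_PER_CPU(bool, nf_skb_duplicated)). */
static bool nf_skb_duplicated_model[NR_CPUS_MODEL];

/* CPU the current task runs on; a migration changes it. */
static int current_cpu_model;

/* Nesting depth of local_bh_disable(); while > 0 the task is pinned to its
 * CPU and no softirq can run on it. */
static int bh_depth_model;

static void local_bh_disable_model(void) { bh_depth_model++; }
static void local_bh_enable_model(void)  { bh_depth_model--; }

/* Stand-in for ip_local_out(): in process context the real call can be
 * preempted and the scheduler may resume the task on another CPU. The model
 * lets the scenario request that migration; it is honoured only when nothing
 * pins the task. */
static void ip_local_out_model(bool preempt_and_migrate)
{
    if (preempt_and_migrate && bh_depth_model == 0)
        current_cpu_model = (current_cpu_model + 1) % NR_CPUS_MODEL;
}

/* nf_dup_ipv4() reduced to its guard handling. fixed=false mirrors the
 * pre-patch sequence; fixed=true wraps it in local_bh_disable/enable. */
static enum dup_result_model nf_dup_model(bool preempt_and_migrate, bool fixed)
{
    if (nf_skb_duplicated_model[current_cpu_model])
        return DUP_SKIPPED;                   /* this_cpu_read() guard hit */

    if (fixed)
        local_bh_disable_model();

    nf_skb_duplicated_model[current_cpu_model] = true;   /* __this_cpu_write(.., true) */
    ip_local_out_model(preempt_and_migrate);             /* duplicate leaves here */
    nf_skb_duplicated_model[current_cpu_model] = false;  /* __this_cpu_write(.., false) */

    if (fixed)
        local_bh_enable_model();
    return DUP_SENT;
}

/* Number of CPUs whose guard is still set although no duplicate is in flight. */
static int stuck_guards_model(void)
{
    int n = 0;
    for (int i = 0; i < NR_CPUS_MODEL; i++)
        n += nf_skb_duplicated_model[i];
    return n;
}

/* Scenario: a dup rule fires for a packet sent from process context on CPU 0,
 * the task is preempted inside ip_local_out() and resumes on CPU 1, then a
 * later packet on CPU 0 hits the same rule. Returns that later packet's fate. */
static enum dup_result_model run_scenario_model(bool fixed)
{
    memset(nf_skb_duplicated_model, 0, sizeof nf_skb_duplicated_model);
    bh_depth_model = 0;
    current_cpu_model = 0;

    nf_dup_model(true, fixed);     /* first packet; migration attempted mid-send */

    current_cpu_model = 0;         /* a later packet is handled on CPU 0 again */
    return nf_dup_model(false, fixed);
}

int main(void)
{
    enum dup_result_model r;

    r = run_scenario_model(false);
    printf("pre-fix : later packet on CPU0 %s, stuck guards = %d\n",
           r == DUP_SENT ? "duplicated" : "NOT duplicated", stuck_guards_model());

    r = run_scenario_model(true);
    printf("patched : later packet on CPU0 %s, stuck guards = %d\n",
           r == DUP_SENT ? "duplicated" : "NOT duplicated", stuck_guards_model());
    return 0;
}
```

In the pre-fix run the first task sets CPU 0's guard, resumes on CPU 1 and clears CPU 1's guard instead, so CPU 0 is left stuck and the later packet is silently not duplicated; in the patched run the bh bracket keeps the task on CPU 0 and both guards end up clear. The model covers only the migration half of the window; the softirq half is the same window entered from interrupt context on the same CPU, which the same local_bh_disable() bracket closes.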

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00277

KEV

no

Activities

very low

Sources
