CVE-2024-26643 Overview
CVE-2024-26643 is a race condition vulnerability in the Linux kernel's netfilter nf_tables subsystem. The vulnerability exists in the handling of anonymous sets with timeouts, where the rhashtable set garbage collector (gc) runs asynchronously and can collect elements from anonymous sets while they are being released from the commit path. This race condition can lead to denial of service conditions on affected systems.
Critical Impact
Local attackers with low privileges can exploit this race condition to cause system instability or denial of service by triggering improper garbage collection of nf_tables set elements.
Affected Products
- Linux Kernel (multiple versions)
- Debian Linux 10.0
- Systems running netfilter nf_tables with anonymous sets and timeouts
Discovery Timeline
- 2024-03-21 - CVE-2024-26643 published to NVD
- 2025-03-13 - Last updated in NVD database
Technical Details for CVE-2024-26643
Vulnerability Analysis
This vulnerability resides in the Linux kernel's netfilter nf_tables implementation, specifically in how anonymous sets with timeouts are handled during the unbinding process. The core issue is a race condition (CWE-667: Improper Locking) between two concurrent operations: the asynchronous rhashtable garbage collector and the commit path that releases anonymous sets.
When an anonymous set with a timeout configuration is being released through the commit path, the asynchronous garbage collector may simultaneously attempt to collect elements from that same set. This creates a window where the garbage collector can access set elements that are in an inconsistent state, potentially leading to system instability.
The vulnerability was originally reported by Mingi Cho in a different path on Linux kernel version 6.1.x using a pipapo set with low timeouts. While the specific upstream path was addressed in commit 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout"), the underlying race condition in the anonymous set handling remained exploitable.
Root Cause
The root cause stems from missing synchronization between the garbage collection mechanism and the set unbinding process. When anonymous sets with timeouts are being released, the code did not properly mark these sets to prevent the asynchronous garbage collector from attempting to process them. This absence of a "dead" flag check allowed the garbage collector to race with the release operation.
The fix introduces a dead flag that is set on anonymous sets during unbinding. The flag tells the asynchronous garbage collector to skip sets that are in the process of being released. The same flag is also set on the abort path, because future plans to accelerate that path by releasing objects via a workqueue would expose the same race.
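The following is an added, simplified user-space model of the dead-flag check described above; it is not kernel code, and the structure, function and flag names (NFT_SET_DEAD, unbind_anonymous_set, rhash_gc) are illustrative stand-ins for the real nf_tables internals. A released element that the gc still touches is counted instead of being dereferenced, so the model shows the logic of the race and of the fix without reproducing a crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the unbind/gc interaction (assumption: these names
 * and flag values are illustrative, not the kernel's own definitions). */
#define NFT_SET_ANONYMOUS 0x1u
#define NFT_SET_TIMEOUT   0x2u
#define NFT_SET_DEAD      0x4u   /* stands in for the kernel's "dead" marker */

struct elem {
    uint64_t expires;   /* expiry time in model ticks */
    bool released;      /* true once freed by the commit path or the gc */
};

struct nft_set {
    const char *name;
    unsigned flags;
    struct elem *elems;
    size_t nelems;
};

/* Commit-path release of an anonymous set. With mark_dead == true this
 * models the fix: the set is flagged before its elements go away. */
static void unbind_anonymous_set(struct nft_set *set, bool mark_dead)
{
    if (!(set->flags & NFT_SET_ANONYMOUS))
        return;
    if (mark_dead)
        set->flags |= NFT_SET_DEAD;
    for (size_t i = 0; i < set->nelems; i++)
        set->elems[i].released = true;
}

/* Model of one asynchronous rhashtable gc pass over a set. Returns how many
 * already-released elements it touched; in the real kernel each such touch
 * is a use-after-free, so any value above zero is the race. */
static size_t rhash_gc(struct nft_set *set, uint64_t now, bool check_dead)
{
    size_t touched_released = 0;

    if (check_dead && (set->flags & NFT_SET_DEAD))
        return 0;   /* patched behaviour: skip a set that is being released */

    for (size_t i = 0; i < set->nelems; i++) {
        if (set->elems[i].released) {
            touched_released++;
            continue;
        }
        if (set->elems[i].expires <= now)
            set->elems[i].released = true;  /* expired: gc frees it */
    }
    return touched_released;
}

/* Scenario: an anonymous set with three timed elements is unbound while the
 * gc runs at tick 8. Returns the number of released elements the gc touched. */
static size_t run_unbind_race(bool patched)
{
    struct elem elems[3] = { {5, false}, {10, false}, {15, false} };
    struct nft_set set = { "anon-timeout-set",
                           NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT, elems, 3 };

    unbind_anonymous_set(&set, patched);
    return rhash_gc(&set, 8, patched);
}

/* Same set with no unbind in flight: the gc only expires the one stale element. */
static size_t run_normal_gc(void)
{
    struct elem elems[3] = { {5, false}, {10, false}, {15, false} };
    struct nft_set set = { "anon-timeout-set",
                           NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT, elems, 3 };
    size_t expired = 0;

    rhash_gc(&set, 8, true);
    for (size_t i = 0; i < 3; i++)
        expired += elems[i].released;
    return expired;
}

int main(void)
{
    printf("unpatched gc touched %zu released elements\n", run_unbind_race(false));
    printf("patched gc touched %zu released elements\n", run_unbind_race(true));
    printf("normal gc expired %zu elements\n", run_normal_gc());
    return 0;
}
```

The ordering is the point: the flag must be set before the elements are released, so that a gc pass that starts after the flag write sees it and bails out, which is why the fix places the write on the unbind and abort paths rather than in the gc itself.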
Attack Vector
The attack requires local access to the system with low privileges. An attacker would need the ability to interact with the netfilter subsystem, specifically creating and manipulating nf_tables rules with anonymous sets configured with short timeouts. By carefully timing the creation and destruction of these sets, an attacker could trigger the race condition.
The exploitation scenario involves:
- Creating nf_tables rules with anonymous sets that have timeout configurations
- Rapidly unbinding these sets to trigger the commit path release
- Timing the operations to coincide with the garbage collector's asynchronous execution
- Exploiting the race window to cause the garbage collector to access invalid memory states
While this vulnerability does not allow for code execution or information disclosure, successful exploitation results in denial of service through system crashes or kernel panics.
Detection Methods for CVE-2024-26643
Indicators of Compromise
- Unexpected kernel panics or system crashes related to netfilter operations
- Kernel log messages indicating nf_tables or netfilter subsystem errors
- System instability when manipulating firewall rules with timeout configurations
- Stack traces referencing nf_tables garbage collection functions
Detection Strategies
- Monitor kernel logs for panic messages or oops referencing nf_tables subsystem components
- Implement audit rules for netfilter table creation and modification operations
- Use kernel tracing to monitor rhashtable garbage collection activities
- Deploy runtime verification tools to detect race conditions in kernel operations
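As an added example for the first detection strategy (it is not part of the original page or of any kernel tooling), the program below scans kernel log lines for oops or panic markers and attributes a crash to nf_tables when the lines that follow the marker reference nf_tables or nft_ symbols. The log lines are constructed for this example; in practice the input would be the output of dmesg or journalctl -k, and the marker list and window size are assumptions to tune for the environment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample kernel log lines for this example (not captured from a
 * real system). */
static const char *sample_log[] = {
    "[  120.001] nf_conntrack: default automatic helper assignment has been turned off for security reasons",
    "[  130.512] BUG: unable to handle page fault for address: ffff8881a2b3c000",
    "[  130.513] RIP: 0010:nft_rhash_gc+0x1a2/0x3f0 [nf_tables]",
    "[  130.514] Call Trace:",
    "[  130.515]  process_one_work+0x1e5/0x3b0",
    "[  200.000] systemd[1]: Started session 3 of user alice.",
    "[  310.777] Kernel panic - not syncing: Fatal exception in interrupt",
    "[  311.002] systemd-logind[812]: Removed session 3.",
};

struct scan_result {
    int crashes;      /* crash/oops/panic markers seen */
    int nft_crashes;  /* of those, crashes whose trace references nf_tables */
};

/* Markers that open a crash window (assumed list; extend for your kernels). */
static bool is_crash_marker(const char *line)
{
    static const char *markers[] = {
        "BUG:", "Oops", "Kernel panic", "general protection fault", "KASAN:",
    };
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (strstr(line, markers[i]))
            return true;
    return false;
}

static bool mentions_nf_tables(const char *line)
{
    return strstr(line, "nf_tables") != NULL || strstr(line, "nft_") != NULL;
}

/* Walk the log once. After each crash marker, the marker line and the next
 * `window` lines are inspected for nf_tables references; a crash is counted
 * as nf_tables-related at most once. */
struct scan_result scan_kernel_log(const char **lines, size_t n, size_t window)
{
    struct scan_result r = {0, 0};
    size_t remaining = 0;     /* lines still inside the current crash window */
    bool attributed = false;  /* current crash already counted as nf_tables */

    for (size_t i = 0; i < n; i++) {
        if (is_crash_marker(lines[i])) {
            r.crashes++;
            remaining = window + 1;   /* include the marker line itself */
            attributed = false;
        }
        if (remaining > 0) {
            if (!attributed && mentions_nf_tables(lines[i])) {
                r.nft_crashes++;
                attributed = true;
            }
            remaining--;
        }
    }
    return r;
}

struct scan_result scan_sample(void)
{
    return scan_kernel_log(sample_log, sizeof sample_log / sizeof sample_log[0], 4);
}

int main(void)
{
    struct scan_result r = scan_sample();
    printf("crash markers: %d, attributed to nf_tables: %d\n", r.crashes, r.nft_crashes);
    return r.nft_crashes > 0 ? 1 : 0;   /* non-zero exit lets a cron job alert */
}
```

On the sample input the page-fault BUG is attributed to nf_tables because the RIP line names nft_rhash_gc, while the later panic is not, since nothing in its window references netfilter; that distinction is what keeps a generic "kernel panic" alert from being mistaken for this issue.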
Monitoring Recommendations
- Enable and review kernel panic logs and crash dumps for nf_tables-related failures
- Configure alerting for system instability patterns on critical infrastructure
- Monitor netfilter configuration changes and correlate with system stability events
- Implement host-based intrusion detection to track firewall rule manipulation patterns
How to Mitigate CVE-2024-26643
Immediate Actions Required
- Update the Linux kernel to a patched version immediately on all affected systems
- Review and restrict access to netfilter/nf_tables administration capabilities
- Monitor systems for signs of instability or attempted exploitation
- Consider temporary workarounds if immediate patching is not feasible
Patch Information
The Linux kernel development team has released patches across multiple stable kernel branches. The fix sets the dead flag on anonymous sets during unbinding to prevent the asynchronous garbage collector from racing with the release operation.
Patched versions are available through the following kernel commits:
- Kernel Commit 291cca3
- Kernel Commit 406b024
- Kernel Commit 5224afc
- Kernel Commit 552705a
- Kernel Commit b2d6f9a
- Kernel Commit d75a589
- Kernel Commit e2d45f4
- Kernel Commit edcf1a3
Debian users should refer to the Debian LTS Security Announcement for distribution-specific updates.
Workarounds
- Restrict access to netfilter administration interfaces to trusted users only
- Avoid using anonymous sets with timeout configurations until patching is complete
- Implement namespace isolation to limit exposure to the vulnerable subsystem
- Consider using alternative firewall configurations that do not rely on nf_tables timeout features
# Restrict netfilter administration to root only
# Verify whether the firewall binaries carry file capabilities (no output means none)
getcap /sbin/iptables
getcap /sbin/nft
# Review users granted capabilities through pam_cap (names in this file are lowercase)
grep -iE 'cap_net_admin|cap_sys_admin' /etc/security/capability.conf
# Limit nftables access through systemd service hardening
# Add to the [Service] section of the unit file; this removes CAP_NET_ADMIN
# from the service's capability bounding set:
# CapabilityBoundingSet=~CAP_NET_ADMIN
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.