CVE-2024-26924: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: do not free live element

Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo:

    add_elem("00000000") timeout 100 ms
    ...
    add_elem("0000000X") timeout 100 ms
    del_elem("0000000X") <---------------- delete one that was just added
    ...
    add_elem("00005000") timeout 100 ms

    1) nft_pipapo_remove() removes element 0000000X

Then, KASAN shows a splat.

Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element.

Removal happens in two steps: first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map.

The _remove function does not work correctly if we have more than one element that shares the same key. This can happen if we insert an element into a set when the set already holds an element with the same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such a case it's possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element; it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure; this can result in a crash when such an element is retrieved during lookup (stale pointer).

Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching.

Add a bug/warn trap at the end of the function as well: the remove function must not ever be called with an invisible/unreachable/non-existent element.

v2: avoid unneeded temporary variable (Stefano)
AI Analysis
Technical Summary
CVE-2024-26924 is a medium-severity vulnerability affecting the Linux kernel's netfilter subsystem, specifically the nft_set_pipapo component responsible for managing sets of network filtering elements. The vulnerability arises from improper handling of element removal when multiple elements share the same key, particularly under rapid add/remove operations on elements with timeouts. Removal is a two-step process: the element is first marked inactive in the next generation, and then it is unmapped from the set. If several elements carry the same key, for example because an older element with that key has timed out or is not active in the next generation, the removal function may unmap the wrong one. The non-deactivated element is then leaked (unreachable), while the deactivated element, which will be freed later, remains reachable in the data structure. A later lookup that retrieves it follows a stale pointer, a use-after-free condition that crashes the kernel. The root cause is a missing verification that the fully matching key maps to the element marked inactive before it is unmapped; the patch adds that check (continuing the search otherwise) and a bug/warn trap so that removal is never attempted on an invisible or non-existent element. The vulnerability is identified as CWE-476 (NULL Pointer Dereference) and has a CVSS 3.1 base score of 5.9, reflecting a network attack vector with high attack complexity, no privileges or user interaction required, and an impact limited to availability (kernel crashes). No known exploits are currently reported in the wild. The affected versions correspond to specific Linux kernel commits prior to the fix published in April 2024.
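To make the two-step removal described in the commit message and the summary above concrete, here is a constructed C model added for this page (not kernel code): it replays the reported pattern against a vulnerable remove that unmaps the first key match and a checked remove that requires the matching rule to map to the deactivated element. The struct layout, the rule array and the stale_after_remove() driver are assumptions; only the add/remove pattern and the added check come from the text.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed toy model (not kernel code). A rule maps a key to an
 * element; two rules can share a key when an older element with that
 * key has timed out but is still mapped in the set. */
struct elem { const char *key; bool active; };
struct rule { struct elem *e; bool mapped; };

/* Vulnerable shape: unmap the first rule whose key matches, regardless
 * of which element step one actually deactivated. */
static void unmap_first_match(struct rule *r, int n, const char *key)
{
    for (int i = 0; i < n; i++) {
        if (r[i].mapped && strcmp(r[i].e->key, key) == 0) {
            r[i].mapped = false;
            return;
        }
    }
}

/* Fixed shape: the fully matching key must map to the element marked
 * inactive; otherwise keep searching. Returning false corresponds to the
 * point where the kernel patch places its bug/warn trap. */
static bool unmap_deactivated(struct rule *r, int n, struct elem *target)
{
    for (int i = 0; i < n; i++) {
        if (r[i].mapped && r[i].e == target &&
            strcmp(r[i].e->key, target->key) == 0) {
            r[i].mapped = false;
            return true;
        }
    }
    return false;
}

/* Replays the report: add X, let it time out, add X again, delete the
 * fresh X. Returns true when the deactivated (soon freed) element is
 * still reachable afterwards, i.e. the stale pointer the report describes. */
bool stale_after_remove(bool fixed)
{
    struct elem old = { "0000000X", false };   /* timed out, still mapped */
    struct elem fresh = { "0000000X", true };  /* the element being deleted */
    struct rule rules[2] = { { &old, true }, { &fresh, true } };
    fresh.active = false;                      /* step one: deactivate */
    if (fixed)
        unmap_deactivated(rules, 2, &fresh);   /* step two, with the check */
    else
        unmap_first_match(rules, 2, fresh.key); /* step two, first key match */
    return rules[1].mapped;                    /* fresh still reachable? */
}
```

In the vulnerable path rules[0] (the timed-out element) is unmapped and leaked while the deactivated element stays mapped; the checked path unmaps rules[1] as intended.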
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with netfilter sets configured in environments that perform rapid, back-to-back add/remove operations on network filtering elements. The impact is a denial-of-service condition due to kernel crashes, which can disrupt critical network functions, firewall operations, or other security controls relying on nftables. This can lead to temporary loss of availability of network services, impacting business continuity, especially in sectors relying heavily on Linux-based infrastructure such as telecommunications, cloud service providers, and critical infrastructure operators. While the vulnerability does not directly compromise confidentiality or integrity, the resulting instability could be exploited as part of a broader attack chain to degrade defenses or cause operational disruptions. Given the medium severity and absence of known exploits, the immediate risk is moderate but warrants timely patching to prevent potential exploitation in complex network environments.
Mitigation Recommendations
European organizations should promptly update their Linux kernels to versions containing the fix for CVE-2024-26924. Specifically, they should apply the latest stable kernel releases or backported patches from their Linux distribution vendors that address the nft_set_pipapo removal logic. Network administrators should audit nftables configurations to identify sets with high-frequency add/remove operations and consider temporarily reducing such operations or implementing rate limiting until patches are applied. Monitoring kernel logs for KASAN (Kernel Address Sanitizer) splats or related crash signatures can help detect attempts to trigger this vulnerability. Additionally, organizations should enforce strict kernel update policies, especially on critical network infrastructure and firewall devices, and validate kernel integrity post-update. For environments where immediate patching is not feasible, isolating vulnerable systems from untrusted networks or restricting access to network management interfaces can reduce exposure. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential denial-of-service incidents.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.194Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2e52
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 1:12:07 PM
Last updated: 8/14/2025, 11:09:39 AM