
CVE-2024-27012: Vulnerability in Linux (Linux kernel)

Severity: High
Type: Vulnerability
CVE: CVE-2024-27012
Published: Wed May 01 2024 (05/01/2024, 05:29:37 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: restore set elements when delete set fails

From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation; this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements.

Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118]  <TASK>
[43929.458121]  ? __warn+0x9f/0x1a0
[43929.458127]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458188]  ? report_bug+0x1b1/0x1e0
[43929.458196]  ? handle_bug+0x3c/0x70
[43929.458200]  ? exc_invalid_op+0x17/0x40
[43929.458211]  ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]
[43929.458271]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458332]  nft_mapelem_deactivate+0x24/0x30 [nf_tables]
[43929.458392]  nft_rhash_walk+0xdd/0x180 [nf_tables]
[43929.458453]  ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]
[43929.458512]  ? rb_insert_color+0x2e/0x280
[43929.458520]  nft_map_deactivate+0xdc/0x1e0 [nf_tables]
[43929.458582]  ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]
[43929.458642]  ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]
[43929.458701]  ? __rcu_read_unlock+0x46/0x70
[43929.458709]  nft_delset+0xff/0x110 [nf_tables]
[43929.458769]  nft_flush_table+0x16f/0x460 [nf_tables]
[43929.458830]  nf_tables_deltable+0x501/0x580 [nf_tables]

AI-Powered Analysis

Last updated: 06/28/2025, 02:55:48 UTC

Technical Analysis

CVE-2024-27012 is a vulnerability identified in the Linux kernel's netfilter subsystem, specifically within the nftables implementation. The issue arises in the handling of set elements during the deletion of a set. When a delete set operation fails, the function nft_mapelem_activate() is responsible for restoring reference counters to their original state. However, the existing set iterator logic incorrectly skips inactive elements rather than active ones during this abort path, leading to improper restoration of the internal state. This flaw can cause memory leaks and potentially kernel warnings or crashes, as evidenced by the kernel warning trace in the description above. The vulnerability stems from the logic that toggles the 'next generation' bit for elements when a delete set command is invoked but fails to correctly restore this bit during the abort path. The patch corrects this by moving the inactive element check to the iterator callback and reversing the logic for the activate case to skip active elements instead. This ensures proper cleanup and state restoration, preventing memory leaks and kernel instability. The vulnerability affects multiple Linux kernel versions, as indicated by the various commit hashes listed. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with nftables enabled and actively used for network filtering and firewalling. Exploitation could lead to kernel memory leaks and instability, potentially causing denial of service (DoS) conditions due to kernel warnings or crashes. This could disrupt critical network services, impacting availability and operational continuity. While there is no indication of direct privilege escalation or remote code execution, the instability could be leveraged in complex attack chains or targeted attacks against network infrastructure. Organizations relying on Linux-based firewalls, routers, or servers with nftables for traffic filtering are particularly at risk. The impact is more significant in environments where uptime and network reliability are critical, such as financial institutions, telecommunications, and critical infrastructure sectors prevalent in Europe.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should promptly apply the official Linux kernel patches that address CVE-2024-27012 once available from their Linux distribution vendors. Until patches are applied, organizations should consider the following specific actions:

1) Audit and monitor nftables usage to identify if vulnerable kernel versions are in use and if nftables sets are actively manipulated.
2) Limit administrative access to systems managing nftables configurations to reduce the risk of triggering the vulnerability.
3) Implement kernel crash and memory leak monitoring to detect early signs of exploitation or instability.
4) Where feasible, temporarily disable or reduce reliance on nftables sets deletion operations in critical systems until patched.
5) Coordinate with Linux distribution vendors for backported fixes and security advisories.
6) Test patches in staging environments to ensure stability before production deployment.

These steps go beyond generic advice by focusing on nftables-specific operational controls and monitoring.
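As an added example (not part of the CVE record, the kernel patch, or the analysis above), the following Python script implements item 3 for this specific issue: it scans dmesg-style kernel log lines for a WARNING raised at include/net/netfilter/nf_tables.h whose call trace passes through the set-deletion path (nft_delset, nft_flush_table, nf_tables_deltable), which is the signature shown in the splat in the description. The sample log embedded in it is constructed from that splat plus an unrelated, made-up warning that the scanner must ignore; the regexes, function names and the way the call trace is delimited are assumptions of this example, not something the CVE text specifies.

```python
"""Scan kernel log lines for the nf_tables set-deletion abort warning
described in CVE-2024-27012. Constructed example, not from the CVE record."""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed dmesg-style sample: the first block is modelled on the splat in
# the CVE description; the second block is a made-up, unrelated warning.
SAMPLE_DMESG = """\
[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458114] Call Trace:
[43929.458118]  <TASK>
[43929.458121]  ? __warn+0x9f/0x1a0
[43929.458332]  nft_mapelem_deactivate+0x24/0x30 [nf_tables]
[43929.458392]  nft_rhash_walk+0xdd/0x180 [nf_tables]
[43929.458520]  nft_map_deactivate+0xdc/0x1e0 [nf_tables]
[43929.458709]  nft_delset+0xff/0x110 [nf_tables]
[43929.458769]  nft_flush_table+0x16f/0x460 [nf_tables]
[43929.458830]  nf_tables_deltable+0x501/0x580 [nf_tables]
[43929.458900]  </TASK>
[50001.000000] WARNING: CPU: 2 PID: 77 at drivers/example/placeholder.c:10 some_other_fn+0x10/0x20
[50001.000100] Call Trace:
[50001.000200]  <TASK>
[50001.000300]  other_fn+0x1/0x2
[50001.000400]  </TASK>
"""

# Matches the WARNING header line and captures timestamp, CPU, PID, source
# location and the symbol the warning fired in (assumed dmesg format).
WARNING_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) "
    r"at (?P<loc>\S+) (?P<sym>[A-Za-z_][\w.]*)\+0x"
)
# One call-trace frame, with or without the '?' (unreliable frame) marker.
FRAME_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?:\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x")
TRACE_END = "</TASK>"

# Source file the warning in the CVE splat fires from.
NF_TABLES_HEADER = "include/net/netfilter/nf_tables.h"
# Functions that appear on the set-deletion path in the CVE splat.
SET_DELETE_PATH = ("nft_delset", "nft_flush_table", "nf_tables_deltable")


def iter_warnings(lines: List[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line index, parsed fields) for every WARNING header line."""
    for idx, line in enumerate(lines):
        m = WARNING_RE.match(line)
        if m:
            yield idx, m.groupdict()


def call_trace(lines: List[str], start: int) -> List[str]:
    """Collect frame symbols of the 'Call Trace:' block that follows line `start`.

    Stops at </TASK> or at the next 'cut here' marker, so one warning's trace
    is never attributed to the next warning."""
    syms: List[str] = []
    in_trace = False
    for line in lines[start + 1:]:
        if "cut here" in line:
            break
        if "Call Trace:" in line:
            in_trace = True
            continue
        if not in_trace:
            continue
        if TRACE_END in line:
            break
        m = FRAME_RE.match(line)
        if m:
            syms.append(m.group("sym"))
    return syms


def find_nft_set_delete_warnings(text: str) -> List[dict]:
    """Return warnings that fired in nf_tables.h and whose trace passes
    through the set-deletion path, i.e. the CVE-2024-27012 splat pattern."""
    lines = text.splitlines()
    hits = []
    for idx, w in iter_warnings(lines):
        if not w["loc"].startswith(NF_TABLES_HEADER):
            continue
        trace = call_trace(lines, idx)
        if not any(fn in trace for fn in SET_DELETE_PATH):
            continue
        hits.append({
            "timestamp": float(w["ts"]),
            "cpu": int(w["cpu"]),
            "pid": int(w["pid"]),
            "symbol": w["sym"],
            "trace": trace,
        })
    return hits


if __name__ == "__main__":
    for hit in find_nft_set_delete_warnings(SAMPLE_DMESG):
        print(f"[{hit['timestamp']}] nf_tables set-delete warning in "
              f"{hit['symbol']} (PID {hit['pid']}): {' <- '.join(hit['trace'])}")
```

Feeding the output of dmesg or the kernel journal of a fleet host into find_nft_set_delete_warnings() flags the pattern from the description while ignoring unrelated kernel warnings. A hit is evidence that the set-deletion abort path failed to restore state on a kernel that still has the bug, which is a prompt to prioritise the vendor patch for that host; a patched kernel should not produce it.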


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.208Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddb9f

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 2:55:48 AM

Last updated: 8/16/2025, 8:51:41 PM

