CVE-2024-27018: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: skip conntrack input hook for promisc packets For historical reasons, when bridge device is in promisc mode, packets that are directed to the taps follow bridge input hook path. This patch adds a workaround to reset conntrack for these packets. Jianbo Liu reports warning splats in their test infrastructure where cloned packets reach the br_netfilter input hook to confirm the conntrack object. Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has reached the input hook because it is passed up to the bridge device to reach the taps. [ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core [ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19 [ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1 [ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202 [ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000 [ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000 [ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003 [ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000 [ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800 [ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000 [ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0 [ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 57.585440] Call Trace: [ 57.585721] <IRQ> [ 57.585976] ? __warn+0x7d/0x130 [ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.586811] ? report_bug+0xf1/0x1c0 [ 57.587177] ? handle_bug+0x3f/0x70 [ 57.587539] ? exc_invalid_op+0x13/0x60 [ 57.587929] ? asm_exc_invalid_op+0x16/0x20 [ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.588825] nf_hook_slow+0x3d/0xd0 [ 57.589188] ? br_handle_vlan+0x4b/0x110 [ 57.589579] br_pass_frame_up+0xfc/0x150 [ 57.589970] ? br_port_flags_change+0x40/0x40 [ 57.590396] br_handle_frame_finish+0x346/0x5e0 [ 57.590837] ? ipt_do_table+0x32e/0x430 [ 57.591221] ? br_handle_local_finish+0x20/0x20 [ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter] [ 57.592286] ? br_handle_local_finish+0x20/0x20 [ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter] [ 57.593348] ? br_handle_local_finish+0x20/0x20 [ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat] [ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter] [ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter] [ 57.595280] br_handle_frame+0x1f3/0x3d0 [ 57.595676] ? br_handle_local_finish+0x20/0x20 [ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0 [ 57.596566] __netif_receive_skb_core+0x25b/0xfc0 [ 57.597017] ? __napi_build_skb+0x37/0x40 [ 57.597418] __netif_receive_skb_list_core+0xfb/0x220
AI Analysis
Technical Summary
CVE-2024-27018 is a vulnerability identified in the Linux kernel's netfilter subsystem, specifically within the br_netfilter module that handles network packet filtering for bridge devices. The issue arises when a bridge device operates in promiscuous mode, a setting where the device captures all packets on the network segment, not just those addressed to it. Historically, packets directed to tap devices (virtual network interfaces) follow the bridge input hook path. However, this behavior caused cloned packets to reach the br_netfilter input hook without proper connection tracking (conntrack) handling, leading to warning splats (kernel warnings) and potential instability. The vulnerability is due to the br_netfilter module not skipping the conntrack input hook for promiscuous packets, which can cause improper processing and kernel warnings. The patch for this vulnerability introduces a workaround that resets the conntrack state for these packets and modifies the BR_INPUT_SKB_CB bit annotation to indicate that a packet has reached the input hook because it is passed up to the bridge device to reach taps. The kernel warning logs included in the description show a stack trace triggered by this issue, indicating a kernel warning at br_nf_local_in function in br_netfilter_hooks.c. This vulnerability affects multiple Linux kernel versions identified by specific commit hashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability is technical and low-level, impacting kernel network packet processing, which is critical for systems relying on Linux bridging and network filtering features.
Potential Impact
For European organizations, the impact of CVE-2024-27018 primarily concerns systems that utilize Linux bridge devices in promiscuous mode, such as virtualized environments, cloud infrastructure, and network appliances. Organizations running Linux-based virtual machines, containers, or network functions that rely on br_netfilter for packet filtering and connection tracking could experience kernel instability or denial of service due to kernel warnings and potential crashes. This could disrupt network traffic handling, affecting availability and reliability of critical services. Confidentiality and integrity impacts are less direct but could arise if attackers exploit the instability to bypass network filtering or cause unexpected behavior in network packet processing. Since the vulnerability involves kernel-level network processing, it could affect data centers, telecom providers, and enterprises with complex network topologies. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely used Linux kernels means that unpatched systems remain at risk of future exploitation or operational issues. European organizations with significant Linux infrastructure, especially those using bridging and virtual networking extensively, should prioritize patching to maintain network stability and security.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-27018 as soon as they become available from trusted sources or Linux distribution vendors. 2. Review and audit network configurations to identify bridge devices operating in promiscuous mode and assess whether promiscuous mode is necessary; disable it if not required. 3. Monitor kernel logs for warning splats or messages related to br_netfilter and conntrack to detect potential exploitation or instability early. 4. Implement network segmentation and isolation to limit exposure of critical systems using bridging features. 5. For virtualized environments, ensure hypervisor and guest OS kernels are updated and consistent with security patches. 6. Use kernel live patching solutions where possible to minimize downtime during patch deployment. 7. Engage in proactive vulnerability management and testing to detect similar kernel-level issues before production deployment. 8. Collaborate with Linux distribution maintainers and security teams to stay informed about updates and best practices related to br_netfilter and netfilter subsystems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2024-27018: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: skip conntrack input hook for promisc packets For historical reasons, when bridge device is in promisc mode, packets that are directed to the taps follow bridge input hook path. This patch adds a workaround to reset conntrack for these packets. Jianbo Liu reports warning splats in their test infrastructure where cloned packets reach the br_netfilter input hook to confirm the conntrack object. Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has reached the input hook because it is passed up to the bridge device to reach the taps. [ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core [ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19 [ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1 [ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202 [ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000 [ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000 [ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003 [ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000 [ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800 [ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000 [ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0 [ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 57.585440] Call Trace: [ 57.585721] <IRQ> [ 57.585976] ? __warn+0x7d/0x130 [ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.586811] ? report_bug+0xf1/0x1c0 [ 57.587177] ? handle_bug+0x3f/0x70 [ 57.587539] ? exc_invalid_op+0x13/0x60 [ 57.587929] ? asm_exc_invalid_op+0x16/0x20 [ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.588825] nf_hook_slow+0x3d/0xd0 [ 57.589188] ? br_handle_vlan+0x4b/0x110 [ 57.589579] br_pass_frame_up+0xfc/0x150 [ 57.589970] ? br_port_flags_change+0x40/0x40 [ 57.590396] br_handle_frame_finish+0x346/0x5e0 [ 57.590837] ? ipt_do_table+0x32e/0x430 [ 57.591221] ? br_handle_local_finish+0x20/0x20 [ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter] [ 57.592286] ? br_handle_local_finish+0x20/0x20 [ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter] [ 57.593348] ? br_handle_local_finish+0x20/0x20 [ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat] [ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter] [ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter] [ 57.595280] br_handle_frame+0x1f3/0x3d0 [ 57.595676] ? br_handle_local_finish+0x20/0x20 [ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0 [ 57.596566] __netif_receive_skb_core+0x25b/0xfc0 [ 57.597017] ? __napi_build_skb+0x37/0x40 [ 57.597418] __netif_receive_skb_list_core+0xfb/0x220
AI-Powered Analysis
Technical Analysis
CVE-2024-27018 is a vulnerability identified in the Linux kernel's netfilter subsystem, specifically within the br_netfilter module that handles network packet filtering for bridge devices. The issue arises when a bridge device operates in promiscuous mode, a setting where the device captures all packets on the network segment, not just those addressed to it. Historically, packets directed to tap devices (virtual network interfaces) follow the bridge input hook path. However, this behavior caused cloned packets to reach the br_netfilter input hook without proper connection tracking (conntrack) handling, leading to warning splats (kernel warnings) and potential instability. The vulnerability is due to the br_netfilter module not skipping the conntrack input hook for promiscuous packets, which can cause improper processing and kernel warnings. The patch for this vulnerability introduces a workaround that resets the conntrack state for these packets and modifies the BR_INPUT_SKB_CB bit annotation to indicate that a packet has reached the input hook because it is passed up to the bridge device to reach taps. The kernel warning logs included in the description show a stack trace triggered by this issue, indicating a kernel warning at br_nf_local_in function in br_netfilter_hooks.c. This vulnerability affects multiple Linux kernel versions identified by specific commit hashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability is technical and low-level, impacting kernel network packet processing, which is critical for systems relying on Linux bridging and network filtering features.
Potential Impact
For European organizations, the impact of CVE-2024-27018 primarily concerns systems that utilize Linux bridge devices in promiscuous mode, such as virtualized environments, cloud infrastructure, and network appliances. Organizations running Linux-based virtual machines, containers, or network functions that rely on br_netfilter for packet filtering and connection tracking could experience kernel instability or denial of service due to kernel warnings and potential crashes. This could disrupt network traffic handling, affecting availability and reliability of critical services. Confidentiality and integrity impacts are less direct but could arise if attackers exploit the instability to bypass network filtering or cause unexpected behavior in network packet processing. Since the vulnerability involves kernel-level network processing, it could affect data centers, telecom providers, and enterprises with complex network topologies. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely used Linux kernels means that unpatched systems remain at risk of future exploitation or operational issues. European organizations with significant Linux infrastructure, especially those using bridging and virtual networking extensively, should prioritize patching to maintain network stability and security.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-27018 as soon as they become available from trusted sources or Linux distribution vendors. 2. Review and audit network configurations to identify bridge devices operating in promiscuous mode and assess whether promiscuous mode is necessary; disable it if not required. 3. Monitor kernel logs for warning splats or messages related to br_netfilter and conntrack to detect potential exploitation or instability early. 4. Implement network segmentation and isolation to limit exposure of critical systems using bridging features. 5. For virtualized environments, ensure hypervisor and guest OS kernels are updated and consistent with security patches. 6. Use kernel live patching solutions where possible to minimize downtime during patch deployment. 7. Engage in proactive vulnerability management and testing to detect similar kernel-level issues before production deployment. 8. Collaborate with Linux distribution maintainers and security teams to stay informed about updates and best practices related to br_netfilter and netfilter subsystems.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.209Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9821c4522896dcbddbbc
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:56:09 AM
Last updated: 8/15/2025, 7:45:28 AM
Views: 16
Related Threats
CVE-2025-41242: Vulnerability in VMware Spring Framework
MediumCVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5
HighCVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU
HighCVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340
HighCVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.