CVE-2024-35839: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: replace physindev with physinif in nf_bridge_info

An skb can be added to a neigh->arp_queue while waiting for an arp reply, where the original skb's skb->dev can be different from the neigh's neigh->dev. For instance, in case of bridging a DNATed skb from one veth to another, the skb would be added to a neigh->arp_queue of the bridge.

As skb->dev can be reset back to nf_bridge->physindev and used, and as there is no explicit mechanism that prevents this physindev from being freed under us (for instance neigh_flush_dev doesn't clean up skbs from a different device's neigh queue), we can crash on e.g. this stack:

arp_process
  neigh_update
    skb = __skb_dequeue(&neigh->arp_queue)
      neigh_resolve_output(..., skb)
        ...
          br_nf_dev_xmit
            br_nf_pre_routing_finish_bridge_slow
              skb->dev = nf_bridge->physindev
              br_handle_frame_finish

Let's use a plain ifindex instead of a net_device link. To peek into the original net_device we will use dev_get_by_index_rcu(). Thus either we get the device and are safe to use it, or we don't get it and drop the skb.
AI Analysis
Technical Summary
CVE-2024-35839 is a vulnerability identified in the Linux kernel's netfilter bridge component. The issue arises from improper handling of socket buffers (skb) in the ARP queue associated with neighbor entries (neigh->arp_queue). Specifically, when a packet is bridged between virtual Ethernet interfaces (veth), the skb's device pointer (skb->dev) can differ from the neighbor's device (neigh->dev). The vulnerability occurs because skb->dev can be reset to nf_bridge->physindev, a physical device pointer that may have been freed or become invalid without proper synchronization or cleanup. This happens due to the lack of explicit mechanisms preventing physindev from being freed while still referenced in the ARP queue. Consequently, when the kernel processes the ARP queue and attempts to access skb->dev, it may dereference a freed or invalid device pointer, leading to a kernel crash (denial of service). The patch replaces the use of physindev with physinif, relying on the interface index and using dev_get_by_index_rcu() to safely retrieve the original net_device structure or drop the skb if the device is unavailable. This change prevents use-after-free conditions and stabilizes the ARP queue processing in bridged network environments. The vulnerability affects Linux kernel versions identified by the commit hash c4e70a87d975d1f561a00abfe2d3cefa2a486c95 and is currently published without a CVSS score or known exploits in the wild.
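A userland model of the fix, added here as an illustration and not code from the page or the kernel: nf_bridge_info stores physinif (an ifindex) and finish_bridge_slow() re-resolves it through a stand-in for dev_get_by_index_rcu(), so a device torn down while the skb waited in the ARP queue yields NULL and the skb is dropped instead of a freed pointer being dereferenced. The device table, register_dev() and unregister_dev() are constructed stand-ins for kernel internals, as are the cut-down struct definitions.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_DEVS 8

struct net_device { int ifindex; char name[16]; };

/* Constructed stand-in for the kernel's per-netns ifindex table. */
static struct net_device *dev_table[MAX_DEVS];

/* Register a device under an ifindex (like register_netdevice()). */
static struct net_device *register_dev(int ifindex, const char *name) {
    if (ifindex <= 0 || ifindex >= MAX_DEVS) return NULL;
    struct net_device *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->ifindex = ifindex;
    strncpy(d->name, name, sizeof d->name - 1);
    dev_table[ifindex] = d;
    return d;
}

/* Tear the device down; any raw pointer still held to it now dangles. */
static void unregister_dev(int ifindex) {
    if (ifindex <= 0 || ifindex >= MAX_DEVS) return;
    free(dev_table[ifindex]);
    dev_table[ifindex] = NULL;
}

/* Model of dev_get_by_index_rcu(): NULL once the device is gone. */
static struct net_device *dev_get_by_index_rcu(int ifindex) {
    if (ifindex <= 0 || ifindex >= MAX_DEVS) return NULL;
    return dev_table[ifindex];
}

/* After the fix nf_bridge_info carries an ifindex (physinif), not the
 * raw net_device pointer (physindev) that could be freed under us. */
struct nf_bridge_info { int physinif; };
struct sk_buff { struct net_device *dev; struct nf_bridge_info nf_bridge; };

/* Model of the fixed br_nf_pre_routing_finish_bridge_slow(): re-resolve
 * the original input device by index at use time. Returns 1 if the skb can
 * be handed on, 0 if it must be dropped (kfree_skb() in the kernel). */
static int finish_bridge_slow(struct sk_buff *skb) {
    struct net_device *dev = dev_get_by_index_rcu(skb->nf_bridge.physinif);
    if (!dev) { skb->dev = NULL; return 0; }
    skb->dev = dev;
    return 1;
}
```

The same sequence with the pre-fix layout (a stored net_device pointer) would dereference freed memory after unregister_dev(); with the index it degrades to a dropped packet.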
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with bridging enabled, especially those utilizing virtualized networking environments such as containers, virtual machines, or complex network topologies involving veth pairs. The impact is mainly a denial-of-service condition caused by kernel crashes, which can disrupt critical network services, leading to downtime and potential loss of availability. Organizations relying on Linux-based network appliances, cloud infrastructure, or edge devices with bridging capabilities could experience service interruptions. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting instability can affect business continuity, especially in sectors like telecommunications, finance, and critical infrastructure where Linux bridging is common. Additionally, the lack of known exploits suggests that the threat is currently theoretical, but the ease of triggering a kernel crash in bridged environments means attackers with network access could exploit it to cause disruption.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch replacing physindev with physinif and implementing safe device retrieval via dev_get_by_index_rcu(). Specifically, system administrators should:
1) Identify all Linux systems using bridging features, especially those with virtualized network interfaces (veth).
2) Apply the latest kernel updates from trusted Linux distributions that address CVE-2024-35839.
3) For environments where immediate patching is not feasible, consider temporarily disabling bridging or limiting bridged traffic to trusted networks to reduce exposure.
4) Monitor kernel logs for signs of crashes or ARP queue processing errors that may indicate attempted exploitation.
5) Implement network segmentation and strict access controls to minimize the risk of untrusted users triggering the vulnerability.
6) Engage with Linux distribution security advisories to track patch availability and deployment status.
These steps go beyond generic advice by focusing on bridging-specific configurations and kernel update management tailored to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.104Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe35f9
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:26:49 PM
Last updated: 8/3/2025, 12:55:46 PM