CVE-2024-36005: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: honor table dormant flag from netdev release event path

Check for table dormant flag otherwise netdev release event path tries to unregister an already unregistered hook.

[524854.857999] ------------[ cut here ]------------
[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260
[...]
[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365
[524854.858869] Workqueue: netns cleanup_net
[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260
[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41
[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246
[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a
[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438
[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34
[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005
[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00
[524854.858971] FS:  0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[524854.858982] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0
[524854.859000] Call Trace:
[524854.859006]  <TASK>
[524854.859013]  ? __warn+0x9f/0x1a0
[524854.859027]  ? __nf_unregister_net_hook+0x21a/0x260
[524854.859044]  ? report_bug+0x1b1/0x1e0
[524854.859060]  ? handle_bug+0x3c/0x70
[524854.859071]  ? exc_invalid_op+0x17/0x40
[524854.859083]  ? asm_exc_invalid_op+0x1a/0x20
[524854.859100]  ? __nf_unregister_net_hook+0x6a/0x260
[524854.859116]  ? __nf_unregister_net_hook+0x21a/0x260
[524854.859135]  nf_tables_netdev_event+0x337/0x390 [nf_tables]
[524854.859304]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]
[524854.859461]  ? packet_notifier+0xb3/0x360
[524854.859476]  ? _raw_spin_unlock_irqrestore+0x11/0x40
[524854.859489]  ? dcbnl_netdevice_event+0x35/0x140
[524854.859507]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]
[524854.859661]  notifier_call_chain+0x7d/0x140
[524854.859677]  unregister_netdevice_many_notify+0x5e1/0xae0
AI Analysis
Technical Summary
CVE-2024-36005 is a vulnerability in the Linux kernel's netfilter subsystem, specifically in the nf_tables component. The issue arises from improper handling of the table "dormant" flag in the netdev release event path. When a network device is released, nf_tables unregisters the netfilter hooks attached to that device. Because the release path did not check whether the owning table had already been marked dormant (a state in which its hooks are already unregistered), it could attempt to unregister the same hook a second time. This triggers the kernel warning at net/netfilter/core.c:501 shown in the trace above, reached through nf_tables_netdev_event during network namespace cleanup (Workqueue: netns cleanup_net), and can potentially escalate to a kernel panic or crash. The warning fires inside __nf_unregister_net_hook, but the missing check belongs to the nf_tables netdev event handler that calls it; the defect is a double unregistration of a hook. This flaw can cause system instability or denial of service (DoS). The trace comes from kernel 6.9.0-rc3+, so kernels around that version are affected, and the bug is relevant to systems using nf_tables for packet filtering and firewalling. No exploits are currently reported in the wild, and no CVSS score has been assigned. The fix adds a check that honors the table dormant flag, so the netdev release event path skips tables whose hooks are already unregistered.
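A user-space model of the bug class described above, written for this page and not taken from the kernel: a table marked dormant already has its hooks unregistered, so a netdev release handler that does not honor the flag unregisters the hook twice. The struct layout, the function names and the flag value are simplifications assumed here; only the WARN-on-double-unregister behaviour mirrors what the trace shows.

```c
/* Added example (not kernel code): why the release path must check the
 * dormant flag. Structures and names are hypothetical simplifications. */
#include <stdbool.h>
#include <stdio.h>

#define TABLE_F_DORMANT 0x1        /* models the nf_tables dormant flag; value assumed */

struct hook  { bool registered; };
struct table { unsigned flags; struct hook hook; };

static int warn_count;             /* stands in for the WARN in __nf_unregister_net_hook */

/* Model of __nf_unregister_net_hook: warns instead of touching an absent hook. */
static void unregister_hook(struct hook *h)
{
    if (!h->registered) {          /* kernel: WARNING at net/netfilter/core.c:501 */
        warn_count++;
        return;
    }
    h->registered = false;
}

/* Marking a table dormant takes its hooks out of the data path immediately. */
static void set_dormant(struct table *t)
{
    t->flags |= TABLE_F_DORMANT;
    unregister_hook(&t->hook);
}

/* Netdev release handler; honor_dormant=false models the pre-fix behaviour. */
static void netdev_release(struct table *t, bool honor_dormant)
{
    if (honor_dormant && (t->flags & TABLE_F_DORMANT))
        return;                    /* the fix: this table's hooks are already gone */
    unregister_hook(&t->hook);
}

/* Returns the number of spurious unregistrations for one dormant table. */
static int run_scenario(bool honor_dormant)
{
    struct table t = { .flags = 0, .hook = { .registered = true } };
    warn_count = 0;
    set_dormant(&t);                    /* administrator sets the dormant flag */
    netdev_release(&t, honor_dormant);  /* the interface is released afterwards */
    return warn_count;
}

int main(void)
{
    printf("pre-fix warnings: %d\n", run_scenario(false));  /* 1 */
    printf("fixed warnings:   %d\n", run_scenario(true));   /* 0 */
    return 0;
}
```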
Potential Impact
For European organizations, the impact of CVE-2024-36005 primarily concerns system stability and availability. Systems running Linux kernels with nf_tables enabled—commonly used for firewalling and network packet filtering—may experience kernel crashes or reboots if the vulnerability is triggered. This can lead to denial of service on critical infrastructure such as servers, network appliances, and embedded devices. Organizations relying on Linux-based firewalls, routers, or network security appliances are particularly at risk. While the vulnerability does not appear to allow privilege escalation or remote code execution directly, the resulting DoS can disrupt business operations, especially in sectors requiring high availability like finance, telecommunications, healthcare, and government services. Additionally, repeated crashes could complicate incident response and recovery efforts. Given the widespread use of Linux in European data centers and cloud environments, unpatched systems could face operational interruptions. However, exploitation requires triggering the netdev release event path, which may require specific conditions or administrative privileges, somewhat limiting the attack surface to local or privileged users.
Mitigation Recommendations
To mitigate CVE-2024-36005, European organizations should:
1) Apply the latest Linux kernel updates that include the fix honoring the table dormant flag in nf_tables. Monitor vendor advisories for patches relevant to their kernel versions.
2) For environments where immediate patching is not feasible, consider disabling nf_tables or using alternative firewall frameworks temporarily, if operationally acceptable.
3) Implement strict access controls and monitoring on systems with nf_tables enabled to detect unusual network device events or kernel warnings indicative of attempted exploitation.
4) Conduct thorough testing of kernel updates in staging environments to ensure stability before deployment in production.
5) Maintain robust backup and recovery procedures to minimize downtime in case of kernel crashes.
6) Engage with Linux distribution vendors or security mailing lists to stay informed about any emerging exploits or additional mitigations.
7) For critical infrastructure, consider network segmentation to limit exposure of vulnerable systems and reduce the risk of cascading failures.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.150Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe243f
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 9:12:13 AM
Last updated: 8/11/2025, 12:16:58 AM