
CVE-2024-42321: Vulnerability in the Linux kernel

Severity: Medium
Published: Sat Aug 17 2024 (08/17/2024, 09:09:33 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE

The following splat is easy to reproduce upstream as well as in -stable kernels. Florian Westphal provided the following commit: d1dab4f71d37 ("net: add and use __skb_get_hash_symmetric_net") but this complementary fix has been also suggested by Willem de Bruijn and it can be easily backported to -stable kernel which consists in using DEBUG_NET_WARN_ON_ONCE instead to silence the following splat given __skb_get_hash() is used by the nftables tracing infrastructure to identify packets in traces.

[69133.561393] ------------[ cut here ]------------
[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/ [...]
[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379
[69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0
[69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff ff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff <0f> 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8
[69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246
[69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19
[69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418
[69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000
[69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400
[69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28
[69133.562020] FS: 00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[69133.562027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0
[69133.562040] Call Trace:
[69133.562044] <IRQ>
[69133.562049] ? __warn+0x9f/0x1a0
[ 1211.841384] ? __skb_flow_dissect+0x107e/0x2860
[...]
[ 1211.841496] ? bpf_flow_dissect+0x160/0x160
[ 1211.841753] __skb_get_hash+0x97/0x280
[ 1211.841765] ? __skb_get_hash_symmetric+0x230/0x230
[ 1211.841776] ? mod_find+0xbf/0xe0
[ 1211.841786] ? get_stack_info_noinstr+0x12/0xe0
[ 1211.841798] ? bpf_ksym_find+0x56/0xe0
[ 1211.841807] ? __rcu_read_unlock+0x2a/0x70
[ 1211.841819] nft_trace_init+0x1b9/0x1c0 [nf_tables]
[ 1211.841895] ? nft_trace_notify+0x830/0x830 [nf_tables]
[ 1211.841964] ? get_stack_info+0x2b/0x80
[ 1211.841975] ? nft_do_chain_arp+0x80/0x80 [nf_tables]
[ 1211.842044] nft_do_chain+0x79c/0x850 [nf_tables]

AI-Powered Analysis

Last updated: 06/29/2025, 07:11:20 UTC

Technical Analysis

CVE-2024-42321 covers a reachable WARN_ON_ONCE() in the Linux kernel's flow dissector, the networking code that walks packet headers to extract the flow keys used for hashing and classification. __skb_flow_dissect() needs a network namespace in order to look up an attached BPF flow-dissector program; when the caller passes none, it derives one from the skb's device or, failing that, from its socket, and warns if neither is available. The nftables tracing path reaches this code through nft_trace_init(), which calls __skb_get_hash() to give traced packets an identifier, and at that point the skb can carry neither a device nor a socket, so the warning fires. The splat above was produced by a socat process on a 6.10.0-rc7 kernel with tracing enabled. The warning does not indicate memory corruption: the dissector already skips the BPF program lookup when it has no namespace, and packet handling continues. Florian Westphal's upstream commit passes the namespace explicitly (__skb_get_hash_symmetric_net); this complementary, backportable fix changes the check to DEBUG_NET_WARN_ON_ONCE(), which emits the warning only on kernels built with CONFIG_DEBUG_NET and compiles out otherwise. WARN_ON_ONCE() fires at most once per boot per call site, so on a default configuration the direct effect is a single splat in the kernel log. The security-relevant case is a system running with kernel.panic_on_warn=1, where that first warning is a kernel panic, and the condition can be reached by traffic hitting an nftables rule with tracing enabled, as the socat-triggered splat shows. Nothing in the report indicates privilege escalation or code execution, and no exploitation in the wild had been reported as of publication.
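The behaviour just described, as an added example that is not kernel code and is not part of this advisory: a userspace model of the namespace lookup at the top of __skb_flow_dissect() and of the two macros the fix swaps. The type, enum and function names are stand-ins chosen for the model. It shows that the pre-fix check logs exactly one splat no matter how many orphan packets are hashed, that with panic_on_warn set that one splat is fatal, that the post-fix check is silent unless built with -DCONFIG_DEBUG_NET, and that the functional outcome (whether the BPF program lookup runs) is the same either way.

```c
/* Added example, not kernel code: a userspace model of the net-namespace
 * lookup at the top of __skb_flow_dissect() and of the two macros the
 * CVE-2024-42321 fix swaps, WARN_ON_ONCE() for DEBUG_NET_WARN_ON_ONCE().
 * All type, enum and function names below are stand-ins for this model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct net        { int id; };
struct net_device { struct net *nd_net; };
struct sock       { struct net *sk_net; };
struct sk_buff    { struct net_device *dev; struct sock *sk; };

/* WARN_ON_ONCE() keeps one "already warned" flag per call site. */
enum warn_site { SITE_BEFORE_FIX, SITE_AFTER_FIX, NR_SITES };
static bool warned[NR_SITES];
static unsigned int splats;      /* splats written to the "kernel log" */
static bool panic_on_warn;       /* models sysctl kernel.panic_on_warn */
static bool panicked;            /* set when a splat would have panicked */

static void model_reset(void)
{
	memset(warned, 0, sizeof warned);
	splats = 0;
	panicked = false;
}

/* Model of WARN_ON_ONCE(): a true condition logs at most one splat per
 * site; if panic_on_warn is set, that first splat is a kernel panic. */
static bool model_warn_on_once(enum warn_site site, bool cond)
{
	if (cond && !warned[site]) {
		warned[site] = true;
		splats++;
		printf("WARNING: site %d: condition hit\n", (int)site);
		if (panic_on_warn)
			panicked = true;
	}
	return cond;
}

/* Model of DEBUG_NET_WARN_ON_ONCE(): WARN_ON_ONCE() under CONFIG_DEBUG_NET,
 * otherwise it only type-checks the condition and generates no code, as
 * the kernel's BUILD_BUG_ON_INVALID() does. */
#ifdef CONFIG_DEBUG_NET
#define model_debug_net_warn_on_once(site, cond) \
	((void)model_warn_on_once((site), (cond)))
#else
#define model_debug_net_warn_on_once(site, cond) ((void)sizeof(!!(cond)))
#endif

/* The lines the splat points at: with no net passed in, derive one from
 * the skb's device, else its socket, then check that one was found. The
 * return value (would the BPF program lookup, which needs a net, run)
 * is the same before and after the fix; only the warning differs. */
static bool dissect(const struct sk_buff *skb, struct net *net, bool fixed)
{
	if (skb && !net) {
		if (skb->dev)
			net = skb->dev->nd_net;
		else if (skb->sk)
			net = skb->sk->sk_net;
	}
	if (fixed)
		model_debug_net_warn_on_once(SITE_AFTER_FIX, !net);
	else
		model_warn_on_once(SITE_BEFORE_FIX, !net);
	return net != NULL;
}

/* Hash `packets` skbs through one variant and return the splats logged.
 * orphan=true builds an skb with neither dev nor sk, the case the nftables
 * trace path hit; bpf_ran and would_panic (may be NULL) report the rest. */
unsigned int splats_for(bool fixed, bool orphan, unsigned int packets,
			bool panic_sysctl, bool *bpf_ran, bool *would_panic)
{
	struct net init_net = { 0 };
	struct net_device eth0 = { &init_net };
	struct sk_buff skb = { orphan ? NULL : &eth0, NULL };
	bool ran = false;

	model_reset();
	panic_on_warn = panic_sysctl;
	for (unsigned int i = 0; i < packets; i++)
		ran = dissect(&skb, NULL, fixed);
	if (bpf_ran)
		*bpf_ran = ran;
	if (would_panic)
		*would_panic = panicked;
	return splats;
}

int main(void)
{
	bool ran, panic;

	printf("before fix: %u splat(s)\n", splats_for(false, true, 5, false, NULL, NULL));
	printf("after fix:  %u splat(s)\n", splats_for(true, true, 5, false, NULL, NULL));
	splats_for(false, true, 1, true, &ran, &panic);
	printf("panic_on_warn=1, before fix: panic=%d bpf=%d\n", panic, ran);
	return 0;
}
```

Rebuilding with -DCONFIG_DEBUG_NET makes the post-fix variant log its single splat again, which is the point of the macro: the check stays in debug builds and disappears from production ones.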

Potential Impact

For European organizations, the exposure is limited to Linux systems that use nftables tracing (rules with meta nftrace set 1, viewed with nft monitor trace) on an unpatched kernel; that includes firewalls, routers, servers and cloud instances built on current distributions, since the condition is present in stable kernels. On a default configuration the effect is one kernel warning in the log and no change to packet handling, so confidentiality and integrity are unaffected and availability is unaffected too. The availability impact arises where kernel.panic_on_warn=1 is set, which fuzzing setups and some hardened deployments do: there the first traced packet that takes this path panics the machine, a denial of service reachable from the network for as long as a trace is active. Because WARN_ON_ONCE() fires once per boot, a single splat is the only trace of the condition on a host that does not panic. No exploits are known, but unpatched systems that enable tracing remain susceptible to that disruption until the fix is applied.

Mitigation Recommendations

To mitigate CVE-2024-42321, European organizations should apply the kernel update that carries the flow dissector change (WARN_ON_ONCE() replaced by DEBUG_NET_WARN_ON_ONCE()), which is in upstream and is backported to stable series. Organizations should: 1) Identify Linux systems on affected kernels, prioritising those where nftables tracing is used (rules with meta nftrace set 1, operators running nft monitor trace) and those with kernel.panic_on_warn=1, since that combination turns the warning into a panic. 2) Apply the vendor kernel update that includes the fix as soon as it is available. 3) If patching must wait, either remove the nftrace flag from rules so the trace path is not taken, accepting the loss of trace visibility, or, on hosts that do not require crash-on-warn, clear kernel.panic_on_warn so the warning cannot take the host down. 4) Watch kernel logs for the signature "WARNING: CPU: ... at net/core/flow_dissector.c:... __skb_flow_dissect" with nft_trace_init in the call trace; because it fires once per boot, treat a single occurrence as confirmation that the path was hit, not as evidence of an attack. 5) Confirm with the distribution vendor that the shipped kernel package contains the fix. 6) Track the CVE in vulnerability management so the update is not deferred indefinitely.
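The log check in the mitigation steps above, as an added example that is not from the advisory or the kernel tree: a small scanner that finds the CVE-2024-42321 splat signature in kernel log text (dmesg or journalctl -k output) and attributes it to the nftables trace path by looking for nft_trace_init in the call trace that follows the WARNING line. The sample log is constructed from lines of the advisory's splat, trimmed, plus an unrelated warning from a hypothetical file (lib/example_unrelated.c) that the scanner must ignore.

```c
/* Added example, not from the advisory or the kernel tree: a scanner for
 * the CVE-2024-42321 splat signature in kernel log text. It keys on a
 * WARNING line naming net/core/flow_dissector.c inside __skb_flow_dissect,
 * then looks for nft_trace_init in the call trace that follows. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct splat_hit {
	int cpu, pid;
	char comm[32];
	bool via_nft_trace;
};

#define TRACE_WINDOW 40   /* lines after the WARNING to scan for the trace */

/* Copy the next line of *p (without its newline) into buf; advance *p. */
static bool next_line(const char **p, char *buf, size_t len)
{
	const char *s = *p, *e = strchr(s, '\n');
	size_t n = e ? (size_t)(e - s) : strlen(s);

	if (!*s)
		return false;
	if (n >= len)
		n = len - 1;
	memcpy(buf, s, n);
	buf[n] = '\0';
	*p = e ? e + 1 : s + n;
	return true;
}

static bool is_flow_dissector_warning(const char *line)
{
	return strstr(line, "WARNING: CPU:") &&
	       strstr(line, "net/core/flow_dissector.c") &&
	       strstr(line, "__skb_flow_dissect");
}

/* Scan log text, filling hits[] (up to max_hits); return the number of
 * flow_dissector splats found. Timestamp prefixes are ignored, so dmesg
 * and journalctl -k output both work. */
int scan_kernel_log(const char *log, struct splat_hit *hits, int max_hits)
{
	char line[512];
	const char *p = log, *c;
	int found = 0, window = 0;
	struct splat_hit *cur = NULL;

	while (next_line(&p, line, sizeof line)) {
		if (is_flow_dissector_warning(line)) {
			if (found >= max_hits)
				break;
			cur = &hits[found++];
			memset(cur, 0, sizeof *cur);
			sscanf(strstr(line, "CPU:"), "CPU: %d PID: %d",
			       &cur->cpu, &cur->pid);
			window = TRACE_WINDOW;
			continue;
		}
		if (strstr(line, "WARNING: CPU:"))	/* some other splat begins */
			cur = NULL;
		if (!cur || window-- <= 0)
			continue;
		c = strstr(line, "Comm: ");
		if (c && !cur->comm[0])
			sscanf(c, "Comm: %31s", cur->comm);
		if (strstr(line, "nft_trace_init"))
			cur->via_nft_trace = true;
	}
	return found;
}

/* Constructed sample: the advisory's splat, trimmed, followed by an
 * unrelated warning from a hypothetical file that must not match. */
static const char sample_log[] =
"[69133.561393] ------------[ cut here ]------------\n"
"[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/0x2ad0\n"
"[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379\n"
"[69133.562040] Call Trace:\n"
"[69133.562049]  ? __warn+0x9f/0x1a0\n"
"[ 1211.841753]  __skb_get_hash+0x97/0x280\n"
"[ 1211.841819]  nft_trace_init+0x1b9/0x1c0 [nf_tables]\n"
"[ 1211.842044]  nft_do_chain+0x79c/0x850 [nf_tables]\n"
"[69140.000000] ------------[ cut here ]------------\n"
"[69140.000010] WARNING: CPU: 1 PID: 12 at lib/example_unrelated.c:42 other_func+0x10/0x20\n"
"[69140.000020] CPU: 1 PID: 12 Comm: kworker/1:1 Not tainted 6.10.0-rc7+ #379\n";

int main(void)
{
	struct splat_hit hits[8];
	int n = scan_kernel_log(sample_log, hits, 8);

	for (int i = 0; i < n; i++)
		printf("cpu=%d pid=%d comm=%s via nft_trace_init=%d\n", hits[i].cpu,
		       hits[i].pid, hits[i].comm, hits[i].via_nft_trace);
	return 0;
}
```

To run it against a live host, replace sample_log with the contents of dmesg; a hit with via_nft_trace set is the advisory's condition, and one hit per boot is all a non-panicking host will ever show.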


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-30T07:40:12.279Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe1f22

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 7:11:20 AM

Last updated: 8/10/2025, 6:50:26 AM

