CVE-2024-54031: Vulnerability in Linux Linux

High
Published: Wed Jan 15 2025 (01/15/2025, 13:10:23 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

Access to genmask field in struct nft_set_ext results in unaligned atomic read:

[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
[ 72.131036] Mem abort info:
[ 72.131213] ESR = 0x0000000096000021
[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits
[ 72.132209] SET = 0, FnV = 0
[ 72.133216] EA = 0, S1PTW = 0
[ 72.134080] FSC = 0x21: alignment fault
[ 72.135593] Data abort info:
[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, +pte=0068000102bb7707
[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
[...]
[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2
[ 72.170509] Tainted: [E]=UNSIGNED_MODULE
[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
[ 72.172546] sp : ffff800081f2bce0
[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
[ 72.176207] Call trace:
[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
[ 72.176653] process_one_work+0x178/0x3d0
[ 72.176831] worker_thread+0x200/0x3f0
[ 72.176995] kthread+0xe8/0xf8
[ 72.177130] ret_from_fork+0x10/0x20
[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
[ 72.177557] ---[ end trace 0000000000000000 ]---

Align struct nft_set_ext to word size to address this and document it.

pahole reports that this increases the size of elements for rhash and pipapo by 8 bytes on x86_64.

AI-Powered Analysis

Last updated: 06/28/2025, 11:11:51 UTC

Technical Analysis

CVE-2024-54031 is a vulnerability identified in the Linux kernel's netfilter subsystem, specifically within the nft_set_hash code that handles nft_set_ext structures. The root cause is an unaligned atomic read operation on the genmask field of the struct nft_set_ext. This unaligned access leads to a kernel paging fault and results in a kernel oops (crash), as evidenced by the detailed kernel logs showing an alignment fault (ESR=0x0000000096000021) and a data abort due to unaligned memory access. The vulnerability arises because the nft_set_ext structure is not properly aligned to the processor's word size, causing atomic operations to fail on certain architectures, particularly those with strict alignment requirements such as ARM64. The fix involves aligning the nft_set_ext structure to the word size, which increases the size of related elements by 8 bytes on x86_64 systems, ensuring safe atomic operations. This vulnerability can cause denial of service (DoS) by crashing the kernel when the vulnerable code path is exercised. The issue is present in multiple Linux kernel versions identified by their commit hashes, and it affects the nf_tables component responsible for packet filtering and firewall functionality. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The vulnerability does not require user interaction but does require kernel-level code execution or triggering of netfilter rules that use the affected nft_set_ext structure. The impact is primarily on system stability and availability due to kernel crashes.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the availability and stability of Linux-based systems that utilize the netfilter nf_tables framework for firewalling and packet filtering. Many European enterprises, government agencies, and critical infrastructure providers rely heavily on Linux servers and network appliances running netfilter for security and traffic management. A successful exploitation or accidental triggering of this vulnerability could lead to kernel panics and system reboots, causing service interruptions, potential data loss, and operational downtime. This is especially critical for environments requiring high availability such as financial institutions, telecommunications, healthcare providers, and public sector networks. Although there is no indication of privilege escalation or confidentiality breach, the denial of service impact could be leveraged in targeted attacks to disrupt services or as part of a larger attack chain. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely deployed Linux kernels means that patching is urgent to prevent future exploitation. Additionally, virtualized environments and cloud providers in Europe using affected Linux kernels could experience instability affecting multiple tenants.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel versions to include the patch that aligns the nft_set_ext structure properly, thereby preventing unaligned atomic reads. Since this vulnerability affects the kernel's netfilter subsystem, kernel upgrades should be tested and deployed promptly across all affected systems, including servers, network appliances, and virtual machines. Organizations should audit their firewall and packet filtering configurations to identify usage of nftables and nft_set_ext structures and monitor kernel logs for signs of alignment faults or crashes related to nft_rhash_gc workqueue activity. For environments where immediate patching is not feasible, temporary mitigation could include disabling or limiting nftables rules that trigger the vulnerable code paths, although this may reduce firewall functionality. Implementing kernel crash monitoring and automated recovery mechanisms can reduce downtime impact. Additionally, organizations should ensure that their incident response teams are aware of this vulnerability and have procedures to quickly apply patches and respond to kernel crashes. Coordination with Linux distribution vendors for timely security updates is essential, as is verifying that all cloud and virtualization platforms are running patched kernels.
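
The log monitoring recommended above can be automated. The following Python script is an added example, not part of the original advisory or the kernel project: it scans kernel log text for an oops whose ESR decodes to a data-abort alignment fault with the program counter in nft_rhash_gc. The function names and the 8-byte word size are assumptions of this example; the sample lines are excerpted from the trace in the Description.

```python
import re

# Lines excerpted from the oops in the Description above.
SAMPLE_LOG = """\
[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
[ 72.177557] ---[ end trace 0000000000000000 ]---
"""

WORD = 8  # assumption: 64-bit kernel, so "word size" is 8 bytes
ADDR_RE = re.compile(r"paging request at virtual address ([0-9a-f]+)")
OOPS_RE = re.compile(r"Internal error: Oops: ([0-9a-f]{8,16})")
PC_RE = re.compile(r"\bpc : (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
END_RE = re.compile(r"---\[ end trace")


def decode_esr(esr):
    """Split an arm64 ESR value into exception class (bits 31:26) and DFSC (bits 5:0)."""
    return {"ec": (esr >> 26) & 0x3F, "dfsc": esr & 0x3F}


def find_nft_alignment_oops(text):
    """Return one record per oops that is an alignment fault with pc in nft_rhash_gc."""
    hits, cur = [], {}
    # A sentinel terminator flushes an oops whose "end trace" line was lost.
    for line in text.splitlines() + ["---[ end trace"]:
        if m := ADDR_RE.search(line):
            cur = {"addr": int(m.group(1), 16)}
        elif m := OOPS_RE.search(line):
            cur.update(decode_esr(int(m.group(1), 16)))
        elif m := PC_RE.search(line):
            cur["pc"], cur["module"] = m.group(1), m.group(2)
        elif END_RE.search(line):
            # EC 0x25: data abort at current EL; DFSC 0x21: alignment fault
            if (cur.get("ec"), cur.get("dfsc"), cur.get("pc")) == (0x25, 0x21, "nft_rhash_gc"):
                cur["word_aligned"] = cur.get("addr", 0) % WORD == 0
                hits.append(cur)
            cur = {}
    return hits


if __name__ == "__main__":
    for hit in find_nft_alignment_oops(SAMPLE_LOG):
        print(hit)
```

Feed it the output of `dmesg` or a persisted kernel log; a hit with `word_aligned` set to False matches the faulting address pattern in the trace above.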

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-01-15T13:08:59.769Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9823c4522896dcbdf0d7

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 6/28/2025, 11:11:51 AM

Last updated: 8/5/2025, 6:25:20 AM
