Linux Kernel Netfilter nf_tables Use-After-Free Vulnerability via NF_STOLEN Verdict

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's netfilter component, specifically within nf_tables. When a packet's verdict is set to NF_STOLEN, the associated socket buffer (skb) may have already been freed. If tracing is enabled, this can lead to unauthorized access to freed memory, allowing access to skb tracing information, packet marks, and the computation and dumping of trace IDs and packet payloads. The vulnerability arises from improper handling of the NF_STOLEN verdict, which can be exploited to access freed resources that should no longer be available.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, allowing for access to freed memory that could be manipulated or misused, potentially causing memory corruption or arbitrary code execution.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

9.0

impact

2.5

exploitability

5.3

remediation

0.0

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

9.0

impact

2.5

exploitability

5.3

remediation

0.0

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Linux Kernel Netfilter nf_tables Use-After-Free Vulnerability via NF_STOLEN Verdict

Vulnerability

Impact

Affected Products

Linux kernel

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating