Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's netfilter component, specifically within the nf_tables subsystem. The issue arises because a chain lookup by ID can return a chain that belongs to a different table. When a rule in one table points to a chain in another, the rule stays linked to the second table's chain even if the first table is deleted. This can lead to a use-after-free condition when the rule's expressions are processed or removed. The vulnerability has been addressed by ensuring that chain lookups by ID only return chains from the same table, preventing the cross-table references that could be exploited.
The resulting use-after-free condition may be exploited to cause a denial of service or potentially execute arbitrary code.
To reproduce this vulnerability, create a rule in one nf_tables table that references a chain in a different table using the NFTA_RULE_CHAIN_ID attribute. Once the rule is established, remove the first table. The rule will remain linked to the second table's chain, but the expressions will refer to objects in the first table, leading to a use-after-free condition when the expressions are processed or removed.
Users should update to the latest version of the Linux kernel where this vulnerability has been fixed.
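The fix described above, scoping the chain lookup by ID to the rule's own table, is shown here as a simplified userspace model. This is an added example, not the kernel's code: the struct layouts, function names and sample batch are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: these types and names are illustrative assumptions. */
struct table { const char *name; };
struct chain {
    const struct table *table;  /* owning table */
    uint32_t id;                /* batch-local ID, as carried by NFTA_RULE_CHAIN_ID */
};
struct batch { const struct chain *chains; size_t n; };

/* Constructed sample batch: one pending chain in each of two tables. */
static const struct table t1 = { "t1" }, t2 = { "t2" };
static const struct chain pending[] = { { &t1, 1 }, { &t2, 2 } };
static const struct batch sample = { pending, 2 };

/* Before: matches on ID alone, so a rule in t1 can resolve a chain owned by t2. */
const struct chain *chain_lookup_byid_unscoped(const struct batch *b, uint32_t id)
{
    for (size_t i = 0; i < b->n; i++)
        if (b->chains[i].id == id)
            return &b->chains[i];
    return NULL;
}

/* After: the caller passes the rule's table; chains of other tables never match. */
const struct chain *chain_lookup_byid(const struct batch *b,
                                      const struct table *table, uint32_t id)
{
    for (size_t i = 0; i < b->n; i++)
        if (b->chains[i].table == table && b->chains[i].id == id)
            return &b->chains[i];
    return NULL;
}

int main(void)
{
    const struct chain *c = chain_lookup_byid_unscoped(&sample, 2);
    printf("unscoped lookup from t1, id 2 -> chain in %s\n", c ? c->table->name : "(none)");
    c = chain_lookup_byid(&sample, &t1, 2);
    printf("scoped lookup from t1, id 2   -> %s\n", c ? c->table->name : "rejected");
    return 0;
}
```

With the scoped lookup, a rule whose chain ID resolves only in another table fails at lookup time instead of being linked across tables.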