Linux Kernel Netfilter Per-CPU Counter Leak Vulnerability in X-Tables

Vulnerability

A vulnerability exists in the Linux kernel's netfilter component, specifically within the x-tables framework, where a per-CPU counter block can be leaked. The leak occurs on the error path taken when a new network namespace registers its tables, particularly the IPv6 tables: the counter block is allocated during registration but is not freed if a later step of that registration fails. Although this error path is unlikely to be hit in practice, even a rare kernel memory leak is worth fixing because the memory is never reclaimed.
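As an added illustration (not code from this page or from the kernel), the following userspace C model reproduces the block scheme behind the kernel's xt_percpu_counter_alloc/xt_percpu_counter_free: counters for many table entries are carved out of one block, and only the entry whose slot sits at a block boundary frees the block. It assumes a 4096-byte block, a 16-byte counter pair, and aligned_alloc standing in for the per-CPU allocator, with a live-block counter as the leak detector; it shows that a registration that fails after allocating counters and returns without walking its entries leaks whole blocks unless the error path frees each entry's counter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define XT_PCPU_BLOCK_SIZE 4096u  /* kernel uses PAGE_SIZE; 4096 assumed here */
struct xt_counters { uint64_t pcnt, bcnt; };     /* 16 bytes, as in the kernel */
struct alloc_state { unsigned int off; char *mem; };
static int live_blocks;  /* blocks allocated and not yet freed (leak detector) */

/* One block (aligned to its size) is carved into 16-byte slots, so a fresh
 * block is allocated only once every 256 entries. */
static bool counter_alloc(struct alloc_state *st, struct xt_counters *c)
{
    if (!st->mem) {
        st->mem = aligned_alloc(XT_PCPU_BLOCK_SIZE, XT_PCPU_BLOCK_SIZE);
        if (!st->mem) return false;
        live_blocks++;
    }
    c->pcnt = (uintptr_t)(st->mem + st->off);
    st->off += sizeof(*c);
    if (st->off > XT_PCPU_BLOCK_SIZE - sizeof(*c)) {
        st->mem = NULL; st->off = 0;  /* block full: next alloc starts a new one */
    }
    return true;
}

/* Only the slot at a block boundary owns the block: freeing any other slot
 * is a no-op, so skipping cleanup of that one entry leaks the whole block. */
static void counter_free(struct xt_counters *c)
{
    if ((c->pcnt & (XT_PCPU_BLOCK_SIZE - 1)) == 0) {
        free((void *)(uintptr_t)c->pcnt);
        live_blocks--;
    }
}

/* Table registration model: every entry gets a counter, then a later step
 * fails (forced here). Buggy: return without walking the entries. Fixed:
 * free each entry's counter first. Returns blocks still allocated. */
int leaked_blocks_after_failure(size_t nentries, bool fixed)
{
    struct xt_counters *e = calloc(nentries, sizeof(*e));
    struct alloc_state st = {0};
    live_blocks = 0;
    for (size_t i = 0; e && i < nentries; i++)
        if (!counter_alloc(&st, &e[i])) break;
    if (fixed)  /* the cleanup the buggy error path omits */
        for (size_t i = 0; e && i < nentries; i++) counter_free(&e[i]);
    free(e);
    return live_blocks;
}
```

With 300 entries the buggy path leaves two blocks unreclaimed, while the fixed path leaves none.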

Impact

The vulnerability leads to a memory leak of per-CPU counter blocks, which can accumulate over time and potentially cause memory exhaustion.

Reproduction

To reproduce this vulnerability, register a new netns (network namespace) while the system is under memory pressure. This can be done by creating a new network namespace and then registering an IPv6 table. If the registration fails due to memory allocation issues, the allocated per-CPU counter block will not be freed, leading to a memory leak.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.

Added: Sep 15, 2025, 6:12 PM
Updated: Sep 15, 2025, 6:12 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.