Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's netfilter connection tracking system. When the connection tracking initialization fails, the cleanup process frees the nf_ct_helper_hash map. However, netfilter modules can still be loaded and may access this freed memory, leading to potential memory corruption. This vulnerability is present in the Linux kernel when built with connection tracking support.
Exploitation of this vulnerability can lead to a use-after-free condition, causing random memory corruption.
To reproduce this vulnerability, load a netfilter connection tracking module, such as netfilter_conntrack_ftp, after a failed initialization of the connection tracking system. This can be done by simulating a failure during the initialization process, which will leave the nf_ct_helper_hash pointer dangling. When the connection tracking module is loaded, it will access the invalid pointer, creating a use-after-free condition.
Users can update to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for updating the kernel can be found in the official Linux kernel documentation.
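The failure sequence described above, as an added userspace model in C (not kernel code and not the upstream patch): cleanup clears the global table pointer, and registration refuses to run when the core never initialized. Every function and type name below is hypothetical, and the NULL-and-check approach is an assumed mitigation pattern for this bug class.

```c
/* Userspace model of the pattern; every name here is hypothetical. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define BUCKETS 16
#define BUCKET(s) ((unsigned char)(s)[0] % BUCKETS)

struct helper { const char *name; struct helper *next; };
/* Stands in for the global hash map that the failed-init cleanup frees. */
static struct helper **helper_hash;

void ct_cleanup(void)
{
    free(helper_hash);
    helper_hash = NULL; /* omit this and the global dangles after a failed init */
}

/* fail_late models a later init step failing after the table was allocated. */
int ct_init(int fail_late)
{
    helper_hash = calloc(BUCKETS, sizeof(*helper_hash));
    if (!helper_hash)
        return -ENOMEM;
    if (fail_late) {
        ct_cleanup();
        return -EINVAL;
    }
    return 0;
}

/* Called by separately loaded modules, whether or not init succeeded. */
int helper_register(struct helper *h)
{
    if (!helper_hash)
        return -ENOENT; /* core never came up: refuse, do not touch the table */
    h->next = helper_hash[BUCKET(h->name)];
    helper_hash[BUCKET(h->name)] = h;
    return 0;
}

int helper_is_registered(const char *name)
{
    struct helper *h = helper_hash ? helper_hash[BUCKET(name)] : NULL;
    for (; h; h = h->next)
        if (strcmp(h->name, name) == 0)
            return 1;
    return 0;
}
```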