Linux Kernel Netfilter Bridge Component Conntrack Confirmation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's netfilter bridge component, specifically in the br_netfilter local input handling function, br_nf_local_in(). The issue arises when a broadcast packet is sent to a tap device that has been added to a bridge, which prompts br_nf_local_in() to confirm the packet's conntrack entry. If another conntrack entry with the same hash is then inserted into the conntrack hash table (for example, by a regular packet arriving on a non-bridge device), the kernel emits a warning. The root cause is that br_nf_local_in() does not correctly manage conntrack entries, particularly after confirmation, so a hash collision with a later entry produces the warning.

Impact

Triggering this vulnerability produces misleading kernel warnings about conntrack handling. Such spurious warnings can obscure the detection of genuine conntrack problems or lead operators to draw incorrect conclusions about how network traffic is being tracked.

Reproduction

To reproduce this vulnerability, send a broadcast packet to a tap device that is part of a bridge; br_nf_local_in() then confirms the corresponding conntrack entry. Next, cause another conntrack entry with the same hash value to be added to the hash table, which can be done by sending a normal packet to a non-bridge device. The resulting hash collision triggers the warning about the conntrack confirmation issue.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to a kernel version that includes the fix.

Added: Oct 1, 2025, 8:50 AM
Updated: Oct 1, 2025, 8:50 AM

Vulnerability Rating

Custom Algorithm

spread:         9.0
impact:         2.5
exploitability: 5.7
remediation:    7.7
relevance:      0.7
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.