Linux Kernel Netfilter nf_tables Inverted genmask Check Vulnerability Leading to Privilege Escalation

Vulnerability

A vulnerability has been identified in the nf_tables subsystem of the Linux kernel's netfilter component. The element activity check in nft_map_catchall_activate() is inverted relative to its non-catch-all counterpart, nft_mapelem_activate(). The latter runs on the transaction abort path and skips elements that are still active in the next generation, so that only the deactivations made by the aborted transaction are undone; the catch-all variant applies the opposite test, skipping the element the transaction deactivated and processing elements that were never deactivated. The flaw is reachable on kernels built with user namespaces (CONFIG_USER_NS) and nftables (CONFIG_NF_TABLES) on which unprivileged users may create user namespaces, because a user namespace grants CAP_NET_ADMIN over a network namespace it owns and therefore access to the nf_tables netlink interface. It allows local privilege escalation from an unprivileged user.

Impact

Successful exploitation yields local privilege escalation: an unprivileged user who can create a user namespace and reach the nf_tables interface on an affected distribution can escalate to higher privileges without any pre-existing capability in the initial namespace.

Reproduction

The vulnerable path is reached by an unprivileged user who creates a user namespace (together with a network namespace owned by it) and then manages nftables from inside that namespace. When a transaction that deactivates a map's catch-all element is aborted, nft_map_catchall_activate() runs to undo the change; because its activity test is inverted, it leaves the deactivated element untouched and instead processes elements that are still active. That incorrect handling is what an attacker builds on to escalate privileges.
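As an added illustration that is not part of this advisory or of the kernel source, the following user-space C model reproduces the generation-mask bookkeeping behind the check described in the Vulnerability and Reproduction sections. The two GENMASK macros and the active test mirror the definitions in include/net/netfilter/nf_tables.h; the struct layout, the activate_calls counter, the two-element scenario and the element names are constructed for this example only. It runs the same aborted transaction through the check nft_mapelem_activate() uses and through the inverted check, so the difference in which element gets processed is visible.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Generation masks, as in include/net/netfilter/nf_tables.h: a set bit in an
 * element's genmask means "not active in that generation". With gencursor 0,
 * the current generation is bit 0 and the next one is bit 1. */
#define GENMASK_CUR(cursor)  (1u << (cursor))
#define GENMASK_NEXT(cursor) (1u << !(cursor))

/* Simplified stand-in for an element's nft_set_ext (assumption: only the
 * fields this model needs). */
struct elem {
    const char *name;
    unsigned char genmask;
    int activate_calls;   /* times the activate helper processed this element */
};

/* nft_set_elem_active(): is the element active in the generation genmask selects? */
static bool elem_active(const struct elem *e, unsigned genmask)
{
    return !(e->genmask & genmask);
}

/* nft_deactivate_next(): the element disappears in the next generation. */
static void deactivate_next(struct elem *e, unsigned cursor)
{
    e->genmask = GENMASK_NEXT(cursor);
}

/* nft_clear(): drop the pending "inactive in next generation" bit. */
static void clear_next(struct elem *e, unsigned cursor)
{
    e->genmask &= ~GENMASK_NEXT(cursor);
}

/* Abort-path activate over a list of candidate elements. skip_active == true
 * mirrors nft_mapelem_activate(): skip elements still active in the next
 * generation and re-activate the rest. skip_active == false is the inverted
 * test described in the advisory. Returns how many elements were processed. */
static int map_activate(struct elem *els, int n, unsigned cursor, bool skip_active)
{
    unsigned next = GENMASK_NEXT(cursor);
    int touched = 0;

    for (int i = 0; i < n; i++) {
        bool active_next = elem_active(&els[i], next);
        if (active_next == skip_active)
            continue;
        clear_next(&els[i], cursor);   /* no-op if the element was never deactivated */
        els[i].activate_calls++;       /* stands in for nft_setelem_data_activate() */
        touched++;
    }
    return touched;
}

/* Constructed scenario: A is the live catch-all element (active in both
 * generations); B was added by the same transaction, so it is active only in
 * the next generation (nft_activate_next() sets genmask to the current bit).
 * The transaction deactivates A and is then aborted. Fills out[] with the
 * final states and returns the number of elements the helper processed. */
int run_abort_scenario(bool inverted, struct elem out[2])
{
    const unsigned cursor = 0;
    struct elem els[2] = {
        { "catchall-A", 0, 0 },                 /* active now and next */
        { "new-B", GENMASK_CUR(cursor), 0 },    /* inactive now, active next */
    };

    deactivate_next(&els[0], cursor);
    int touched = map_activate(els, 2, cursor, !inverted);

    memcpy(out, els, sizeof(els));
    return touched;
}

/* Accessors for checking the outcome without holding the array yourself. */
int scenario_genmask(bool inverted, int idx)
{
    struct elem r[2];
    run_abort_scenario(inverted, r);
    return r[idx].genmask;
}

int scenario_calls(bool inverted, int idx)
{
    struct elem r[2];
    run_abort_scenario(inverted, r);
    return r[idx].activate_calls;
}

int main(void)
{
    struct elem r[2];
    for (int inv = 0; inv < 2; inv++) {
        run_abort_scenario(inv != 0, r);
        printf("%s check:\n", inv ? "inverted" : "correct");
        for (int i = 0; i < 2; i++)
            printf("  %-10s genmask=%u active_next=%d activate_calls=%d\n",
                   r[i].name, (unsigned)r[i].genmask,
                   elem_active(&r[i], GENMASK_NEXT(0)), r[i].activate_calls);
    }
    return 0;
}
```

With the correct check, A returns to genmask 0 (active again) and B is left alone. With the inverted check, A stays deactivated and the activate helper is applied to B, an element that was never deactivated, which is the "processes active elements instead of skipping them" behaviour the advisory describes.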

Remediation

Upgrade to a kernel release that contains the fix for nft_map_catchall_activate(). Distribution vendors backport netfilter fixes to their stable kernels, so apply the distribution's kernel update and reboot rather than building from source where possible; confirm the running version with uname -r against the vendor's changelog. Until the update is installed, the attack surface can be reduced by disallowing unprivileged user namespace creation (for example, sysctl user.max_user_namespaces=0 on mainline kernels, or distribution-specific knobs such as kernel.unprivileged_userns_clone=0 on Debian-derived kernels), with the caveat that this breaks rootless containers and browser sandboxes that rely on user namespaces.

Added: Feb 13, 2026, 2:34 PM
Updated: Feb 13, 2026, 2:34 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          7.5
  exploitability  3.7
  remediation     7.7
  relevance       2.8
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.