Linux Kernel act_ct Binding Vulnerability in Egress Qdiscs

Vulnerability

A vulnerability in the Linux kernel's traffic control (net/sched) subsystem allows the act_ct component to be improperly bound to egress queuing disciplines (qdiscs). This issue arises because act_ct was not intended for egress use, yet some users are attaching it there. The vulnerability can lead to a use-after-free condition when packets, classified as 'consumed' by the defragmentation engine, are reprocessed later, potentially causing memory corruption.

Impact

The vulnerability can cause a use-after-free condition, leading to memory corruption.

Reproduction

To reproduce this vulnerability, attach the act_ct component to an egress qdisc. This can be done by configuring a traffic control filter that uses act_ct on a network interface's egress path. act_ct is then bound somewhere it was not intended to be used.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
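To find hosts that already have act_ct attached on the egress path before scheduling the upgrade, the following check parses tc filter listings and reports every filter carrying a ct action. It is an added example, not code from this advisory or from the kernel project. It assumes iproute2's JSON output (`tc -j filter show dev <dev> egress`) lists actions under options.actions with a kind field; the sample listing is constructed and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `tc -j filter show dev eth0 egress` output.
# Assumption: iproute2's JSON layout, with actions under options.actions[].kind.
SAMPLE_TC_JSON = """[
 {"protocol": "ip", "pref": 10, "kind": "flower", "chain": 0},
 {"protocol": "ip", "pref": 10, "kind": "flower", "chain": 0,
  "options": {"handle": 1, "keys": {"eth_type": "ipv4"}, "actions": [
    {"order": 1, "kind": "ct", "zone": 1, "control_action": {"type": "pipe"}},
    {"order": 2, "kind": "gact", "control_action": {"type": "pass"}}]}},
 {"protocol": "all", "pref": 20, "kind": "matchall", "chain": 0,
  "options": {"handle": 1, "actions": [
    {"order": 1, "kind": "mirred", "to_dev": "eth1"}]}}
]"""


def find_ct_filters(tc_json_text):
    """Return one finding per filter that carries an act_ct ("ct") action."""
    findings = []
    for entry in json.loads(tc_json_text.strip() or "[]"):
        options = entry.get("options") if isinstance(entry, dict) else None
        if not isinstance(options, dict):
            continue  # header-only entry: no action list to inspect
        ct_orders = [a.get("order") for a in options.get("actions") or []
                     if isinstance(a, dict) and a.get("kind") == "ct"]
        if ct_orders:
            findings.append({"protocol": entry.get("protocol"),
                             "pref": entry.get("pref"),
                             "filter_kind": entry.get("kind"),
                             "handle": options.get("handle"),
                             "ct_action_orders": ct_orders})
    return findings


def audit_egress(outputs):
    """outputs maps (device, egress attach point) -> tc JSON text for it."""
    report = []
    for (dev, attach), text in sorted(outputs.items()):
        for f in find_ct_filters(text):
            report.append(f"{dev} {attach}: {f['filter_kind']} filter pref "
                          f"{f['pref']} handle {f['handle']} uses act_ct "
                          f"(action order {f['ct_action_orders']})")
    return report


if __name__ == "__main__":
    # Hypothetical inventory: in practice, fill from each host's tc output.
    for line in audit_egress({("eth0", "egress"): SAMPLE_TC_JSON,
                              ("eth1", "egress"): "[]"}):
        print(line)
```

Any line it reports identifies a filter to remove or move off the egress path until the host runs a fixed kernel.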

Added: Mar 18, 2026, 7:36 PM
Updated: Mar 18, 2026, 7:36 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.4
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.