Linux Kernel Netfilter nf_tables Unconditional Element Count Bump Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's netfilter component, specifically within the nf_tables subsystem. The issue arises because the set's element count is incremented unconditionally, before the capacity check, when a new element is added. If the set is already full, the new element is first published (made visible to RCU readers) and then removed again, without waiting for an RCU grace period, so a concurrent RCU reader that looked the element up in between may still hold a pointer to it after it has been freed. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability could lead to a race condition, where an RCU reader might access a set element that has been removed but not yet fully synchronized, potentially causing undefined behavior or data corruption.

Reproduction

To reproduce this vulnerability, add elements to an nf_tables set that is already at maximum capacity. Because the element count is bumped before the capacity check, the new element is published and then removed without proper synchronization, creating a race condition with any RCU reader that observed it in the meantime.
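The ordering problem described above, shown as an added user-space model rather than the kernel's own nf_tables code: a small fixed-capacity set, a "publish" that makes an element visible to readers, and an RCU reader that is simulated by copying the element pointer it found. The RCU grace period is modelled with a `freed` flag instead of real memory freeing, so the dangling-pointer condition can be observed safely. `set_add_vulnerable` bumps the count and publishes before checking capacity, then rolls back immediately; `set_add_fixed` checks capacity first and never publishes an element it will have to retract. All names, the capacity of 2 and the sample keys are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

#define SET_MAX 2                 /* constructed: capacity of the demo set */

struct elem {
    int key;
    int freed;                    /* models "memory returned to the allocator" */
};

struct set {
    unsigned int nelems;
    unsigned int max;
    struct elem *slots[SET_MAX + 1]; /* one spare slot so the buggy path can over-publish */
};

/* Make an element visible to readers (models the RCU publish step). */
static void publish(struct set *s, struct elem *e)
{
    for (unsigned int i = 0; i < SET_MAX + 1; i++) {
        if (s->slots[i] == NULL) {
            s->slots[i] = e;
            return;
        }
    }
}

/* Hide an element from new readers again (models unpublishing). */
static void unpublish(struct set *s, struct elem *e)
{
    for (unsigned int i = 0; i < SET_MAX + 1; i++)
        if (s->slots[i] == e)
            s->slots[i] = NULL;
}

/* A reader inside an RCU read-side critical section: it may keep the
 * pointer it found until the next grace period has elapsed. */
static struct elem *reader_lookup(struct set *s, int key)
{
    for (unsigned int i = 0; i < SET_MAX + 1; i++)
        if (s->slots[i] != NULL && s->slots[i]->key == key)
            return s->slots[i];
    return NULL;
}

typedef int (*add_fn)(struct set *, struct elem *, struct elem **);

/* Buggy ordering: count bumped and element published before the capacity
 * check, then retracted and "freed" with no grace period. */
static int set_add_vulnerable(struct set *s, struct elem *e, struct elem **reader_ref)
{
    s->nelems++;                          /* unconditional bump */
    publish(s, e);                        /* now visible to readers */
    *reader_ref = reader_lookup(s, e->key); /* a concurrent reader sees it here */
    if (s->nelems > s->max) {
        unpublish(s, e);
        s->nelems--;
        e->freed = 1;                     /* no synchronize_rcu: reader_ref now dangles */
        return -1;
    }
    return 0;
}

/* Fixed ordering: refuse a full set before anything becomes visible, so
 * there is never a published element that must be retracted. */
static int set_add_fixed(struct set *s, struct elem *e, struct elem **reader_ref)
{
    if (s->nelems >= s->max) {
        *reader_ref = reader_lookup(s, e->key); /* reader cannot find it: never published */
        return -1;
    }
    s->nelems++;
    publish(s, e);
    *reader_ref = reader_lookup(s, e->key);
    return 0;
}

/* Fill the set, attempt one more insert, and report whether the reader that
 * ran during that insert was left holding a freed element (1) or not (0). */
static int run_scenario(add_fn add, unsigned int *count_out)
{
    struct set s = { .nelems = 0, .max = SET_MAX, .slots = { NULL } };
    struct elem a = { 1, 0 }, b = { 2, 0 }, c = { 3, 0 }; /* constructed sample elements */
    struct elem *ref = NULL;

    add(&s, &a, &ref);
    add(&s, &b, &ref);
    add(&s, &c, &ref);                    /* set is already full here */
    if (count_out)
        *count_out = s.nelems;
    return (ref != NULL && ref->freed) ? 1 : 0;
}

int demo_vulnerable(void) { return run_scenario(set_add_vulnerable, NULL); }
int demo_fixed(void)      { return run_scenario(set_add_fixed, NULL); }

/* Element count after the over-capacity insert, for the fixed path. */
unsigned int fixed_count_after_full_add(void)
{
    unsigned int n = 0;
    run_scenario(set_add_fixed, &n);
    return n;
}

int main(void)
{
    printf("vulnerable path: reader holds freed element = %d\n", demo_vulnerable());
    printf("fixed path:      reader holds freed element = %d\n", demo_fixed());
    printf("fixed path:      element count stays at %u\n", fixed_count_after_full_add());
    return 0;
}
```

The practical lesson is the ordering: once an element has been published under RCU, retracting it requires a grace period (`synchronize_rcu` or `kfree_rcu` in the kernel) before its memory is reused, so the cheap and correct fix is to perform the capacity check before the element ever becomes visible.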

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version available in the Linux kernel stable tree, which includes the fix.

Added: Mar 20, 2026, 9:20 AM
Updated: Mar 20, 2026, 9:20 AM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           9.0
impact           5.0
exploitability   3.9
remediation      7.7
relevance        4.2
threat           4.8
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.