Linux Kernel Netfilter nf_tables Catchall Element Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically within the nf_tables subsystem, has been addressed. The issue arose during transaction processing, where multiple catchall elements could exist at the same time: one live and one pending. When the map containing these elements was being removed, all catchall elements had to be toggled, not just the first one. Failing to do so resulted in a kernel warning and a stack trace pointing at the nf_tables data release path.

Impact

The vulnerability could lead to improper handling of catchall elements, potentially causing warnings and disrupting normal nf_tables operations.

Reproduction

The vulnerability can be reproduced by creating a scenario where a map holding catchall elements is being removed while there are live and pending catchall elements. This will trigger the warning and stack trace that indicate the vulnerability.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Mar 20, 2026, 9:18 AM
Updated: Mar 20, 2026, 9:18 AM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          9.0
impact          0.6
exploitability  3.4
remediation     7.7
relevance       4.2
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.