Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability exists in the Linux kernel's netfilter component, specifically in the xt_CT target module (the iptables CT target). xt_CT attaches a connection tracking template to packets matched by a rule; the template can carry a connection tracking helper (for example the FTP helper) or a named timeout policy, both of which are provided by separately loadable modules. Packets that have been queued for later processing keep referencing that template. If the template rule is deleted while such packets are still queued, the packets are left pending against a template that no longer exists, and the helper or timeout module behind it can be unloaded automatically under certain conditions while those packets are still outstanding. Several Linux kernel versions are affected. The fix adds a flush of the pending packets when a template is removed, so that no packet remains queued against a deleted template.
Packets caught in this state can be handled incorrectly or dropped, which disrupts traffic passing through the affected queue and any application that depends on those flows being processed consistently.
The condition can be reproduced in three steps: install an xt_CT template rule that references a connection tracking helper or a timeout policy; arrange for matching packets to be queued for processing (for example by a rule that hands them to a userspace queue whose consumer has not yet returned a verdict); then delete the template rule while those packets are still queued. Only templates that carry a helper or a timeout policy are of interest, because those are the ones backed by a module that can be removed from under the queued packets.
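As an added example, not taken from this advisory and not kernel or netfilter project code, the POSIX shell harness below does two things: it audits an iptables-save dump for the precondition described above (an xt_CT rule with --helper or --timeout alongside an NFQUEUE rule that can hold packets), and it prints, or with APPLY=1 runs, the rule sequence for the reproduction. The embedded rulesets are constructed samples; the policy name ftp-policy, queue number 0 and the choice of NFQUEUE as the queuing mechanism are assumptions, and the nfct syntax follows conntrack-tools.

```shell
#!/bin/sh
# Hypothetical harness: audit an iptables-save dump for the xt_CT template/queue
# precondition, and print (or with APPLY=1 run) the reproduction rule sequence.

# Constructed sample of `iptables-save` output; not captured from any real host.
SAMPLE_RULESET='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 5060 -j CT --timeout sip-policy
-A PREROUTING -p tcp -m tcp --dport 22 -j CT --notrack
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 21 -j NFQUEUE --queue-num 0
-A FORWARD -j ACCEPT
COMMIT'

# Constructed counter-example: same templates, but nothing queues packets.
CLEAR_RULESET='*raw
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
-A INPUT -j ACCEPT
COMMIT'

# Rules that install a conntrack template backed by a helper or a timeout policy,
# i.e. the xt_CT rules the advisory singles out. Plain --notrack templates are excluded.
ct_template_rules() {
    printf '%s\n' "$1" | grep -E -- '-j CT .*--(helper|timeout) ' || true
}

# Rules that hand packets to userspace via NFQUEUE (assumed queuing mechanism), where
# a packet can sit pending while it still references a template.
nfqueue_rules() {
    printf '%s\n' "$1" | grep -E -- '-j NFQUEUE' || true
}

# Returns 0 when both kinds of rule are present (the precondition), 1 otherwise.
precondition_present() {
    [ -n "$(ct_template_rules "$1")" ] && [ -n "$(nfqueue_rules "$1")" ]
}

# One-word verdict for a ruleset: "at-risk" or "clear".
audit_ruleset() {
    if precondition_present "$1"; then echo at-risk; else echo clear; fi
}

# Execute a command when APPLY=1; otherwise print it (dry run, the default).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Reproduction setup: a timeout policy (nfct syntax per conntrack-tools, name assumed),
# one xt_CT template rule using both a helper and that policy, and an NFQUEUE rule
# that keeps matching packets pending until a userspace consumer issues a verdict.
repro_setup() {
    run nfct timeout add ftp-policy inet tcp established 120 close 10
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp --timeout ftp-policy
    run iptables -A INPUT -p tcp --dport 21 -j NFQUEUE --queue-num 0
}

# The trigger: delete the template rule first, while packets are still held in queue 0,
# then tear down the rest.
repro_remove_template() {
    run iptables -t raw -D PREROUTING -p tcp --dport 21 -j CT --helper ftp --timeout ftp-policy
    run iptables -D INPUT -p tcp --dport 21 -j NFQUEUE --queue-num 0
    run nfct timeout delete ftp-policy
}

# Stand-alone demo: audit both constructed samples, then print the dry-run sequence.
audit_ruleset "$SAMPLE_RULESET"
audit_ruleset "$CLEAR_RULESET"
repro_setup
repro_remove_template
```

Run as-is the script only prints; set APPLY=1 only on a disposable test machine with root. Packets stay queued only while a consumer bound to queue 0 has not yet returned a verdict, so a consumer that deliberately delays its verdicts is needed (not included here), and the FTP traffic has to arrive from a peer host: packets generated locally already carry a conntrack entry when they reach PREROUTING, and the CT target skips packets that are already tracked.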
Update to a Linux kernel release that includes the fix, or to a distribution kernel that backports it. Instructions for updating the kernel can be found in the official Linux kernel documentation.