Linux Kernel Conntrack Netlink Interface Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's netfilter component, specifically within the conntrack netlink interface. This issue arises in the 'ctnetlink_dump_exp_ct' function, which improperly manages references to connection tracking pointers during netlink dump operations. The vulnerability occurs because the function drops the conntrack reference too early, leading to a situation where a dereferenced pointer is accessed after it has been freed, causing a use-after-free condition. This flaw can be exploited when the netlink dump spans multiple rounds, allowing an attacker to manipulate the conntrack data and potentially execute arbitrary code.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, where a freed memory area is accessed, potentially allowing for arbitrary code execution or causing a system crash.

Reproduction

The vulnerability can be reproduced by initiating a netlink dump operation that spans multiple rounds. This can be done by sending a 'recvmsg' command that triggers the 'ctnetlink_exp_ct_dump_table' callback, which will attempt to access a conntrack pointer that has already been freed, causing a use-after-free error.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.