Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's netfilter component, specifically within the ctnetlink code paths, has been addressed. This issue involved improper manual range and mask validations that could lead to undefined behavior. The vulnerability allowed values outside the acceptable range to be processed, particularly in TCP connection tracking, which could disrupt normal operations. The netlink core has been updated to reject invalid values early and generate appropriate error messages. This vulnerability affects several versions of the Linux kernel.
The vulnerability could cause undefined behavior in TCP connection tracking by allowing out-of-range values to be processed, potentially leading to incorrect state management or other unintended consequences.
The vulnerability can be reproduced by sending netlink messages to the ctnetlink interface that include TCP connection tracking information. On an affected kernel, if the messages contain values that exceed the defined limits, such as TCP states or window scales, the netlink core does not reject these invalid values, leading to undefined behavior.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.
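The early-rejection behavior described above, as an added userspace sketch that is not the kernel's code: every attribute is checked against a per-attribute maximum before any value is committed. The attribute ids, function names and the state limit of 9 are assumptions made for this example; the window-scale limit of 14 is the RFC 7323 maximum.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical attribute ids and limits (assumptions for this example). */
enum { A_TCP_STATE = 1, A_WSCALE_ORIG, A_WSCALE_REPLY, A_MAX = A_WSCALE_REPLY };
static const uint8_t policy_max[A_MAX + 1] = {
    [A_TCP_STATE] = 9,                            /* assumed highest valid state index */
    [A_WSCALE_ORIG] = 14, [A_WSCALE_REPLY] = 14   /* RFC 7323 maximum window shift */
};
/* Netlink-style TLV header: len covers header + payload, attributes are 4-byte aligned. */
struct attr_hdr { uint16_t len, type; };
#define ATTR_ALIGN(n) (((size_t)(n) + 3) & ~(size_t)3)
/* Build one u8 attribute at buf+off (constructed sample input); returns the next offset. */
size_t put_u8_attr(uint8_t *buf, size_t off, uint16_t type, uint8_t v)
{
    struct attr_hdr h = { (uint16_t)(sizeof(struct attr_hdr) + 1), type };
    memcpy(buf + off, &h, sizeof(h));
    buf[off + sizeof(h)] = v;
    return off + ATTR_ALIGN(sizeof(h) + 1);
}

/* Validate every attribute against the policy before committing any value to out[]. */
int parse_tcp_attrs(const uint8_t *buf, size_t len, uint8_t out[A_MAX + 1], int *bad_type)
{
    uint8_t staged[A_MAX + 1] = {0};
    struct attr_hdr h = {0, 0};
    for (size_t off = 0; off < len; off += ATTR_ALIGN(h.len)) {
        if (len - off < sizeof(h)) return -EINVAL;            /* truncated header */
        memcpy(&h, buf + off, sizeof(h));
        if (h.len < sizeof(h) || h.len > len - off) return -EINVAL;
        if (h.type < 1 || h.type > A_MAX) continue;           /* unknown type: skip */
        if (h.len != sizeof(h) + 1) return -EINVAL;           /* must carry one u8 */
        uint8_t v = buf[off + sizeof(h)];
        if (v > policy_max[h.type]) { *bad_type = h.type; return -ERANGE; }
        staged[h.type] = v;
    }
    memcpy(out, staged, sizeof(staged));   /* commit only after all checks pass */
    return 0;
}

int main(void)
{
    uint8_t msg[8] = {0}, out[A_MAX + 1];
    int bad = 0, rc = parse_tcp_attrs(msg, put_u8_attr(msg, 0, A_WSCALE_ORIG, 15), out, &bad);
    printf("rc=%d bad_type=%d\n", rc, bad);
    return 0;
}
```

Because values are staged and copied out only on success, a rejected message leaves the caller's state untouched.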