Linux Kernel nf_tables Immediate NF_QUEUE Verdict Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically within the nf_tables subsystem, has been addressed. The issue was the improper handling of immediate NF_QUEUE verdicts. The user-space nftables tools never emit such verdicts, but a ruleset could still set one, including in the arp family, which has no queue support. The vulnerability has been resolved by rejecting immediate NF_QUEUE verdicts globally, for every family.

Impact

The vulnerability could lead to unexpected behavior in network packet processing, particularly for ARP traffic, because an immediate NF_QUEUE verdict could be applied in a family where queueing is not supported.

Reproduction

The vulnerability can be reproduced by configuring nftables to use the NF_QUEUE verdict delivery method. Although the ARP family does not support queuing, it can still receive immediate NF_QUEUE verdicts, demonstrating the vulnerability.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.
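The mitigation described above amounts to validating the verdict code of an immediate expression before the rule is accepted. The following is an added, stand-alone user-space model of such a check, written for this page; it is not the kernel's patch. The constant values mirror the uapi netfilter headers, the function name `immediate_verdict_check` is hypothetical, and the errno choices are an assumption.

```c
#include <errno.h>
#include <stdint.h>

/* Values mirror include/uapi/linux/netfilter.h and nf_tables.h. */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_STOLEN        2
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ffu  /* low byte carries the verdict */
#define NF_VERDICT_QBITS 16           /* upper 16 bits carry the queue number */

#define NFT_CONTINUE (-1)
#define NFT_BREAK    (-2)
#define NFT_JUMP     (-3)
#define NFT_GOTO     (-4)
#define NFT_RETURN   (-5)

/* Build an NF_QUEUE verdict carrying a queue number (constructed test input). */
uint32_t nf_queue_verdict(uint16_t queue_num)
{
    return NF_QUEUE | ((uint32_t)queue_num << NF_VERDICT_QBITS);
}

/*
 * Hypothetical model of an immediate-verdict validator: returns 0 when the
 * verdict may be used in an immediate expression, a negative errno otherwise.
 * NF_QUEUE is refused regardless of family or queue number, which is the
 * "reject globally" approach the advisory describes.
 */
int immediate_verdict_check(uint32_t code)
{
    /* nf_tables-internal verdicts are negative and carry no parameter bits. */
    switch ((int32_t)code) {
    case NFT_CONTINUE: case NFT_BREAK: case NFT_JUMP:
    case NFT_GOTO:     case NFT_RETURN:
        return 0;
    }
    switch (code & NF_VERDICT_MASK) {
    case NF_QUEUE:
        return -EOPNOTSUPP;            /* never allowed as an immediate verdict */
    case NF_ACCEPT:
    case NF_DROP:
        /* Plain accept/drop only: stray parameter bits are an error. */
        return (code & ~NF_VERDICT_MASK) ? -EINVAL : 0;
    default:
        return -EINVAL;                /* NF_STOLEN, NF_REPEAT, unknown codes */
    }
}
```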

Added: May 1, 2026, 3:49 PM
Updated: May 1, 2026, 3:49 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.8
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.