Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's netfilter component, specifically within the nft_ct module. Packets enqueued in nfqueue can hold references to connection tracking (conntrack) objects; if those objects are removed while the packets are still queued, the references become stale. This is particularly relevant for the templates that define the conntrack zone, as well as for conntrack timeout policies and helpers. To address this, the kernel now drops enqueued packets when such objects are removed, so that removing conntrack-related objects no longer leaves invalid references behind.
The vulnerability could lead to improper handling of network packets, because queued packets may be left holding stale references to conntrack objects. This could disrupt normal network processing and cause unexpected behavior in applications relying on netfilter's connection tracking.
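For triage, an added example (not part of this advisory or of kernel code) that inventories an `nft list ruleset` dump for the combination described above: rules that send packets to nfqueue alongside nft_ct zone templates, timeout policies or helpers. The patterns are line-based heuristics and the sample ruleset is constructed; a hit means the ruleset uses the affected features, not that the running kernel is unpatched.

```python
import re

# Line-based heuristics for `nft list ruleset` text output (assumed input format).
PATTERNS = {
    "nfqueue": re.compile(r"\bqueue\b(\s+(num|to|flags)\b|\s*$)"),
    "ct_zone_template": re.compile(r"\bct\s+zone\s+set\b"),
    "ct_timeout": re.compile(r"\bct\s+timeout\s+(set\b|\S+\s*\{)"),
    "ct_helper": re.compile(r"\bct\s+helper\s+(set\b|\S+\s*\{)"),
}

# Constructed sample ruleset (not from the page).
SAMPLE_RULESET = """\
table inet filter {
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }
    ct timeout short-tcp {
        protocol tcp
        policy = { established : 120 }
    }
    chain pre {
        type filter hook prerouting priority raw; policy accept;
        iifname "eth1" ct zone set 7
        tcp dport 21 ct helper set "ftp-standard"
    }
    chain fwd {
        type filter hook forward priority filter; policy accept;
        tcp dport 80 queue flags bypass to 0
    }
}
"""

def inventory(ruleset_text):
    """Return {category: [(line_no, stripped_line), ...]} for every pattern hit."""
    hits = {name: [] for name in PATTERNS}
    for no, line in enumerate(ruleset_text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits[name].append((no, line.strip()))
    return hits

def combination_present(hits):
    """True when nfqueue rules and removable nft_ct objects coexist in the ruleset."""
    ct_objects = hits["ct_zone_template"] or hits["ct_timeout"] or hits["ct_helper"]
    return bool(hits["nfqueue"]) and bool(ct_objects)

if __name__ == "__main__":
    found = inventory(SAMPLE_RULESET)
    print(found, "review needed:", combination_present(found))
```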