CVE-2024-27012
📋 TL;DR
A memory leak in the Linux kernel's netfilter nf_tables subsystem: when a transaction that deletes a set fails and is aborted, the abort path does not restore the deleted set's elements, and the kernel memory they hold is never freed. Any host running an unpatched kernel with nf_tables loaded (or loadable) is affected. Each trigger leaks a little; a local user who can submit nf_tables transactions can repeat it until kernel memory is exhausted, which is a denial of service. Leaked kernel memory is only reclaimed by a reboot.
💻 Affected Systems
- Linux kernel (nf_tables subsystem), including distribution kernels such as Fedora's (see references)
📦 What is this software?
Fedora by Fedoraproject
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can repeatedly trigger the failing set deletion drains kernel memory until allocations fail, causing instability, service outages or a crash (denial of service). Because the leak is inside the kernel, restarting services does not recover the memory; only a reboot does.
Likely Case
Under ordinary administration the leak is hit rarely, only when a set deletion is part of a transaction that aborts, so memory grows slowly and can go unnoticed for a long time.
If Mitigated
With the patched kernel the abort path frees the memory correctly. Short of patching, keeping untrusted local users from issuing nf_tables transactions removes the attacker-driven case; memory monitoring and scheduled reboots only bound the damage.
🎯 Exploit Status
Triggering the bug requires the ability to submit nf_tables netlink transactions, which means CAP_NET_ADMIN in the caller's network namespace. On kernels that allow unprivileged user namespaces (the default on most distributions), any local user can create a user namespace and obtain CAP_NET_ADMIN over a fresh network namespace inside it, so the practical requirement is local code execution, not root. The leak lives in the error-handling (abort) path that runs when a transaction containing a set deletion fails, so any batch that deletes a set and then fails reaches it. This page references no public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed by the kernel commit "netfilter: nf_tables: restore set elements when delete set fails"; both the mainline fix and its stable backport are listed in the references. Distributions ship it in their own kernel updates, so check your vendor's changelog or advisory for CVE-2024-27012 rather than a bare upstream version number.
Vendor Advisory: https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637
Restart Required: Yes. A kernel update only takes effect after booting into the new kernel, and the reboot also reclaims any memory already leaked.
Instructions:
1. Install the patched kernel package from your distribution.
2. RHEL/CentOS/Fedora: dnf update kernel (yum update kernel on older releases).
3. Ubuntu/Debian: apt update && apt upgrade (the kernel metapackage, e.g. linux-image-generic on Ubuntu, pulls in the new linux-image-* package; there is no package called just linux-image).
4. Reboot into the new kernel and confirm with uname -r.
🔧 Temporary Workarounds
Prevent nf_tables from loading (only if nothing on the host needs it)
Switching the admin tooling to iptables-legacy does not by itself remove the vulnerable code: the nf_tables module stays loadable, and the kernel autoloads it for any process that sends nf_tables netlink messages, including an attacker's. The workaround only helps if the module is also blocked from loading, e.g. with an "install nf_tables /bin/false" line in /etc/modprobe.d/ (a plain blacklist entry does not stop alias-based autoload). Before doing that, confirm that firewalld, iptables-nft and container runtimes on the host are not using nf_tables.
# Point the iptables tooling at the legacy backend, then block the nf_tables module as described above
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
Restrict who can configure nf_tables
Only processes holding CAP_NET_ADMIN in their network namespace can submit nf_tables transactions. Keep that capability with trusted administrators: strip file capabilities from binaries that do not need them, grant firewall administration through sudoers to a named group instead, and on multi-user hosts restrict unprivileged user namespaces, because a fresh user namespace hands any local user CAP_NET_ADMIN over its own network namespace.
# Find binaries that carry cap_net_admin as a file capability
getcap -r / 2>/dev/null | grep cap_net_admin
# setcap -r strips the whole file capability set of a binary; it does not take a capability name
setcap -r /path/to/application
# Or grant firewall administration through sudoers to a named group rather than a capability
🧯 If You Can't Patch
- Watch kernel slab usage (Slab and SUnreclaim in /proc/meminfo) on hosts where nf_tables rules change often, and schedule a reboot before it becomes critical; restarting services does not return memory leaked inside the kernel
- Restrict the ability to modify firewall rules to trusted users: no stray cap_net_admin file capabilities, sudoers for firewall administration, and unprivileged user namespaces disabled where the host does not need them
🔍 How to Verify
Check if Vulnerable:
The bug is reachable only if nf_tables is loaded or loadable. Check whether the module is loaded and note the running kernel: uname -r && lsmod | grep nf_tables. A kernel with nf_tables built in does not list it in lsmod; check for the /sys/module/nf_tables directory in that case. Then compare the running kernel with the version your distribution's advisory names as fixed for CVE-2024-27012.
Check Version:
uname -r
Verify Fix Applied:
uname -r must report the fixed kernel named by your distribution's advisory, and the host must have been rebooted into it (a patched kernel that is merely installed does not help). The leak itself is silent, so do not rely on the absence of log messages or on memory observations as proof; the kernel version is the check.
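A host-exposure check, added here as an example and not taken from the advisory or the kernel project, that ties the workarounds and the verification steps above together: is nf_tables loaded, can unprivileged users reach CAP_NET_ADMIN through user namespaces, and which binaries carry cap_net_admin. The check functions take their input as arguments so they can be run against captured data; gather_host() feeds them the live values. The /proc/modules and getcap output below is constructed for the example. The sysctl user.max_user_namespaces is the upstream knob (Debian and Ubuntu kernels additionally carry kernel.unprivileged_userns_clone); whether your kernel exposes it is something to confirm before relying on the verdict.

```shell
#!/bin/sh
# Added example: is this host exposed to an nf_tables bug that needs only
# CAP_NET_ADMIN to trigger? Three checks, each a pure function over text so
# they can be exercised on captured data as well as on the live host.

# --- constructed sample inputs (not captured from a real host) -----------
SAMPLE_MODULES='nf_tables 372736 9 nft_chain_nat,nft_compat, Live 0x0000000000000000
nfnetlink 20480 2 nf_tables, Live 0x0000000000000000
ext4 1048576 1 - Live 0x0000000000000000'
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/opt/agent/netprobe cap_net_admin,cap_net_raw=ep'

# True if nf_tables appears in /proc/modules text ($1). A kernel with
# nf_tables built in shows nothing here; check /sys/module/nf_tables too.
nft_loaded() {
    printf '%s\n' "$1" | grep -q '^nf_tables '
}

# True if unprivileged user namespaces are still allowed, judging from the
# value of user.max_user_namespaces ($1). An unreadable or non-numeric value
# is treated as open, which is the safe assumption.
userns_open() {
    case "$1" in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ "$1" -gt 0 ]
}

# Print the paths from `getcap -r /` output ($1) whose file capabilities
# include cap_net_admin (the path is the first field in both the
# 'path cap=ep' and the older 'path = cap+ep' layouts).
caps_with_net_admin() {
    printf '%s\n' "$1" | awk '/cap_net_admin/ { print $1 }'
}

# Print one finding per line with the remediation to apply.
# $1 = /proc/modules text, $2 = user.max_user_namespaces, $3 = getcap output
assess() {
    if nft_loaded "$1"; then
        echo "nf_tables loaded: update the kernel; if nothing needs nf_tables," \
             "block autoload with 'install nf_tables /bin/false' in /etc/modprobe.d/"
    fi
    if userns_open "$2"; then
        echo "unprivileged user namespaces allowed: local users get CAP_NET_ADMIN in" \
             "a new netns; sysctl -w user.max_user_namespaces=0 if rootless containers" \
             "and similar are not needed"
    fi
    caps_with_net_admin "$3" | while read -r path; do
        echo "cap_net_admin file capability on $path: setcap -r $path if not required"
    done
}

# Run the checks against the live host (getcap -r / needs root to see everything).
gather_host() {
    assess "$(cat /proc/modules 2>/dev/null)" \
           "$(sysctl -n user.max_user_namespaces 2>/dev/null)" \
           "$(getcap -r / 2>/dev/null)"
}

# Demo on the constructed sample: nf_tables loaded, namespaces open, one capable binary.
assess "$SAMPLE_MODULES" 15000 "$SAMPLE_GETCAP"
```

Call gather_host on a real machine; on the sample it reports three findings. Blocking nf_tables or closing user namespaces are both disruptive changes (firewalld, iptables-nft, rootless containers and some sandboxes depend on them), so treat the findings as a to-do list to review, not as commands to apply blindly.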
📡 Detection & Monitoring
Log Indicators:
- The leak itself writes nothing to the kernel log: a function name such as nft_setelem_data_deactivate would only appear in a stack trace if something else crashed in the same code, so do not wait for a kernel warning
- Slab and SUnreclaim in /proc/meminfo growing in step with firewall rule changes and never returning to baseline
- Page allocation failures or OOM-killer activity in the kernel log on hosts with heavy nf_tables churn
- With kernel auditing enabled, NETFILTER_CFG audit records with op=nft_unregister_set arriving in bursts from a process other than the firewall manager
Network Indicators:
- None on the wire: nf_tables is configured over local netlink. The indicator is unusual local rule-modification activity, e.g. nft monitor showing changes from a process other than your firewall manager
SIEM Query:
type=NETFILTER_CFG op=nft_unregister_set | stats count by pid, comm (alert on a high count from an unexpected comm), plus the resource-exhaustion symptoms: source="kernel" AND ("page allocation failure" OR "Out of memory")
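A log-scanning example, added here and not part of the advisory: it counts the NETFILTER_CFG audit records that the kernel emits for nf_tables set deletions (op=nft_unregister_set) per process and flags any process that issues a burst of them. Kernel auditing must be enabled (auditd running) for these records to exist at all. The audit lines below are constructed for the example and approximate the record layout; the caller's uid lives in the SYSCALL record that shares the same event serial, which is why the script keys on pid and comm rather than uid.

```shell
#!/bin/sh
# Added example: find processes that delete many nf_tables sets, from
# NETFILTER_CFG audit records. Feed it the output of
# `ausearch -m NETFILTER_CFG --raw` or the matching lines of audit.log.

# Constructed sample records; the layout approximates the kernel's
# NETFILTER_CFG record (table=<name>:<handle> family=<af> entries=<n> op=<op> pid=<pid> ...).
SAMPLE_AUDIT_LOG='type=NETFILTER_CFG msg=audit(1714000000.101:501): table=filter:3 family=2 entries=1 op=nft_register_set pid=4242 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1714000000.102:502): table=filter:3 family=2 entries=1 op=nft_unregister_set pid=4242 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1714000000.103:503): table=filter:3 family=2 entries=1 op=nft_register_set pid=4242 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1714000000.104:504): table=filter:3 family=2 entries=1 op=nft_unregister_set pid=4242 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1714000000.105:505): table=filter:3 family=2 entries=1 op=nft_unregister_set pid=4242 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1714000000.200:506): table=filter:3 family=2 entries=1 op=nft_unregister_set pid=1337 subj=unconfined comm="firewalld"
type=NETFILTER_CFG msg=audit(1714000000.201:507): table=filter:3 family=2 entries=4 op=nft_register_rule pid=1337 subj=unconfined comm="firewalld"'

# Count the records that delete a set (prints 0 rather than failing when none match).
count_set_unregisters() {
    printf '%s\n' "$1" | grep -c 'type=NETFILTER_CFG .*op=nft_unregister_set' || true
}

# Print "pid comm count" for every process that deleted sets, busiest first.
set_unregisters_by_pid() {
    printf '%s\n' "$1" | awk '
        /type=NETFILTER_CFG/ && /op=nft_unregister_set/ {
            pid = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^pid=/)  pid  = substr($i, 5)
                if ($i ~ /^comm=/) comm = substr($i, 6)
            }
            count[pid " " comm]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr
}

# Print the pids that deleted at least $2 sets. One failing transaction
# leaks once, so an attacker has to repeat it: a burst from a pid that is
# not the firewall manager is the signal worth alerting on.
flag_noisy_deleters() {
    set_unregisters_by_pid "$1" | awk -v min="$2" '$3 >= min { print $1 }'
}

# Demo on the sample: pid 4242 deleted three sets, firewalld one.
set_unregisters_by_pid "$SAMPLE_AUDIT_LOG"
flag_noisy_deleters "$SAMPLE_AUDIT_LOG" 3
```

On a live host pipe ausearch output into the functions and tune the threshold to your firewall manager's normal churn (firewalld and nftables reloads legitimately delete sets). For real-time watching, nft monitor prints the same delete events as they happen, but it does not tell you which process caused them; the audit records do.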
🔗 References
- https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637
- https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/