CVE-2024-39504
📋 TL;DR
This CVE describes a NULL pointer dereference vulnerability in the Linux kernel's netfilter nft_inner component. Attackers can trigger a kernel crash (denial of service) by sending specially crafted netlink messages that lack mandatory attributes. Systems running vulnerable Linux kernel versions with netfilter enabled are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially requiring physical or remote console access to reboot.
Likely Case
Local denial of service through kernel crash, requiring reboot to restore functionality.
If Mitigated
Minimal impact if proper access controls prevent unprivileged users from sending netlink messages to the kernel.
🎯 Exploit Status
Exploitation requires the ability to send netlink messages to the kernel, which typically requires the CAP_NET_ADMIN capability or root access. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 39323f54cad29602917848346c71b087da92a19d, b30669fdea0ca03aa22995e6c99f7e7d9dee89ff, c4ab9da85b9df3692f861512fe6c9812f38b7471
Vendor Advisory: https://git.kernel.org/stable/c/39323f54cad29602917848346c71b087da92a19d
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. Check distribution-specific security advisories for patched kernel packages.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Disable nftables
Remove the nftables module to disable the vulnerable functionality:
modprobe -r nf_tables
echo 'blacklist nf_tables' >> /etc/modprobe.d/blacklist.conf
Restrict netlink access
Limit which users/processes can send netlink messages via capability restrictions (setcap -r removes the binary's file capability set, including cap_net_admin):
setcap -r /path/to/binary
Use SELinux/AppArmor to restrict netlink socket access
🧯 If You Can't Patch
- Implement strict access controls to prevent unprivileged users from obtaining CAP_NET_ADMIN capability
- Monitor for kernel panic/crash events and implement automated recovery procedures
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether the nftables module is loaded (anchored match so nf_tables_set and similar modules are not mistaken for it): lsmod | grep '^nf_tables ' && uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel was built from a tree containing the fix commits. This needs a checkout of the kernel source, and the full commit IDs must be matched against full hashes (git log --oneline prints abbreviated hashes, so it will never match them): git log --format=%H | grep -E '39323f54cad29602917848346c71b087da92a19d|b30669fdea0ca03aa22995e6c99f7e7d9dee89ff|c4ab9da85b9df3692f861512fe6c9812f38b7471'
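The workaround and verification steps above can be turned into a repeatable host check. The script below is an added example, not from the advisory or the kernel project. It parses lsmod output to report whether nf_tables is loaded and whether it is in use (an in-use module cannot be removed with modprobe -r, and unloading it drops the active ruleset), and, when a checkout of the kernel source is available, asks git whether each fix commit is an ancestor of HEAD. The parsing functions take their input as arguments so they can be exercised on captured output; the kernel source path passed as the second argument is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory: host-side checks for CVE-2024-39504.
# Pure functions take text as arguments; live commands run only under "run".

# nft_loaded LSMOD_OUTPUT: succeed if the nf_tables module is loaded.
# Anchored match so nf_tables_set and friends are not mistaken for it.
nft_loaded() {
    printf '%s\n' "$1" | grep -q '^nf_tables[[:space:]]'
}

# nft_refcount LSMOD_OUTPUT: print the "Used by" count of nf_tables (0 if not loaded).
nft_refcount() {
    printf '%s\n' "$1" | awk '$1 == "nf_tables" { print $3; found = 1 }
                               END { if (!found) print 0 }'
}

# nft_unload_safe LSMOD_OUTPUT: succeed only if nf_tables is loaded and unused,
# i.e. "modprobe -r nf_tables" would succeed and no active ruleset is dropped.
nft_unload_safe() {
    nft_loaded "$1" && [ "$(nft_refcount "$1")" -eq 0 ]
}

# fix_present KERNEL_SRC COMMIT: succeed if COMMIT is an ancestor of HEAD in the
# kernel git tree at KERNEL_SRC (assumed: a checkout of the running kernel's source).
fix_present() {
    git -C "$1" merge-base --is-ancestor "$2" HEAD 2>/dev/null
}

# Fix commits as listed in the advisory.
FIX_COMMITS='39323f54cad29602917848346c71b087da92a19d
b30669fdea0ca03aa22995e6c99f7e7d9dee89ff
c4ab9da85b9df3692f861512fe6c9812f38b7471'

# Live checks against this host: sh check_nft_inner.sh run [/path/to/linux]
if [ "${1:-}" = run ]; then
    lsmod_out=$(lsmod)
    if nft_loaded "$lsmod_out"; then
        echo "nf_tables loaded on $(uname -r), used by $(nft_refcount "$lsmod_out") module(s)"
        if nft_unload_safe "$lsmod_out"; then
            echo "modprobe -r nf_tables would succeed (module idle)"
        else
            echo "nf_tables in use: unloading drops the live firewall; review 'nft list ruleset' first"
        fi
    else
        echo "nf_tables not loaded on $(uname -r)"
    fi
    if [ -n "${2:-}" ]; then
        for c in $FIX_COMMITS; do
            if fix_present "$2" "$c"; then echo "fix $c: present"; else echo "fix $c: MISSING"; fi
        done
    fi
fi
```

The git check only applies to kernels built from an upstream or stable tree: distribution kernels backport fixes without carrying the upstream hashes, so for those the vendor advisory and package changelog are the source of truth. When assessing the CAP_NET_ADMIN precondition, also note that where unprivileged user namespaces are enabled (upstream knob: the user.max_user_namespaces sysctl), an unprivileged process can hold CAP_NET_ADMIN inside its own network namespace, so "root or CAP_NET_ADMIN required" is a weaker barrier than it sounds on such hosts.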
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- System crash/reboot events
- Netlink error messages related to nft_inner
Network Indicators:
- Unusual netlink socket activity from non-privileged processes
SIEM Query:
source="kernel" AND ("kernel panic" OR "Oops" OR "NULL pointer dereference") AND "nft"
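The SIEM query above ANDs the crash keywords with "nft", which works only if the collector has already merged the oops into one record: in raw dmesg or journal output an oops spans many lines, and the "NULL pointer dereference" line never shares a line with the nft_ frame in the stack trace. The following is an added example, not from the advisory, of a windowed detector in shell/awk that raises one alert when a crash trigger line is followed within a few dozen lines by a stack frame in nft_ or nf_tables_ code. It is run over a constructed dmesg excerpt whose symbol names and offsets are made up for the demonstration, not taken from a real crash.

```shell
#!/bin/sh
# Added example, not from the advisory: a windowed oops detector for netfilter
# crashes that works on raw kernel log lines, where a per-line AND cannot.

# detect_nft_oops [WINDOW] < LOGLINES
# Emits "ALERT: <trigger line> :: <frame line>" once per oops whose trigger line
# (NULL deref / Oops / Kernel panic) is followed within WINDOW lines (default 40)
# by a stack frame of the form nft_xxx+0x.. or nf_tables_xxx+0x.. .
detect_nft_oops() {
    awk -v window="${1:-40}" '
        /kernel NULL pointer dereference|Oops:|Kernel panic/ {
            trigger = NR; trigline = $0; reported = 0; next
        }
        trigger && (NR - trigger) > window { trigger = 0 }
        trigger && !reported && /(nft_|nf_tables_)[A-Za-z0-9_]*[+]0x/ {
            reported = 1
            print "ALERT: " trigline " :: " $0
        }
    '
}

# count_nft_alerts [WINDOW] < LOGLINES: number of alerts, for scripting.
count_nft_alerts() {
    detect_nft_oops "$@" | grep -c '^ALERT' || true
}

# Constructed dmesg excerpt (not from a real crash; symbol names and offsets are
# made up): one oops in nft code, one unrelated oops, one harmless nft message.
SAMPLE_DMESG='[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  101.000002] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  101.000003] RIP: 0010:nft_inner_init+0x1a/0x2c0 [nf_tables]
[  101.000004] Call Trace:
[  101.000005]  nf_tables_newexpr+0x4b/0x1f0 [nf_tables]
[  101.000006]  nfnetlink_rcv_batch+0x2ac/0x6d0 [nfnetlink]
[  101.000007] Kernel panic - not syncing: Fatal exception in interrupt
[  250.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  250.000002] Oops: 0000 [#2] PREEMPT SMP NOPTI
[  250.000003] RIP: 0010:ext4_file_open+0x22/0x1a0
[  300.000001] nf_tables: table inet filter loaded'

# Demo on the constructed sample; on a live host pipe in the kernel log instead:
#   dmesg | detect_nft_oops        or        journalctl -k --no-pager | detect_nft_oops
printf '%s\n' "$SAMPLE_DMESG" | detect_nft_oops
```

On the sample this yields exactly one alert (the nft oops), while the ext4 oops and the informational nf_tables line stay silent; the window keeps a later, unrelated nft frame from being attributed to an old trigger. Because a crash that actually panics the host may never reach the local log, ship kernel messages to a remote collector (netconsole or a syslog forwarder) if this detection is to be relied on.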
🔗 References
- https://git.kernel.org/stable/c/39323f54cad29602917848346c71b087da92a19d
- https://git.kernel.org/stable/c/b30669fdea0ca03aa22995e6c99f7e7d9dee89ff
- https://git.kernel.org/stable/c/c4ab9da85b9df3692f861512fe6c9812f38b7471