CVE-2024-57947

5.5 MEDIUM

📋 TL;DR

A bitmap initialisation bug in the Linux kernel's netfilter pipapo set type (nft_set_pipapo, which backs nftables sets and maps that combine a concatenated key with the interval flag) can make set lookups return incorrect matches. Before a lookup, the kernel fills a result bitmap with all-ones; the bug is that this fill was sized for the whole match rather than for the first field alone, so stale set bits could leak into the evaluation of later fields. The CVE describes the bad case as sets where the first field's size is not the largest. The effect is wrong packet-classification decisions (packets matching, or failing to match, a set they should not) on affected rulesets.

💻 Affected Systems

Products:
  • Linux kernel
Versions: The CVE text does not enumerate affected versions. The fix is carried in the stable-tree commits listed under Fix & Mitigation; consult your distribution's advisory for CVE-2024-57947 for the exact fixed package version.
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only affects systems using nftables sets or maps that the kernel backs with pipapo (a concatenated key plus the interval flag), and among those only sets where the first field's size is not the largest. Note that "field size" here is the pipapo field's internal lookup-bucket size, which the kernel grows with the number of rules stored in that field; it is not the declared width of the key component (for example 16 bits for inet_service). You therefore cannot tell from a set's type declaration alone whether it hits the bad case; treat every pipapo-backed set as potentially affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Incorrect firewall rule matching could allow unauthorized network traffic to bypass intended restrictions, potentially enabling network-based attacks or data exfiltration.

🟠

Likely Case

Inconsistent packet filtering behavior causing either unintended traffic blocking or unintended traffic allowance depending on specific nftables configuration.

🟢

If Mitigated

Minimal impact if proper network segmentation and defense-in-depth controls are implemented alongside nftables filtering.

🌐 Internet-Facing: MEDIUM - Affects firewall functionality but requires specific nftables configurations and exploitation would only affect packet filtering decisions.
🏢 Internal Only: MEDIUM - Same impact potential but within internal network boundaries.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Triggering the bug requires the target to use a pipapo-backed set whose contents put it in the bad case, and an attacker would need to know or guess which key values mis-match in that ruleset; the packets themselves need no authentication. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits: 69b6a67f7052, 77bf0c4ab928, 791a615b7ad2, 8058c88ac0df, 957a4d1c4c58)

Vendor Advisory: https://git.kernel.org/stable/c/69b6a67f7052905e928d75a0c5871de50e686986

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a patched version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the running kernel version after reboot (uname -r) against the distribution advisory.

🔧 Temporary Workarounds

Avoid pipapo-backed sets

Avoid nftables sets and maps that combine a concatenated key with the interval flag; that combination is what the kernel serves with the pipapo set type.

Review the ruleset (nft list ruleset) for such sets and maps.
Rewrite the affected matches without a concatenated interval set (for example a single-field interval set plus a separate match on the other field, or explicit rules), accepting the rule-count cost, and test the rewritten ruleset.

Because exposure depends on the pipapo fields' internal bucket sizes rather than on the declared key widths, simply reordering the concatenation is not guaranteed to avoid the bad case.

🧯 If You Can't Patch

  • Review and audit all nftables configurations for pipapo set usage patterns
  • Implement additional network security controls (IDS/IPS, segmentation) to compensate for potential filtering inconsistencies

🔍 How to Verify

Check if Vulnerable:

Check the running kernel version against your distribution's advisory for CVE-2024-57947, and inventory nftables sets and maps whose key is a concatenation and that carry the interval flag (pipapo-backed). The first-field-size condition from the CVE refers to internal bucket sizes that are not visible in the ruleset, so any such set should be treated as potentially affected.
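The inventory step above, and the ruleset review in the workaround section, can be scripted. The following is an added example, not code from the CVE, the kernel or the nftables project. It assumes the JSON layout printed by `nft -j list ruleset` (sets and maps as `"set"`/`"map"` objects under `"nftables"`, a concatenated key rendered as a list of type names, flags as a list); the sample document is constructed in that shape, not a capture, so check it against your nft version before relying on the live-host function.

```python
"""Find nftables sets/maps that the kernel backs with the pipapo set type
(concatenated key + interval flag).  Added example; not project code."""
from __future__ import annotations

import json
import subprocess

# Constructed sample in the shape of `nft -j list ruleset` output (assumption,
# not a capture).  Only the fields the audit needs are filled in.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
    # concatenated key + interval -> pipapo
    {"set": {"family": "inet", "table": "filter", "name": "svc_ranges",
             "type": ["inet_service", "ipv4_addr"], "handle": 3,
             "flags": ["interval"],
             "elem": [{"concat": [80, {"range": ["10.0.0.0", "10.0.0.255"]}]}]}},
    # single-field interval set -> not pipapo
    {"set": {"family": "inet", "table": "filter", "name": "blocklist",
             "type": "ipv4_addr", "handle": 4, "flags": ["interval"],
             "elem": [{"prefix": {"addr": "192.0.2.0", "len": 24}}]}},
    # concatenated key without interval -> not pipapo
    {"set": {"family": "inet", "table": "filter", "name": "exact_pairs",
             "type": ["ipv4_addr", "inet_service"], "handle": 5,
             "elem": [{"concat": ["10.1.1.1", 443]}]}},
    # map with a concatenated interval key -> pipapo as well
    {"map": {"family": "inet", "table": "filter", "name": "policy",
             "type": ["inet_proto", "inet_service", "ipv4_addr"],
             "map": "verdict", "handle": 6, "flags": ["interval"]}},
]})


def pipapo_candidates(nft_json: str) -> list[dict]:
    """Return every set/map whose key is a concatenation and that carries the
    'interval' flag.  Exposure to CVE-2024-57947 additionally depends on the
    pipapo fields' internal bucket sizes, which are not visible here, so all
    candidates are reported rather than ranked."""
    doc = json.loads(nft_json)
    found = []
    for obj in doc.get("nftables", []):
        for kind in ("set", "map"):
            item = obj.get(kind)
            if item is None:
                continue
            key_type = item.get("type")
            flags = item.get("flags", [])
            if isinstance(flags, str):  # tolerate a scalar flag
                flags = [flags]
            if isinstance(key_type, list) and len(key_type) > 1 and "interval" in flags:
                found.append({
                    "kind": kind,
                    "family": item.get("family"),
                    "table": item.get("table"),
                    "name": item.get("name"),
                    "key": list(key_type),
                    "elements": len(item.get("elem", [])),
                })
    return found


def audit_live_host() -> list[dict]:
    """Run nft on this host (needs root) and report pipapo-backed sets/maps."""
    out = subprocess.run(["nft", "-j", "list", "ruleset"], check=True,
                         capture_output=True, text=True).stdout
    return pipapo_candidates(out)


if __name__ == "__main__":
    for c in pipapo_candidates(SAMPLE_NFT_JSON):
        print(f"{c['kind']} {c['family']} {c['table']} {c['name']}: "
              f"key={' . '.join(c['key'])} elements={c['elements']}")
```

Run `audit_live_host()` on a firewall host to get the list to review; an empty result means the ruleset does not use pipapo-backed sets and the kernel bug cannot change its matching, whatever the kernel version.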

Check Version:

uname -r

Verify Fix Applied:

Confirm that the running kernel carries one of the patch commits. Distribution kernels backport fixes without changing the upstream version string, so compare uname -r with the fixed package version named in your distribution's advisory for CVE-2024-57947 rather than relying on the version number alone, then re-test the matching behaviour of any pipapo-backed sets in your ruleset.

📡 Detection & Monitoring

Log Indicators:

  • None. The bug silently returns a wrong lookup result; it does not emit kernel warnings, oopses or netfilter error messages, so log searches for 'netfilter' or 'nf_set_pipapo' will not reveal it.

Network Indicators:

  • Flows that a concatenated interval set should have dropped appearing in flow logs or on downstream sensors
  • Flows that should have been accepted being dropped or rate-limited unexpectedly

SIEM Query:

Correlate firewall-host kernel versions against the fixed versions from your distribution advisory, and alert on accepted flows whose source/destination tuple falls inside a set that the ruleset says should block them.
