In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: release flowtable after rcu grace period on error
Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane. This error path is rare, it should only happen by reaching the maximum
number hooks or by failing to set up to hardware offload, just call
synchronize_rcu(). There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage.
The hook parser can be
updated to perform this check earlier to this error path really becomes
rarely exercised. Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.
Attack Parameters
Impact Assessment
CVSS Vector v3.1