CVE-2024-0607

Summary

A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the dst array. On each iteration, 8 bytes are written, but dst is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.

Affected Software

VendorProductVersion RangeStatus
0 < 6.7-rc2affected

Weaknesses

  • CWE-229: Improper Handling of Values

Workarounds

To mitigate this issue, it is possible to prevent the affected code from being loaded by blacklisting the kernel netfilter module.

For instructions relating to how to blacklist a kernel module refer to: https://access.redhat.com/solutions/41278

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References