{ "threat_severity" : "Moderate", "public_date" : "2024-04-24T00:00:00Z", "bugzilla" : { "description" : "kernel: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", "id" : "2277166", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2277166" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-667", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.", "A flaw was found in the Linux kernel’s Netfilter nf_tables module. The issue arises from improper mutex handling during the garbage collection (GC) process. The problem occurs between the critical functions nft_gc_seq_begin() and nft_gc_seq_end(), where a mutex lock is incorrectly released too early, leading to potential race conditions. This issue could allow an asynchronous GC worker to collect expired objects and improperly obtain the released commit lock within the same sequence, potentially causing system instability or data corruption.\nThis vulnerability can be exploited by attackers with local access, leading to unexpected behavior or even privilege escalation under certain conditions. The kernel patch for this issue moves the mutex release to the correct point, ensuring the sequence completes safely before releasing any locks." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5102", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5101", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.16.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-28T00:00:00Z", "advisory" : "RHSA-2024:5928", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.33.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-28T00:00:00Z", "advisory" : "RHSA-2024:5928", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.33.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-07-24T00:00:00Z", "advisory" : "RHSA-2024:4823", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.75.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-07-24T00:00:00Z", "advisory" : "RHSA-2024:4831", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.75.1.rt14.360.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26925\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26925\nhttps://lore.kernel.org/linux-cve-announce/2024042421-CVE-2024-26925-7c19@gregkh/T" ], "name" : "CVE-2024-26925", "csaw" : false }