{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-17T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info",
    "id" : "2281284",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281284"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\nAn skb can be added to a neigh->arp_queue while waiting for an arp\nreply. Where original skb's skb->dev can be different to neigh's\nneigh->dev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh->arp_queue of the bridge.\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\ndifferent device's neigh queue) we can crash on e.g. this stack:\narp_process\nneigh_update\nskb = __skb_dequeue(&neigh->arp_queue)\nneigh_resolve_output(..., skb)\n...\nbr_nf_dev_xmit\nbr_nf_pre_routing_finish_bridge_slow\nskb->dev = nf_bridge->physindev\nbr_handle_frame_finish\nLet's use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don't get it and drop skb.", "CVE-2024-35839 is a flaw in the Linux kernel's Netfilter bridge functionality. It occurs when bridging certain packets, such as those involving destination NAT between virtual Ethernet interfaces. A mismatch between the network device associated with a packet and the neighbor's device can lead to incorrect handling, including references to freed memory. This issue could cause system crashes. The problem has been fixed by using safer methods to retrieve the network device during packet processing. Users should update their kernels to a patched version to avoid this vulnerability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8870",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.27.1.rt7.368.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8856",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.27.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6267",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.82.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6268",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.82.1.rt14.367.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35839\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35839\nhttps://lore.kernel.org/linux-cve-announce/2024051756-CVE-2024-35839-4194@gregkh/T" ],
  "name" : "CVE-2024-35839",
  "csaw" : false
}