---

Introduction

If you run Linux in any form, chances are you rely on netfilter—the built-in firewall engine. Recently, a vulnerability tagged CVE-2024-26581 was discovered and quickly patched in the kernel code. This post breaks down how the bug works, why it’s dangerous, and how it could be exploited. We’ll also look at the relevant code, show you how it was fixed, and link useful references for further reading.

What Is CVE-2024-26581?

CVE-2024-26581 affects the netfilter’s rbtree set infrastructure. In particular, it deals with how the Linux kernel manages *interval sets* in firewall rules using a data structure called an rbtree.

The core issue: the garbage collector (GC) might remove what's called an *end interval element* too soon, right after it’s been created, leaving the set in an inconsistent state. If an attacker manipulates set elements in the right sequence, it's possible to expose kernel memory or cause denial of service.

Understanding netfilter’s rbtree Sets and “End Intervals”

Netfilter’s nftables subsystem allows you to define sets with intervals, like "block all IPs from 10...1 to 10...255". Under the hood, these are managed by a self-balancing rbtree.

When you insert intervals, there’s a special “end interval element” to mark the boundary. This bug is about what happens when *garbage collection* mistakenly erases this boundary if it’s not fully established yet.

The Bug, In Simple Terms

When you add a new interval in a transaction (a batch operation), it creates a pending “end interval element.” The garbage collector doesn't notice it isn’t active yet, so it might delete it *immediately*. That breaks the interval's integrity and can result in use-after-free, information leaks, or crashes.

Original problematic code (from net/netfilter/nft_set_rbtree.c)

/* rbtree lazy garbage collection */
struct nft_rbtree { ... };

static void nft_rbtree_gc_elem(struct nft_set *set, void *elem, unsigned long gc_seq)
{
    struct nft_rbtree_elem *rbe = elem;
    /* ... */
    if (nft_rbtree_interval_end(rbe)) {
        /* End interval element, but is it active? */
        if (!nft_set_elem_active(set, elem)) {
            /*
             * Was just added in this transaction -- skip it!
             */
            return;
        }
        /* ... removal logic ... */
    }
    /* ... */
}

The key addition (the fix) is the check to see if the interval end is actually active

if (nft_rbtree_interval_end(rbe) && !nft_set_elem_active(set, elem))
    return;

This ensures the GC *skips* those boundary elements “just added” and not ready for collection.

An attacker with CAP_NET_ADMIN (privileges to mess with netfilter) could, in theory

1. Queue up rules/intervals in a transaction

Cause the GC to free the end interval element early

4. Potentially write/read freed memory, crash the kernel, or leak kernel data

In lab tests, this scenario can turn into a Denial of Service (DoS), remote information leak, or even open up more advanced attacks, depending on your kernel version and configuration.

Proof-of-Concept Snippet (Conceptual)

An actual exploit would be complicated and dangerous, but here's a high-level pseudocode showing the race logic:

# Setup: Create a set with interval support
nft add table inet x
nft add set inet x y { type ipv4_addr\; flags interval\; }

# Insert intervals in a transaction (potential race with GC)
nft -f - << EOF
add element inet x y { 192.168.1.10-192.168.1.20 }
add element inet x y { 192.168.1.21-192.168.1.30 }
EOF

# Trigger garbage collection (GC) -- special timing required!
(trigger nft_gc flow here)

# Attempt to read deleted memory or cause set inconsistency
nft list set inet x y

Note: *Real exploitation requires intricate timing and privileges.*

It’s a kernel bug, so you need to update. Patches landed in

- Upstream commit (kernel.org)

Mainline: v6.8-rc1+

- Stable branches: 6.7.3 / 6.6.17 and up

How to fix:
Update to a kernel with the patch applied. If you use custom builds, cherry-pick the commit fae64bf2a2be.

References

1. Kernel Patch/Commit:
netfilter: nft_set_rbtree: skip end interval element from gc

CVE Details:

CVE-2024-26581 at CVE.org

netfilter project:

nftables official site
4. Linux kernel stable mailing list post

Summary

CVE-2024-26581 is a subtle but high-impact bug in Linux’s firewall code. It shows how important it is to handle “in-progress” operations correctly, especially in complex systems like netfilter. Update your kernel if you use interval sets, especially if you expose netfilter to container workloads or untrusted users.

Timeline

Published on: 02/20/2024 13:15:09 UTC
Last modified on: 04/19/2024 17:41:29 UTC