In March 2024, security researchers and kernel developers identified and patched a vulnerability in the Linux kernel’s netfilter subsystem, specifically involving nft_set_pipapo. Registered as CVE-2024-26809, this flaw could lead to serious memory corruption problems, such as double free, which malicious actors may exploit for privilege escalation or system crash. This long read explains the vulnerability, its technical background, the fix, as well as insights and practical impact.

What is netfilter and nft_set_pipapo?

Linux’s netfilter is a core framework for packet filtering, network address translation, and other packet mangling. Within netfilter, nf_tables provides a powerful, flexible way for defining firewall rules, and one of its components is the nft_set_pipapo— an optimized set backend designed to manage large tables for fast packet matching.

The Problem: Double-Free Flaw in nft_set_pipapo

The vulnerability revolves around how nft_set_pipapo handles the destruction or releasing (“freeing”) of elements in its internal table structure, especially when snapshot clones and abort operations intersect.

When a clone is made of a set, it provides a current look (snapshot) view of the table.

- Upon destroying the set, the code must ensure it only releases elements from the correct code path (the destroy path), not from the abort path as well.
- Without this differentiation, the same element might be freed twice — a classic "double free" vulnerability.
- Double free can be exploited to corrupt kernel memory, potentially leading to arbitrary code execution or kernel panic.

Here’s a summary-style look at the problematic logic, in pseudocode for clarity

function nft_set_pipapo_destroy(set):
    if set is cloned:
        free_elements_only_once(set)
    else:
        free_elements(set)

function nft_set_pipapo_abort(set):
    if set is cloned:
        // Should not free again
        return
    free_elements(set)

The fix was introduced through this commit

> netfilter: nft_set_pipapo: release elements in clone only from destroy path
> Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice.

Key Changes

- The destroy and abort paths were separated so that elements in a clone are released only in the destroy path—never in the abort path.

This fix depends on

- 212ed75dc5fb

- Which comes after

- 9827ae6e23b

Real-World Exploitation Risk

Who is affected:
All Linux-based systems using affected kernel versions with nftables in use, especially on servers with complex firewall rules.

Attack Scenario:
A local or remote attacker (with certain netfilter privileges) can manipulate nftables rulesets or force abort and destroy paths in a crafted way, causing a double free and potentially executing arbitrary code in kernel space or crashing the system.

### Proof-of-Concept/Exploit Example

Due to responsible disclosure, no fully working public exploit has been published. However, a simplified (and safe) explainer of how such a bug could be triggered looks like this:

# Unsafe firewall rule manipulation example
nft add table ip mytable
nft add set ip mytable myset { type ipv4_addr \; }
# force clone and abort/destroy in quick succession by scripting
for i in $(seq 1 100); do
   nft add element ip mytable myset { 1.2.3.4 }
   nft delete set ip mytable myset
done
# a vulnerable kernel could crash or behave unpredictably

How to Patch

To resolve, upgrade to a Linux kernel which includes or is based upon commit 212ed75dc5fb (March 2024 or later mainline). Most distributions will backport this fix; watch for updates referencing CVE-2024-26809.

uname -r   # Check your kernel version
# On Ubuntu/Debian
sudo apt update && sudo apt full-upgrade
# On RHEL/CentOS
sudo dnf update

References

- CVE-2024-26809 at CVE Details
- Kernel mainline commit 212ed75dc5fb
- netfilter/nftables documentation
- nf_tables source code

Conclusion

CVE-2024-26809 underlines the importance of careful resource management in the Linux kernel, especially in subsystems exposed to frequent or complex user interactions like netfilter. All administrators and users of nftables should apply security updates promptly. Even relatively hidden bugs like double free can become catastrophic if discovered and leveraged by attackers.

For continued protection, always stay updated on kernel security advisories— especially for foundational components like networking and firewall control.

Timeline

Published on: 04/04/2024 10:15:09 UTC
Last modified on: 03/19/2025 16:19:56 UTC