CVE CyberSecurity Database News

CVE-2024-27020 - Race Condition Data Leak in Linux Kernel netfilter nftables (Explained)

Poster -

The Linux kernel is the heart of almost every Linux-based operating system. It’s huge, complex, and even tiny bugs can have major consequences. One recent discovery—CVE-2024-27020—shows how a small oversight in locking shared data could let attackers crash the system, leak sensitive information, or maybe even gain higher privileges. Here’s a simple, exclusive deep-dive into the bug, how it works, and why it’s important.

What is CVE-2024-27020?

CVE-2024-27020 is a vulnerability in the netfilter nftables subsystem of the Linux kernel (the part responsible for firewalling and packet filtering). It’s caused by a data race in the way expression types are looked up and unregistered. A data race can happen when two threads (or CPUs) try to read and write shared data at the same time—if that data isn’t properly protected, things can go seriously wrong.

The buggy code exists in the function __nft_expr_type_get(), which scans a list of expression types. At the same time, another process could remove an entry from that list via nft_unregister_expr(). If these two operations happen at just the wrong time, it could crash the kernel or read stale memory.

How Does the Race Happen?

Let’s look at some simplified code (not the real Linux code, but close enough for understanding):

// Pseudo-code

struct list_head nf_tables_expressions; // global linked list

struct nft_expr_type {
    struct list_head list;
    // ...
};

// called when querying an expression type
static struct nft_expr_type *__nft_expr_type_get(const char *name) {
    struct nft_expr_type *type;
    // BAD: just a normal list walk, not using any locks
    list_for_each_entry(type, &nf_tables_expressions, list) {
        if (strcmp(type->name, name) == )
            return type;
    }
    return NULL;
}

// called when removing/unregistering an expression type
void nft_unregister_expr(struct nft_expr_type *type) {
    list_del(&type->list);
}

So, __nft_expr_type_get() walks a list with no synchronization. At the *same time*, nft_unregister_expr() can yank items out of the list on another CPU. This is a classic race condition.

Crash: The list gets changed while being read. Boom, kernel panic!

- Leak/corruption: It might return a pointer to freed memory, leaking kernel addresses or letting an attacker mess with memory.

The Fix

The Linux kernel uses a smart locking mechanism called RCU (“Read-Copy-Update”) for safe concurrent access to data structures. The fix is to make the list walk use list_for_each_entry_rcu(), which is RCU-aware, and wrap lookups with rcu_read_lock()/rcu_read_unlock() to keep the list stable while reading.

Fixed code snippet

#include <linux/rcupdate.h>

static struct nft_expr_type *__nft_expr_type_get(const char *name) {
    struct nft_expr_type *type;
    // GOOD: Safe RCU-protected iteration
    list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
        if (strcmp(type->name, name) == )
            return type;
    }
    return NULL;
}

struct nft_expr_type *nft_expr_type_get(const char *name) {
    struct nft_expr_type *type;
    rcu_read_lock();
    type = __nft_expr_type_get(name);
    rcu_read_unlock();
    return type;
}

Is This Exploitable?

YES, under the right circumstances.
If an unprivileged user can trigger both expression lookups and unregisters (which depends on how nftables is exposed on your system), they could crash the kernel or potentially escalate privileges. In many server and cloud environments, even just being able to crash the kernel is a *big deal*.

How to Protect Your System

- Update your kernel. Check here for patches from upstream.
- If you can’t update, limit access to nftables/netfilter configuration to trusted users.
- Monitor vendor advisories for specific kernel updates—most major Linux distros patch these quickly.

Learn More

- Original Patch: kernel.org commit
- CVE Entry: NIST NVD page for CVE-2024-27020
- Linux netfilter docs: nftables wiki

Final Thoughts

CVE-2024-27020 is a textbook example of how parallel programming in the kernel can go wrong. Always use the right locking, and keep your systems up to date! Small vulnerabilities in rarely-touched components like nftables can have big security impacts, even on up-to-date servers.

If you manage Linux systems—especially firewalls, routers, or VPSes where users have some privileges—patching for CVE-2024-27020 should be on your checklist!

Timeline

Published on: 05/01/2024 06:15:20 UTC
Last modified on: 06/27/2024 12:15:23 UTC