In 2024 a security flaw was fixed in the Linux kernel's netfilter subsystem, specifically in the nf_tables module that implements nftables. Tracked as CVE-2024-35900 (published 19 May 2024), the bug lets one particular ordering of table and chain updates inside a single transaction leave the subsystem's hook bookkeeping inconsistent. The result is a kernel WARNING and, on kernels configured to panic on warnings, a panic.

In this post you get a breakdown of how the bug works: the reproducer, the kernel warning it produces, the kernel code path involved and the upstream fix, all explained in plain language.

What is CVE-2024-35900?

CVE-2024-35900 is a logic bug in the kernel's nf_tables subsystem, the engine behind the nftables firewall. It is triggered when a table's dormant flag is toggled and a new base chain is added to that table in the same transaction. The transaction is accepted, but the kernel's record of which netfilter hooks are registered no longer matches reality, and the commit phase trips a WARN_ON in the netfilter core.

The bug was fixed upstream by the commit titled "netfilter: nf_tables: reject new basechain after table flag update" (see the references at the end).

How Does the Vulnerability Work?

The essence: flipping a table's dormant flag and adding a base chain to that table in the same batch puts the kernel in a state where, at commit time, it tries to unregister a netfilter hook for the new chain that was never registered in the first place. The netfilter core detects the missing hook and warns.

Imagine the following nftables batch, submitted as a single transaction (for example from a file with nft -f). It is the reproducer from the upstream commit message:

add table x
add chain x y { type filter hook input priority 0; }
add table x { flags dormant; }
add chain x w { type filter hook input priority 1; }

Step by step: chain y is a base chain, so its input hook is registered while the batch is being prepared. The third command marks table x dormant; the flag flips immediately, but the hooks of the table's chains are only torn down later, in the commit phase. The fourth command adds a second base chain w. Because the table already carries the dormant flag, no hook is registered for w.

Result: at commit time the kernel walks every base chain of the now-dormant table, y and w alike, and unregisters their hooks. For w there is nothing to unregister. The netfilter core notices and emits the following warning (offsets will differ on your kernel):

WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260
...
Call Trace:
 ? __warn+0x9f/0x1a0
 ? __nf_unregister_net_hook+0x21a/0x260
 ...
 nft_table_disable+0x75/0xf0 [nf_tables]
 nf_tables_commit+0x2571/0x2620 [nf_tables]

Original Linux kernel code reference

- net/netfilter/core.c
- net/netfilter/nf_tables_api.c

When toggling the dormant flag of a table:

- In the prepare phase the kernel flips the table's dormant flag at once and records that a flag update is pending in this transaction. The hooks themselves are only registered or unregistered at commit, by iterating over all chains in the table, both pre-existing and newly created ones.
- A base chain added after that point, in the same transaction, is attached to a table that already looks dormant, so the chain is created without registering its hook.
- On commit the pending dormant update runs nft_table_disable(), which tries to unregister the hook of every base chain, chain w included, even though w's hook was never registered. __nf_unregister_net_hook() cannot find it in the hook list and warns.

Here's a simplified version of the critical kernel function (the real one also skips chains that are not active in the next generation and takes a count argument used when unwinding a failed enable):

static void nft_table_disable(struct net *net, struct nft_table *table)
{
    struct nft_chain *chain;

    /* walks the chain list as it will look after commit, so chains
     * added in this very transaction are included */
    list_for_each_entry(chain, &table->chains, list) {
        if (!nft_is_base_chain(chain))
            continue;
        __nf_tables_unregister_hook(net, table, chain, true);
    }
}

Because that list contains both pre-existing and newly added chains, the walk reaches chains whose hooks were never registered, and the netfilter core warns when asked to remove a hook it does not have.
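The sequence above, replayed by a userspace model written for this post. It is an added example, not kernel code: the flag names and the split between a prepare phase (where the dormant bit flips and a new chain is created) and a commit phase (where hooks are registered or unregistered) follow net/netfilter/nf_tables_api.c, while the structures, the boolean hook registry, the WARN counter and the function names are the model's own, and -EINVAL is the error the upstream check returns once the fix is on. replay_batch() runs the four-command batch with and without the fix; replay_separate() runs the same commands with the flag change committed before w is added, the ordering the workaround relies on, and shows it still working with the fix in place.

```c
/* Userspace model of the nf_tables logic behind CVE-2024-35900: an added
 * illustration, not kernel code. Flag names and the prepare/commit split
 * follow nf_tables_api.c; the structures and hook registry are the model's. */
#include <errno.h>
#include <stdbool.h>
#define NFT_TABLE_F_DORMANT       0x1u	/* public flag */
#define __NFT_TABLE_F_WAS_DORMANT 0x4u	/* internal: a flip awaits commit */
#define __NFT_TABLE_F_WAS_AWAKEN  0x8u
#define __NFT_TABLE_F_UPDATE      (__NFT_TABLE_F_WAS_DORMANT | __NFT_TABLE_F_WAS_AWAKEN)

struct chain { bool hook_registered; };	/* true: the hook is in the nf_hook list */
struct table {
	unsigned int flags;
	struct chain chains[4];	/* every chain here is a base chain; we need two */
	int nchains;
	int warnings;		/* WARN_ON hits in the modelled __nf_unregister_net_hook */
};

/* core.c: unregistering a hook that is not in the list trips WARN_ON(). */
static void hook_unregister(struct table *t, struct chain *c)
{
	if (!c->hook_registered)
		t->warnings++;
	c->hook_registered = false;
}

static void hook_register(struct table *t, struct chain *c)
{
	if (!(t->flags & NFT_TABLE_F_DORMANT))	/* dormant table: hooks stay off */
		c->hook_registered = true;
}

/* Prepare phase, nf_tables_updtable: the dormant bit flips immediately and
 * an internal bit records that the flip has not been committed yet. */
static void updtable(struct table *t, unsigned int flags)
{
	unsigned int was = t->flags & NFT_TABLE_F_DORMANT;
	if ((flags & NFT_TABLE_F_DORMANT) == was)
		return;
	t->flags ^= NFT_TABLE_F_DORMANT;
	if (!(t->flags & __NFT_TABLE_F_UPDATE))
		t->flags |= was ? __NFT_TABLE_F_WAS_DORMANT : __NFT_TABLE_F_WAS_AWAKEN;
}

/* Prepare phase, nf_tables_addchain for a base chain. `fixed` enables the
 * upstream check: no new base chain while a flag update is pending. */
static int addchain(struct table *t, bool fixed)
{
	if (fixed && (t->flags & __NFT_TABLE_F_UPDATE))
		return -EINVAL;
	struct chain *c = &t->chains[t->nchains++];
	c->hook_registered = false;
	hook_register(t, c);
	return 0;
}

/* Commit phase: a pending flip walks EVERY chain of the table, pre-existing
 * or added inside this batch, as nft_table_disable()/nft_table_enable() do. */
static void commit(struct table *t)
{
	if (!(t->flags & __NFT_TABLE_F_UPDATE))
		return;
	for (int i = 0; i < t->nchains; i++) {
		if (t->flags & NFT_TABLE_F_DORMANT)
			hook_unregister(t, &t->chains[i]);
		else
			hook_register(t, &t->chains[i]);
	}
	t->flags &= ~__NFT_TABLE_F_UPDATE;
}

/* ONE batch: chain y, table dormant, chain w, commit (the reproducer).
 * Returns the WARN count; *w_err receives the result of adding w. */
int replay_batch(bool fixed, int *w_err)
{
	struct table t = { 0 };
	addchain(&t, fixed);			/* y: table awake, hook registered */
	updtable(&t, NFT_TABLE_F_DORMANT);	/* DORMANT | WAS_AWAKEN, uncommitted */
	*w_err = addchain(&t, fixed);		/* w: unfixed adds it, hook never registered */
	commit(&t);				/* disable walks y and w */
	return t.warnings;
}

/* Safe ordering: the flip is committed before w is added, then the table is
 * woken in a later transaction. Returns the WARN count; *w_live: w's hook. */
int replay_separate(bool fixed, bool *w_live)
{
	struct table t = { 0 };
	addchain(&t, fixed);
	updtable(&t, NFT_TABLE_F_DORMANT);
	commit(&t);				/* y's hook removed, UPDATE bits cleared */
	addchain(&t, fixed);			/* w accepted even with the fix */
	updtable(&t, 0);
	commit(&t);				/* enable registers y and w */
	*w_live = t.chains[1].hook_registered;
	return t.warnings;
}
```

Drive it from any main: replay_batch(false, &err) reports the one WARN hit that the real kernel turns into the trace above, replay_batch(true, &err) reports no hit and leaves err at -EINVAL, and replay_separate() reports no hit in either mode with w's hook live once the table is woken again.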

Exploit: Can It Be Used Maliciously?

No privilege-escalation or information-leak exploit is known, and nothing here is reachable remotely: the bug is a local denial-of-service primitive.

- Talking to nf_tables requires CAP_NET_ADMIN over the network namespace. That is root on a plain host, but on distributions that allow unprivileged user namespaces an ordinary user can obtain that capability inside a namespace of their own, so "requires root" is not a safe assumption.
- What the bug produces directly is a WARNING plus hook bookkeeping that no longer matches the hooks actually registered. On kernels running with panic_on_warn (common on hardened, Android and CI builds) that WARNING is a panic, i.e. a reboot of the host.

You can reproduce the warning in a test environment. The four commands must reach the kernel as one transaction, so put them in a file and feed it to nft -f; running them as four separate nft invocations commits each one on its own and does not trigger the bug:

# cve-2024-35900.nft: all four commands in one batch
add table x
add chain x y { type filter hook input priority 0; }
add table x { flags dormant; }
add chain x w { type filter hook input priority 1; }

# as root, in a throwaway network namespace so the host firewall is untouched
ip netns add repro && ip netns exec repro nft -f cve-2024-35900.nft
dmesg | grep -E '__nf_unregister_net_hook|nft_table_disable'
ip netns del repro

On a patched kernel nft -f fails with "Invalid argument" on the last command and, since a batch is atomic, nothing is committed. Always test in a VM or sandbox, never on a production system: with panic_on_warn set, a vulnerable kernel reboots instead of just logging the warning.

Patch and Mitigation

Upgrades:
The fix is in mainline and has been tagged for the stable trees (see the stable mailing list thread); distributions are shipping it. Install the updated kernel from your distribution.

Workaround:
- Until the kernel is patched, never add a base chain and flip the table's dormant flag in the same transaction (the same nft -f file or nft -i session). Commit the flag change first, then add the chain. This is exactly the rule the upstream fix enforces: a base chain added while a table flag update is pending is now rejected.

Upstream commit:
- netfilter: nf_tables: reject new basechain after table flag update

nftables documentation:
- nftables wiki

Original patch thread:
- LKML patch
- CVE record for CVE-2024-35900

Summary

CVE-2024-35900 is a logic flaw in Linux's nf_tables: adding a base chain in the same transaction that toggles a table's dormant flag leaves hook registration inconsistent, so the commit phase tries to unregister a hook that was never registered. The direct impact is a kernel WARNING, or a panic where panic_on_warn is enabled, reachable by anyone holding CAP_NET_ADMIN in a network namespace. The fix simply rejects that ordering.

Keep your kernels updated, and until every host is patched keep table flag changes and base chain creation in separate transactions in your nftables scripts.

Timeline

Published on: 05/19/2024 09:15:10 UTC
Last modified on: 05/04/2025 09:07:57 UTC