CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-40993: netfilter: ipset: Fix suspicious rcu_dereference_protected()

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: Fix suspicious rcu_dereference_protected()

When destroying all sets, we are either in pernet exit phase or
are executing a "destroy all sets command" from userspace. The latter
was taken into account in ip_set_dereference() (nfnetlink mutex is held),
but the former was not. The patch adds the required check to
rcu_dereference_protected() in ip_set_dereference().

Classification

CVE ID: CVE-2024-40993

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.38% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://git.kernel.org/stable/c/3799d02ae4208af08e81310770d8754863a246a1
https://git.kernel.org/stable/c/72d9611968867cc4c5509e7708b1507d692b797a
https://git.kernel.org/stable/c/523bed6489e089dd8040e72453fb79da47b144c2
https://git.kernel.org/stable/c/788d585e62f487bc4536d454937f737b70d39a33
https://git.kernel.org/stable/c/94dd411c18d7fff9e411555d5c662d29416501e4
https://git.kernel.org/stable/c/3fc09e1ca854bc234e007a56e0f7431f5e2defb5
https://git.kernel.org/stable/c/8ecd06277a7664f4ef018abae3abd3451d64e7a6

Timeline

2024-12-20 00:40:19 UTC
CVE

netfilter: ipset: Fix suspicious rcu_dereference_protected()