Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject QUEUE/DROP verdict parameters This reverts commit e0abdadcc6e1. core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar, or 0. Due to the reverted commit, its possible to provide a positive value, e.g. NF_ACCEPT (1), which results in use-after-free. Its not clear to me why this commit was made. NF_QUEUE is not used by nftables; "queue" rules in nftables will result in use of "nft_queue" expression. If we later need to allow specifiying errno values from userspace (do not know why), this has to call NF_DROP_GETERR and check that "err <= 0" holds true.
Уязвимость компоненты netfilter ядра операционной системы Linux в функции nft_verdict_init(), позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
ELSA-2024-3138: kernel security, bug fix, and enhancement update (MODERATE)
ELSA-2024-2394: kernel security, bug fix, and enhancement update (IMPORTANT)