CVE-2024-56655

Summary

CVE-2024-56655 is a vulnerability affecting the Linux kernel's netfilter subsystem. The issue lies in the nf_tables component, where the destruction of rules and chains is not properly synchronized. Specifically, nf_tables_chain_destroy can sleep, making it unsuitable for call_rcu callbacks. Additionally, the nft_rule_expr_deactivate callbacks and nft_set_destroy function may cause issues due to unsynchronized counter updates and the need for serialization via the transaction mutex. This vulnerability can result in warnings and call traces related to synchronize_rcu, and potential workarounds include deferring freeing to the nft destroy workqueue and exploring alternative methods to handle memory allocation failures.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.