LiveActive security incident?Get immediate response
CVE Record

CVE-2024-26643: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-26643 is a Linux kernel netfilter/nf_tables race condition involving anonymous sets with timeouts. The public bundle does not provide CVSS, CWE, confirmed impact, or active exploitation evidence. Treat it as a kernel maintenance risk: prioritize systems on affected kernel lines and embedded products that depend on vendor kernel updates.

Executive priority

Prioritize normal-to-accelerated patch management for internet-facing, multi-tenant, appliance, and high-value Linux systems. Escalate only if a vendor advisory rates your specific product as severe or if exploitation evidence emerges.

Technical view

The issue is in nf_tables set teardown. Asynchronous rhashtable garbage collection can collect timed-out elements from anonymous sets while the commit path releases the set. The fix marks anonymous sets as dead during unbind and abort paths so async GC skips them. The bundle does not characterize resulting memory corruption, crash, or privilege impact.

Likely exposure

Exposure is Linux systems running kernel versions identified as affected in the CVE record, especially deployments using netfilter/nf_tables. Siemens also references the CVE for some products. The source bundle does not define required privileges, configuration prerequisites, or whether nftables must be actively used.

Exploitation context

The CVE record says KEV is false, and the provided sources do not claim active exploitation or public exploit availability. The issue was originally reported from a 6.1.x path involving pipapo sets with low timeouts, but the bundle says that path is not possible upstream after an earlier change.

Researcher notes

Key evidence is the upstream kernel fix description: async GC can race with anonymous set release, and the mitigation is the dead flag. Missing evidence includes CVSS, CWE, exploitability, required capabilities, and concrete impact. Avoid assuming privilege escalation or remote reachability from this bundle alone.

Mitigation direction

  • Inventory Linux kernel versions across servers, appliances, containers hosts, and embedded products.
  • Apply vendor-supported kernel updates containing the referenced stable fixes.
  • For Debian LTS systems, review the Debian advisory and update through supported channels.
  • For Siemens products, follow Siemens SSA-265688 product-specific guidance.
  • If no vendor fix is available, request vendor guidance rather than applying ad hoc kernel patches.

Validation and detection

  • Compare running kernel versions against the CVE affected and fixed version data.
  • Check distribution advisories for backported fixes, not only upstream version numbers.
  • Confirm whether systems use or expose nf_tables/netfilter functionality.
  • Track vendor appliance advisories for bundled Linux kernel updates.
  • Verify patch deployment through package inventory or kernel build metadata.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-26643 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux8da1b048f9a501d3d7d38c188ba09d7d0d5b8c27, bbdb3b65aa91aa0a32b212f27780b28987f2d94f, 448be0774882f95a74fa5eb7519761152add601b, d19e8bf3ea4114dd21fc35da21f398203d7f7df1, ea3eb9f2192e4fc33b795673e56c97a21987f868, 5f68718b34a531a556f2f50300ead2862278da26, 5f68718b34a531a556f2f50300ead2862278da26, 5f68718b34a531a556f2f50300ead2862278da26, 0624f190b5742a1527cd938295caa8dc5281d4cd, 5.4.262, 5.10.198, 5.15.134, 6.1.56, 6.4.11unaffected
LinuxLinux6.5, 0, 5.4.274, 5.10.215, 5.15.154, 6.1.84, 6.6.24, 6.7.12, 6.8affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.