CVE-2024-26643: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
While the rhashtable set gc runs asynchronously, a race allows it to
collect elements from anonymous sets with timeouts while it is being
released from the commit path.
Mingi Cho originally reported this issue in a different path in 6.1.x
with a pipapo set with low timeouts which is not possible upstream since
7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set
element timeout").
Fix this by setting on the dead flag for anonymous sets to skip async gc
in this case.
According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on
transaction abort"), Florian plans to accelerate abort path by releasing
objects via workqueue, therefore, this sets on the dead flag for abort
path too.
Security readout for executives and security teams
Plain-English summary
CVE-2024-26643 is a Linux kernel netfilter/nf_tables race condition involving anonymous sets with timeouts. The public bundle does not provide CVSS, CWE, confirmed impact, or active exploitation evidence. Treat it as a kernel maintenance risk: prioritize systems on affected kernel lines and embedded products that depend on vendor kernel updates.
Executive priority
Prioritize normal-to-accelerated patch management for internet-facing, multi-tenant, appliance, and high-value Linux systems. Escalate only if a vendor advisory rates your specific product as severe or if exploitation evidence emerges.
Technical view
The issue is in nf_tables set teardown. Asynchronous rhashtable garbage collection can collect timed-out elements from anonymous sets while the commit path releases the set. The fix marks anonymous sets as dead during unbind and abort paths so async GC skips them. The bundle does not characterize resulting memory corruption, crash, or privilege impact.
Likely exposure
Exposure is Linux systems running kernel versions identified as affected in the CVE record, especially deployments using netfilter/nf_tables. Siemens also references the CVE for some products. The source bundle does not define required privileges, configuration prerequisites, or whether nftables must be actively used.
Exploitation context
The CVE record says KEV is false, and the provided sources do not claim active exploitation or public exploit availability. The issue was originally reported from a 6.1.x path involving pipapo sets with low timeouts, but the bundle says that path is not possible upstream after an earlier change.
Researcher notes
Key evidence is the upstream kernel fix description: async GC can race with anonymous set release, and the mitigation is the dead flag. Missing evidence includes CVSS, CWE, exploitability, required capabilities, and concrete impact. Avoid assuming privilege escalation or remote reachability from this bundle alone.
Mitigation direction
Inventory Linux kernel versions across servers, appliances, containers hosts, and embedded products.
Apply vendor-supported kernel updates containing the referenced stable fixes.
For Debian LTS systems, review the Debian advisory and update through supported channels.
For Siemens products, follow Siemens SSA-265688 product-specific guidance.
If no vendor fix is available, request vendor guidance rather than applying ad hoc kernel patches.
Validation and detection
Compare running kernel versions against the CVE affected and fixed version data.
Check distribution advisories for backported fixes, not only upstream version numbers.
Confirm whether systems use or expose nf_tables/netfilter functionality.
Track vendor appliance advisories for bundled Linux kernel updates.
Verify patch deployment through package inventory or kernel build metadata.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-26643 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.