CVE-2024-26835: netfilter: nf_tables: set dormant flag on hook register failure
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: set dormant flag on hook register failure
We need to set the dormant flag again if we fail to register
the hooks.
During memory pressure hook registration can fail and we end up
with a table marked as active but no registered hooks.
On table/base chain deletion, nf_tables will attempt to unregister
the hook again which yields a warn splat from the nftables core.
Security readout for executives and security teams
Plain-English summary
CVE-2024-26835 is a Linux kernel nftables issue. Under memory pressure, hook registration can fail and leave a firewall table marked active even though hooks were not registered. Later deletion can trigger a kernel warning. The sources do not provide CVSS, CWE, or evidence of active exploitation.
Executive priority
Treat this as routine kernel maintenance unless internal evidence shows repeated nftables warnings or affected firewall hosts are highly critical. Prioritize normal patch windows and confirm vendor coverage rather than emergency response.
Technical view
In nf_tables, failed hook registration did not restore the table dormant flag. This creates inconsistent state: active table metadata without registered hooks. When the table or base chain is deleted, nftables attempts to unregister hooks again, producing a warning from nftables core. Stable kernel commits address the state-handling defect.
Likely exposure
Exposure is likely limited to Linux systems running affected kernel builds with nftables/netfilter functionality present. Actual exposure depends on distribution backports and kernel package status, not only upstream version numbers. Debian LTS published related kernel updates in June 2024.
Exploitation context
The source bundle marks KEV as false and cites no public active exploitation. The described trigger requires memory pressure and a hook-registration failure, but the sources do not document exploitability beyond the kernel warning condition.
Researcher notes
Evidence is limited to the CVE text, stable kernel commits, and Debian LTS notice. No CVSS, CWE, exploit status, or practical attack path is provided. Prefer patch-state validation over reproducing the memory-pressure failure path.
Mitigation direction
Apply vendor kernel updates that include the listed stable kernel fixes.
For custom kernels, review and incorporate the referenced upstream stable commits.
Check Debian LTS advisory applicability for Debian long-term-support systems.
Track vendor advisories if your distribution backports fixes without changing major kernel versions.
Validation and detection
Inventory Linux kernel versions and distribution package build numbers.
Confirm vendor advisories or changelogs mention CVE-2024-26835 or the referenced commits.
Identify systems using nftables or netfilter-heavy firewall configurations.
Review kernel logs for nftables warning patterns, without attempting to trigger the condition.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-26835 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.