LiveActive security incident?Get immediate response
CVE Record

CVE-2024-27012: netfilter: nf_tables: restore set elements when delete set fails

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-27012 is a Linux kernel nf_tables bug where a failed set deletion can leave internal set elements in the wrong state. The public record shows a kernel warning and object mapping memory leak. No CVSS score, CWE, or KEV active-exploitation listing is provided in the source bundle.

Executive priority

Schedule remediation through the normal kernel patch process, with higher priority for shared, exposed, or security-sensitive Linux systems. Current evidence is incomplete for business-impact scoring because the public bundle lacks CVSS, CWE, exploitation claims, and clear attacker impact.

Technical view

The nf_tables abort path used set->ops->walk() in a way that skipped the wrong generation of elements. nft_mapelem_activate() could fail to restore original refcounts after delete-set failure. The fix changes iterator callback logic, reverses activation filtering, toggles the next-generation bit on delete, and clears it during abort restoration.

Likely exposure

Exposure is Linux systems running affected kernel builds with nf_tables present. The bundle names Linux kernel 6.4, 6.1.176, 6.8.8, and 6.9 as affected, while other listed stable versions and commits are marked unaffected. Distro kernel package mapping must be verified separately.

Exploitation context

The source bundle does not claim active exploitation and marks KEV false. It also does not provide exploitability details, prerequisites, or attacker impact. Treat this as a kernel maintenance vulnerability requiring vendor tracking, not as confirmed in-the-wild activity.

Researcher notes

The record is precise about the faulty abort-path state restoration but sparse on security impact. Avoid assuming privilege escalation or denial of service without additional vendor evidence. Useful follow-up is correlating the referenced stable commits with distribution kernel changelogs and local kernel configuration.

Mitigation direction

  • Check the running kernel against vendor advisories for CVE-2024-27012.
  • Apply the relevant stable kernel or distribution kernel update.
  • Prioritize hosts using nftables or netfilter-heavy workloads.
  • Track Fedora and Linux stable announcements for package-specific fixes.
  • If patch timing is blocked, follow vendor guidance for interim controls.

Validation and detection

  • Inventory Linux kernel versions across servers, containers hosts, and appliances.
  • Confirm whether nf_tables support is enabled or loaded.
  • Map distro package versions to the listed Linux stable fixes.
  • Review kernel logs for nf_tables warnings resembling the source trace.
  • Verify updated hosts boot into the remediated kernel.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-27012 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd60be2da67d172aecf866302c91ea11533eca4d9, 628bd3e49cba1c066228e23d71a852c23e26da73, 628bd3e49cba1c066228e23d71a852c23e26da73, bc9f791d2593f17e39f87c6e2b3a36549a3705b1, 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50, a136b7942ad2a50de708f76ea299ccb45ac7a7f9, 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8, dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41, 6.1.36, 4.19.316, 5.4.262, 5.10.188, 5.15.121, 6.3.10unaffected
LinuxLinux6.4, 0, 6.1.176, 6.8.8, 6.9affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.