LiveActive security incident?Get immediate response
CVE Record

CVE-2024-42070: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers register store validation for NFT_DATA_VALUE is conditional, however, the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This only requires a new helper function to infer the register type from the set datatype so this conditional check can be removed. Otherwise, pointer to chain object can be leaked through the registers.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-42070 is a Linux kernel netfilter nf_tables validation flaw. The kernel fix says incomplete validation can leak a pointer to a chain object through registers. That is a kernel information disclosure issue, but the provided sources do not give CVSS, attacker prerequisites, or confirmed exploitation.

Executive priority

Schedule remediation in the normal kernel patch cycle, faster for shared infrastructure and security appliances. The issue is not listed as actively exploited in the provided sources, but kernel pointer leaks can support broader attack chains when paired with other bugs.

Technical view

The issue is in nf_tables register store validation for NFT_DATA_VALUE. Validation was conditional even though set datatypes resolve to NFT_DATA_VALUE or NFT_DATA_VERDICT. Linux added helper logic to infer register type from set datatype and fully validate stores, preventing chain object pointer leakage.

Likely exposure

Exposure is likely limited to systems running affected Linux kernel builds where nf_tables is present and reachable. The bundle lists Linux as affected and includes multiple stable kernel fixes plus Debian LTS and Siemens advisories. Confirm exposure through distro or device-vendor kernel advisories, because backports may not match upstream version strings.

Exploitation context

The source bundle does not show CISA KEV listing, public exploitation, exploit maturity, or remote attackability. It supports only that a kernel pointer can be leaked through nf_tables registers before the fix. Treat as a kernel hardening and information-disclosure remediation item, not as confirmed active exploitation.

Researcher notes

Evidence is strongest for root cause and upstream remediation because the kernel commit text is explicit. Evidence is incomplete for exploitability, required privileges, affected configuration, and severity scoring. Avoid assuming remote exploitability or active attacks without additional vendor or threat-intelligence confirmation.

Mitigation direction

  • Update affected Linux kernels through the operating system or device vendor channel.
  • For custom kernels, include the relevant upstream stable nf_tables fix commit.
  • Review Debian LTS guidance if maintaining Debian-based long-term-support systems.
  • Review Siemens advisories for affected Siemens products and vendor-specific update availability.
  • Prioritize internet-facing, multi-user, container-host, and appliance fleets for vendor validation.

Validation and detection

  • Inventory Linux kernel versions and vendor build identifiers across servers, appliances, and containers hosts.
  • Check whether the vendor advisory marks the installed kernel build as fixed or affected.
  • Confirm nf_tables/netfilter exposure according to the platform’s firewall and namespace configuration.
  • Validate that deployed kernel packages include the referenced stable fix or vendor backport.
  • Document exceptions where vendor guidance is unavailable and track them for follow-up.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-42070 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
13Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux96518518cc417bb0a8c80b9fb736202e28acdf96, 96518518cc417bb0a8c80b9fb736202e28acdf96, 96518518cc417bb0a8c80b9fb736202e28acdf96, 96518518cc417bb0a8c80b9fb736202e28acdf96, 96518518cc417bb0a8c80b9fb736202e28acdf96, 96518518cc417bb0a8c80b9fb736202e28acdf96, 96518518cc417bb0a8c80b9fb736202e28acdf96, 96518518cc417bb0a8c80b9fb736202e28acdf96unaffected
LinuxLinux3.13, 0, 4.19.317, 5.4.279, 5.10.221, 5.15.162, 6.1.97, 6.6.37, 6.9.8, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.