LiveActive security incident?Get immediate response
CVE Record

CVE-2024-44944: netfilter: ctnetlink: use helper function to calculate expect ID

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use helper function to calculate expect ID Delete expectation path is missing a call to the nf_expect_get_id() helper function to calculate the expectation ID, otherwise LSB of the expectation object address is leaked to userspace.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can leak a small part of a kernel memory address through netfilter connection-tracking expectation handling. That is not shown as remote code execution or active exploitation in the supplied sources, but kernel address leaks can weaken system hardening and support later attacks.

Executive priority

Treat as routine-to-important kernel hygiene, not an emergency based on supplied evidence. Patch through normal kernel maintenance, raising priority for shared hosting, security appliances, and exposed infrastructure dependent on netfilter.

Technical view

In netfilter ctnetlink, the delete expectation path did not use nf_expect_get_id() to calculate the expectation ID. The CVE states this leaks the least significant bit of the expectation object address to userspace. Fixes are referenced in Linux stable commits and downstream advisories.

Likely exposure

Exposure is most relevant to Linux systems where netfilter connection tracking expectation functionality is present and reachable by local users or management components. Exact affected distro kernels must be mapped against vendor packages because the bundle lists upstream commits and stable branch versions.

Exploitation context

The supplied sources do not show CISA KEV listing, public active exploitation, or a complete exploit path. The described impact is information disclosure to userspace, specifically part of a kernel object address, which may be useful only with other weaknesses.

Researcher notes

Evidence identifies an address-bit leak in ctnetlink expectation deletion. No CVSS, CWE, exploitability notes, or attack prerequisites are provided in the bundle. Avoid overstating impact; validate affectedness through exact kernel backport status rather than upstream version strings alone.

Mitigation direction

  • Update Linux kernels to vendor builds containing the referenced upstream stable fixes.
  • Check Debian and Siemens advisories where those platforms are in scope.
  • Prioritize internet-facing appliances or multi-tenant Linux hosts using netfilter heavily.
  • If updates are unavailable, monitor vendor guidance for supported mitigations.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, containers hosts, and embedded systems.
  • Compare installed kernels with vendor advisories and upstream fixed stable commits.
  • Confirm whether netfilter connection tracking expectations are enabled or used.
  • Review security scanners for CVE-2024-44944 after kernel package metadata updates.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-44944 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
16Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux7b115755fb9d3aff0ddcd18a5c4d83381362acce, 3c79107631db1f7fd32cf3f7368e4672004a3010, 3c79107631db1f7fd32cf3f7368e4672004a3010, 3c79107631db1f7fd32cf3f7368e4672004a3010, 3c79107631db1f7fd32cf3f7368e4672004a3010, 3c79107631db1f7fd32cf3f7368e4672004a3010, 3c79107631db1f7fd32cf3f7368e4672004a3010, 3c79107631db1f7fd32cf3f7368e4672004a3010, 3d8b3d0384f709126beef6b917b7e97c23f18e74, 36bbd861a402a8c5bd8f0365a5967d34cc492f09, 1922476beeeea46bebbe577215078736dd4231dc, f862c13c3c926d3008b2c2bcc746ab813108dfbf, b0a90cae081d7ee14eaa46524fb70f4e23ae8905, 4.19.44, 3.16.72, 4.4.191, 4.9.190, 4.14.120, 5.0.17unaffected
LinuxLinux5.1, 0, 4.19.320, 5.4.282, 5.10.224, 5.15.165, 6.1.103, 6.6.44, 6.10.3, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.