LiveActive security incident?Get immediate response
CVE Record

CVE-2024-56655: netfilter: nf_tables: do not defer rule destruction via call_rcu

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not defer rule destruction via call_rcu nf_tables_chain_destroy can sleep, it can't be used from call_rcu callbacks. Moreover, nf_tables_rule_release() is only safe for error unwinding, while transaction mutex is held and the to-be-desroyed rule was not exposed to either dataplane or dumps, as it deactives+frees without the required synchronize_rcu() in-between. nft_rule_expr_deactivate() callbacks will change ->use counters of other chains/sets, see e.g. nft_lookup .deactivate callback, these must be serialized via transaction mutex. Also add a few lockdep asserts to make this more explicit. Calling synchronize_rcu() isn't ideal, but fixing this without is hard and way more intrusive. As-is, we can get: WARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x.. Workqueue: events nf_tables_trans_destroy_work RIP: 0010:nft_set_destroy+0x3fe/0x5c0 Call Trace: <TASK> nf_tables_trans_destroy_work+0x6b7/0xad0 process_one_work+0x64a/0xce0 worker_thread+0x613/0x10d0 In case the synchronize_rcu becomes an issue, we can explore alternatives. One way would be to allocate nft_trans_rule objects + one nft_trans_chain object, deactivate the rules + the chain and then defer the freeing to the nft destroy workqueue. We'd still need to keep the synchronize_rcu path as a fallback to handle -ENOMEM corner cases though.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel nf_tables cleanup bug. The source describes unsafe rule destruction timing around RCU callbacks and locking. Business urgency depends on where affected kernels run and whether nftables is exposed to untrusted local users or workloads. No active exploitation is reported in the provided sources.

Executive priority

Treat as a kernel maintenance item with uncertain severity. Patch during the next prioritized Linux update cycle, faster for multi-tenant, container-heavy, or security-sensitive hosts where local kernel bugs carry higher business risk.

Technical view

nf_tables_chain_destroy can sleep and was used from call_rcu callbacks. The fix avoids deferred rule destruction in that path, adds synchronization, and clarifies transaction mutex requirements because deactivate callbacks can change chain or set use counters.

Likely exposure

Exposure is likely limited to Linux systems running affected kernel builds with nf_tables available. The affected version data names Linux and includes 6.12, 6.6.67, 6.12.6, and 6.13, but distro backports must be checked.

Exploitation context

The source bundle does not include CVSS, CWE, proof of exploitation, or CISA KEV listing. It shows a kernel warning in nf_tables transaction destroy work, but does not establish remote exploitability, privilege escalation, or a public exploit.

Researcher notes

The evidence supports a concurrency/lifetime fix in nf_tables rule destruction, not a complete exploit narrative. Version metadata is incomplete and should be reconciled against kernel commit ancestry and distribution-specific backports before declaring assets affected or fixed.

Mitigation direction

  • Check your Linux vendor advisory for CVE-2024-56655 coverage.
  • Upgrade or backport the relevant stable kernel fix commits.
  • Prioritize hosts using nftables, containers, or untrusted local workloads.
  • Restrict nftables administration to trusted privileged users.
  • Monitor kernels for nf_tables or nft_set_destroy warnings until patched.

Validation and detection

  • Inventory kernel versions across servers, images, and appliances.
  • Confirm whether distro kernels include the referenced stable commits.
  • Identify systems with nf_tables enabled or nft rules configured.
  • Review kernel logs for nf_tables transaction destroy warnings.
  • Track remediation status separately for upstream and vendor kernels.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-56655 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
8Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux9eee6097ffb26cdd2adb988c0d378fa0d650c737, 558f503f707f481bbf40efa74a938b8021df841d, a394c160d57f4b083bd904a22802f6fb7f5b3cea, e6c32a64d61184c2bdf89442b3d31ef530afba34, bfd05c68e4c6320304e9f371ffa356b6e4b9cc53, c03d278fdf35e73dd0ec543b9b556876b9d9a8dc, c03d278fdf35e73dd0ec543b9b556876b9d9a8dc, cb401e5799e0acacb405f2128097e9c4ccf82f8a, 6.6.61, 6.11.8unaffected
LinuxLinux6.12, 0, 6.6.67, 6.12.6, 6.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.