CVE-2024-56655: netfilter: nf_tables: do not defer rule destruction via call_rcu
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: do not defer rule destruction via call_rcu
nf_tables_chain_destroy can sleep, it can't be used from call_rcu
callbacks.
Moreover, nf_tables_rule_release() is only safe for error unwinding,
while transaction mutex is held and the to-be-desroyed rule was not
exposed to either dataplane or dumps, as it deactives+frees without
the required synchronize_rcu() in-between.
nft_rule_expr_deactivate() callbacks will change ->use counters
of other chains/sets, see e.g. nft_lookup .deactivate callback, these
must be serialized via transaction mutex.
Also add a few lockdep asserts to make this more explicit.
Calling synchronize_rcu() isn't ideal, but fixing this without is hard
and way more intrusive. As-is, we can get:
WARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x..
Workqueue: events nf_tables_trans_destroy_work
RIP: 0010:nft_set_destroy+0x3fe/0x5c0
Call Trace:
<TASK>
nf_tables_trans_destroy_work+0x6b7/0xad0
process_one_work+0x64a/0xce0
worker_thread+0x613/0x10d0
In case the synchronize_rcu becomes an issue, we can explore alternatives.
One way would be to allocate nft_trans_rule objects + one nft_trans_chain
object, deactivate the rules + the chain and then defer the freeing to the
nft destroy workqueue. We'd still need to keep the synchronize_rcu path as
a fallback to handle -ENOMEM corner cases though.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel nf_tables cleanup bug. The source describes unsafe rule destruction timing around RCU callbacks and locking. Business urgency depends on where affected kernels run and whether nftables is exposed to untrusted local users or workloads. No active exploitation is reported in the provided sources.
Executive priority
Treat as a kernel maintenance item with uncertain severity. Patch during the next prioritized Linux update cycle, faster for multi-tenant, container-heavy, or security-sensitive hosts where local kernel bugs carry higher business risk.
Technical view
nf_tables_chain_destroy can sleep and was used from call_rcu callbacks. The fix avoids deferred rule destruction in that path, adds synchronization, and clarifies transaction mutex requirements because deactivate callbacks can change chain or set use counters.
Likely exposure
Exposure is likely limited to Linux systems running affected kernel builds with nf_tables available. The affected version data names Linux and includes 6.12, 6.6.67, 6.12.6, and 6.13, but distro backports must be checked.
Exploitation context
The source bundle does not include CVSS, CWE, proof of exploitation, or CISA KEV listing. It shows a kernel warning in nf_tables transaction destroy work, but does not establish remote exploitability, privilege escalation, or a public exploit.
Researcher notes
The evidence supports a concurrency/lifetime fix in nf_tables rule destruction, not a complete exploit narrative. Version metadata is incomplete and should be reconciled against kernel commit ancestry and distribution-specific backports before declaring assets affected or fixed.
Mitigation direction
Check your Linux vendor advisory for CVE-2024-56655 coverage.
Upgrade or backport the relevant stable kernel fix commits.
Prioritize hosts using nftables, containers, or untrusted local workloads.
Restrict nftables administration to trusted privileged users.
Monitor kernels for nf_tables or nft_set_destroy warnings until patched.
Validation and detection
Inventory kernel versions across servers, images, and appliances.
Confirm whether distro kernels include the referenced stable commits.
Identify systems with nf_tables enabled or nft rules configured.
Review kernel logs for nf_tables transaction destroy warnings.
Track remediation status separately for upstream and vendor kernels.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-56655 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
8Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 27, 2024, 15:06 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.