Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2024-35839

Disclosure Date: May 17, 2024 •

CVE-2024-35839

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: replace physindev with physinif in nf_bridge_info

An skb can be added to a neigh->arp_queue while waiting for an arp
reply. Where original skb’s skb->dev can be different to neigh’s
neigh->dev. For instance in case of bridging dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.

As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from been
freed under us (for instance neigh_flush_dev doesn’t cleanup skbs from
different device’s neigh queue) we can crash on e.g. this stack:

arp_process
neigh_update

skb = __skb_dequeue(&neigh->arp_queue)
  neigh_resolve_output(..., skb)
    ...
      br_nf_dev_xmit
        br_nf_pre_routing_finish_bridge_slow
          skb->dev = nf_bridge->physindev
          br_handle_frame_finish

Let’s use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don’t get it and drop skb.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

Linux

Products

Linux

References

Canonical

CVE-2024-35839 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35839)

Miscellaneous

https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b

https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547

https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c

https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86

Rapid7

Unknown

CVE-2024-35839

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2024-35839

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-35839

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2024-35839

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification