CVE-2024-0193

medium

Published 2024-03-12 · Modified 2026-05-15

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

6.7

Description

A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.

Predictions

Exploit likelihood

66%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description kernel: netfilter: use-after-free in nft_trans_gc_catchall_sync leads to privilege escalation Red Hat statement The upstream commit that introduced this flaw (5f68718b34a5 "netfilter: nf_tables: GC transaction API to avoid race with control plane") is not included in any shipped kernel releases of Red Hat Enterprise Linux 6, 7, and 8. Only local users with `CAP_NET_ADMIN` capability…

Description

kernel: netfilter: use-after-free in nft_trans_gc_catchall_sync leads to privilege escalation

Red Hat statement

The upstream commit that introduced this flaw (5f68718b34a5 "netfilter: nf_tables: GC transaction API to avoid race with control plane") is not included in any shipped kernel releases of Red Hat Enterprise Linux 6, 7, and 8. Only local users with `CAP_NET_ADMIN` capability or root can trigger this issue. On Red Hat Enterprise Linux, local unprivileged users can exploit unprivileged user namespaces (CONFIG_USER_NS) to grant themselves this capability. The OpenShift Container Platform (OCP) control planes or master machines are based on Red Hat Enterprise Linux CoreOS (RHCOS) that consists primarily of RHEL components, therefore, it is also affected by this kernel vulnerability. A successful exploit needs necessary privileges (CAP_NET_ADMIN) and direct, local access. A local user in RHCOS is already a root with full permissions, hence existence of this vulnerability does not bring any value from the potential attacker perspective. From the OpenShift containers perspective, this vulnerability cannot be exploited as in OpenShift the cluster processes on the node are namespaced, which means that switching the namespace in the running OpenShift container will not bring necessary capabilities. This means that for OpenShift, the impact of this vulnerability is Low. Similar to the CVE-2023-32233 vulnerability, this has been explained in the following blog post as an example of a "Container escape vulnerability": https://www.redhat.com/en/blog/containers-vulnerability-risk-assessment

CVSS v3: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 9	`kernel-0:5.14.0-362.24.1.el9_3`	RHSA-2024:1248	2024-03-12T00:00:00Z
Red Hat Enterprise Linux 9	`kernel-0:5.14.0-362.24.1.el9_3`	RHSA-2024:1248	2024-03-12T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	`kernel-0:5.14.0-70.105.1.el9_0`	RHSA-2024:4415	2024-07-09T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	`kernel-rt-0:5.14.0-70.105.1.rt21.177.el9_0`	RHSA-2024:4412	2024-07-09T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support	`kernel-0:5.14.0-284.55.1.el9_2`	RHSA-2024:1018	2024-02-28T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support	`kernel-rt-0:5.14.0-284.55.1.rt14.340.el9_2`	RHSA-2024:1019	2024-02-28T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/cluster-logging-operator-bundle:v5.8.6-22`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/cluster-logging-rhel9-operator:v5.8.6-11`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/elasticsearch6-rhel9:v6.8.1-407`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/elasticsearch-operator-bundle:v5.8.6-19`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/elasticsearch-proxy-rhel9:v1.0.0-479`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/elasticsearch-rhel9-operator:v5.8.6-7`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/eventrouter-rhel9:v0.4.0-247`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/fluentd-rhel9:v5.8.6-5`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-227`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/logging-curator5-rhel9:v5.8.1-470`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/logging-loki-rhel9:v2.9.6-14`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/logging-view-plugin-rhel9:v5.8.6-2`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/loki-operator-bundle:v5.8.6-24`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/loki-rhel9-operator:v5.8.6-10`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/lokistack-gateway-rhel9:v0.1.0-525`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/opa-openshift-rhel9:v0.1.0-224`	RHSA-2024:2094	2024-05-01T00:00:00Z
RHOL-5.8-RHEL-9	`openshift-logging/vector-rhel9:v0.28.1-56`	RHSA-2024:2094	2024-05-01T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`kernel`	Not affected
Red Hat Enterprise Linux 7	`kernel`	Not affected
Red Hat Enterprise Linux 7	`kernel-rt`	Not affected
Red Hat Enterprise Linux 8	`kernel`	Not affected
Red Hat Enterprise Linux 8	`kernel-rt`	Not affected
Red Hat Enterprise Linux 9	`kernel-rt`	Affected

Apply commands

bash fix

Apply RHSA-2024:1248 for Red Hat Enterprise Linux 9

yum update -y kernel
# or:
dnf upgrade -y kernel

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 6	`Not affected`
redhat	Red Hat Enterprise Linux 7	`Not affected`
redhat	Red Hat Enterprise Linux 7	`Not affected`
redhat	Red Hat Enterprise Linux 8	`Not affected`
redhat	Red Hat Enterprise Linux 8	`Not affected`
redhat	Red Hat Enterprise Linux 9	`Affected`

OS impact

Linux kernel Affected 1 release

Version	Status	Fixed in
—	Affected	`5.10.206`

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Red Hat Mixed 4 releases

Version	Status	Fixed in
9.6_aarch64	Affected	—
9.4_aarch64	Affected	—
9.0_aarch64	Affected	—
9	Fixed	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`6.6.11-1`
sid	Fixed	`6.6.11-1`
forky	Fixed	`6.6.11-1`
bullseye	Fixed	`5.10.205-1`
bookworm	Fixed	`6.1.69-1`

Rocky Linux Fixed 1 release

Version	Status	Fixed in
9	Fixed	—

Application impact

Vendor	Product	Versions
redhat	codeready_linux_builder_for_ibm_z_systems_eus	`9.2_s390x`
redhat	codeready_linux_builder_for_power_little_endian_eus	`9.2_ppc64le`
redhat	codeready_linux_builder_for_x86_64_eus	`9.2`
redhat	codeready_linux_builder_for_arm64	`9.0_aarch64`
redhat	codeready_linux_builder_for_arm64_eus	`9.4_aarch64`
redhat	codeready_linux_builder_for_arm64_eus	`9.6_aarch64`
redhat	codeready_linux_builder_for_ibm_z_systems	`9.0_s390x`
redhat	codeready_linux_builder_for_ibm_z_systems_eus	`9.4_s390x`
redhat	codeready_linux_builder_for_ibm_z_systems_eus	`9.6_s390x`
redhat	codeready_linux_builder_for_power_little_endian	`9.0_ppc64le`
redhat	codeready_linux_builder_for_power_little_endian_eus	`9.4_ppc64le`
redhat	codeready_linux_builder_for_power_little_endian_eus	`9.6_ppc64le`
redhat	codeready_linux_builder_for_x86_64_eus	`9.4`
redhat	codeready_linux_builder_for_x86_64_eus	`9.6`
redhat	logging_subsystem_for_red_hat_openshift	`5.0`
redhat	logging_subsystem_for_red_hat_openshift_for_arm_64	`5.0`
redhat	logging_subsystem_for_red_hat_openshift_for_ibm_power_little_endian	`5.0`
redhat	logging_subsystem_for_red_hat_openshift_for_ibm_z_and_linuxone	`5.0`

References

CWEs

CWE-416

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.