CVE-2024-26834

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26834
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26834.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26834
Downstream
Published
2024-04-17T10:10:02Z
Modified
2025-10-14T13:51:09.237050Z
Summary
netfilter: nft_flow_offload: release dst in case direct xmit path is used
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftflowoffload: release dst in case direct xmit path is used

Direct xmit does not use it since it calls devqueuexmit() to send packets, hence it calls dst_release().

kmemleak reports:

unreferenced object 0xffff88814f440900 (size 184): comm "softirq", pid 0, jiffies 4294951896 hex dump (first 32 bytes): 00 60 5b 04 81 88 ff ff 00 e6 e8 82 ff ff ff ff .`[............. 21 0b 50 82 ff ff ff ff 00 00 00 00 00 00 00 00 !.P............. backtrace (crc cb2bf5d6): [<000000003ee17107>] kmemcachealloc+0x286/0x340 [<0000000021a5de2c>] dstalloc+0x43/0xb0 [<00000000f0671159>] rtdstalloc+0x2e/0x190 [<00000000fe5092c9>] _mkrouteoutput+0x244/0x980 [<000000005fb96fb0>] iprouteoutputflow+0xc0/0x160 [<0000000045367433>] nfiproute+0xf/0x30 [<0000000085da1d8e>] nfroute+0x2d/0x60 [<00000000d1ecd1cb>] nftflowroute+0x171/0x6a0 [nftflowoffload] [<00000000d9b2fb60>] nftflowoffloadeval+0x4e8/0x700 [nftflowoffload] [<000000009f447dbb>] exprcallopseval+0x53/0x330 [nftables] [<00000000072e1be6>] nftdochain+0x17c/0x840 [nftables] [<00000000d0551029>] nftdochaininet+0xa1/0x210 [nftables] [<0000000097c9d5c6>] nfhookslow+0x5b/0x160 [<0000000005eccab1>] ipforward+0x8b6/0x9b0 [<00000000553a269b>] iprcv+0x221/0x230 [<00000000412872e5>] _netifreceiveskbonecore+0xfe/0x110

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7c71b831220edeab7ce603d818dc1708d9ea4137
Fixed
13b57b5cd591d5b22f9bbf047b2922967de411f3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9c5662e95a8dcc232c3ef4deb21033badcd260f6
Fixed
a6cafdb49a7bbf4a88367db209703eee6941e023
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fa502c86566680ac62bc28ec883a069bf7a2aa5e
Fixed
9256ab9232e35a16af9c30fa4e522e6d1bd3605a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fa502c86566680ac62bc28ec883a069bf7a2aa5e
Fixed
2d17cf10179a7de6d8f0128168b84ad0b4a1863f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fa502c86566680ac62bc28ec883a069bf7a2aa5e
Fixed
8762785f459be1cfe6fcf7285c123aad6a3703f0

Affected versions

v6.*

v6.4
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@13b57b5cd591d5b22f9bbf047b2922967de411f3",
        "signature_type": "Line",
        "id": "CVE-2024-26834-0f83f6dc",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "97512485592081900317251580165815826165",
                "26571660179545582358097050288055438518",
                "226468868860955007799613136027394234898",
                "49595600081167164179106160521023658084"
            ]
        },
        "target": {
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8762785f459be1cfe6fcf7285c123aad6a3703f0",
        "signature_type": "Line",
        "id": "CVE-2024-26834-0fc02339",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "97512485592081900317251580165815826165",
                "26571660179545582358097050288055438518",
                "226468868860955007799613136027394234898",
                "49595600081167164179106160521023658084"
            ]
        },
        "target": {
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d17cf10179a7de6d8f0128168b84ad0b4a1863f",
        "signature_type": "Line",
        "id": "CVE-2024-26834-60ca727e",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "97512485592081900317251580165815826165",
                "26571660179545582358097050288055438518",
                "226468868860955007799613136027394234898",
                "49595600081167164179106160521023658084"
            ]
        },
        "target": {
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6cafdb49a7bbf4a88367db209703eee6941e023",
        "signature_type": "Function",
        "id": "CVE-2024-26834-6b4ecadf",
        "digest": {
            "function_hash": "241721253803222964224015758043218982852",
            "length": 1501.0
        },
        "target": {
            "function": "flow_offload_fill_route",
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6cafdb49a7bbf4a88367db209703eee6941e023",
        "signature_type": "Line",
        "id": "CVE-2024-26834-82b992b6",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "97512485592081900317251580165815826165",
                "26571660179545582358097050288055438518",
                "226468868860955007799613136027394234898",
                "49595600081167164179106160521023658084"
            ]
        },
        "target": {
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d17cf10179a7de6d8f0128168b84ad0b4a1863f",
        "signature_type": "Function",
        "id": "CVE-2024-26834-90f3ce54",
        "digest": {
            "function_hash": "241721253803222964224015758043218982852",
            "length": 1501.0
        },
        "target": {
            "function": "flow_offload_fill_route",
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9256ab9232e35a16af9c30fa4e522e6d1bd3605a",
        "signature_type": "Line",
        "id": "CVE-2024-26834-a8ed489e",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "97512485592081900317251580165815826165",
                "26571660179545582358097050288055438518",
                "226468868860955007799613136027394234898",
                "49595600081167164179106160521023658084"
            ]
        },
        "target": {
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@13b57b5cd591d5b22f9bbf047b2922967de411f3",
        "signature_type": "Function",
        "id": "CVE-2024-26834-b784c3d2",
        "digest": {
            "function_hash": "241721253803222964224015758043218982852",
            "length": 1501.0
        },
        "target": {
            "function": "flow_offload_fill_route",
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8762785f459be1cfe6fcf7285c123aad6a3703f0",
        "signature_type": "Function",
        "id": "CVE-2024-26834-de419e6d",
        "digest": {
            "function_hash": "241721253803222964224015758043218982852",
            "length": 1501.0
        },
        "target": {
            "function": "flow_offload_fill_route",
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9256ab9232e35a16af9c30fa4e522e6d1bd3605a",
        "signature_type": "Function",
        "id": "CVE-2024-26834-ec098bbd",
        "digest": {
            "function_hash": "241721253803222964224015758043218982852",
            "length": 1501.0
        },
        "target": {
            "function": "flow_offload_fill_route",
            "file": "net/netfilter/nf_flow_table_core.c"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.19
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.7