CVE-2026-43024
Status: Awaiting Analysis
Immediate NF_QUEUE Verdict Rejection in Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: reject immediate NF_QUEUE verdict

nft_queue is always used from userspace nftables to deliver the NF_QUEUE verdict. Immediately emitting an NF_QUEUE verdict is never used by the userspace nft tools, so reject immediate NF_QUEUE verdicts.

The arp family does not provide queue support, but such an immediate verdict is still reachable. Globally reject NF_QUEUE immediate verdicts to address this issue.
Meta Information

Published: 2026-05-01
Last Modified: 2026-05-01
Generated: 2026-05-06
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products

1 associated CPE: vendor linux, product linux_kernel, version/range *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter subsystem, specifically in the nf_tables component. The issue involves the handling of the NF_QUEUE verdict, which is used to pass packets from kernel space to userspace for further processing. Normally, the userspace nftables tools use the nft_queue expression to deliver the NF_QUEUE verdict; they never emit this verdict as an immediate verdict. However, the arp family does not support queueing, yet an immediate NF_QUEUE verdict is still reachable there, which is unintended behavior. The fix rejects such immediate NF_QUEUE verdicts globally.


How can this vulnerability impact me?

The vulnerability could potentially allow unexpected or unintended packet handling behavior in the Linux kernel's networking stack. Since immediate NF_QUEUE verdicts are neither expected nor supported by the userspace tools, their presence might lead to inconsistent or incorrect packet processing, which could affect network security or stability. Rejecting these immediate NF_QUEUE verdicts globally mitigates the issue.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is addressed by globally rejecting immediate NF_QUEUE verdicts in the Linux kernel's netfilter nf_tables subsystem.

Since nft_queue is always used from userspace nftables to deliver the NF_QUEUE verdict, and immediate NF_QUEUE verdicts are never used by the userspace nft tools, updating your kernel to a version that includes the patch rejecting immediate NF_QUEUE verdicts will mitigate this issue.

