{"id":"CVE-2024-50038","summary":"netfilter: xtables: avoid NFPROTO_UNSPEC where needed","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xtables: avoid NFPROTO_UNSPEC where needed\n\nsyzbot managed to call xt_cluster match via ebtables:\n\n WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780\n [..]\n ebt_do_table+0x174b/0x2a40\n\nModule registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet\nprocessing.  As this is only useful to restrict locally terminating\nTCP/UDP traffic, register this for ipv4 and ipv6 family only.\n\nPablo points out that this is a general issue, direct users of the\nset/getsockopt interface can call into targets/matches that were only\nintended for use with ip(6)tables.\n\nCheck all UNSPEC matches and targets for similar issues:\n\n- matches and targets are fine except if they assume skb_network_header()\n  is valid -- this is only true when called from inet layer: ip(6) stack\n  pulls the ip/ipv6 header into linear data area.\n- targets that return XT_CONTINUE or other xtables verdicts must be\n  restricted too, they are incompatbile with the ebtables traverser, e.g.\n  EBT_CONTINUE is a completely different value than XT_CONTINUE.\n\nMost matches/targets are changed to register for NFPROTO_IPV4/IPV6, as\nthey are provided for use by ip(6)tables.\n\nThe MARK target is also used by arptables, so register for NFPROTO_ARP too.\n\nWhile at it, bail out if connbytes fails to enable the corresponding\nconntrack family.\n\nThis change passes the selftests in iptables.git.","modified":"2026-04-02T12:21:14.466500Z","published":"2024-10-21T19:39:38.451Z","related":["MGASA-2024-0344","MGASA-2024-0345","SUSE-SU-2025:01600-1","SUSE-SU-2025:01614-1","SUSE-SU-2025:01620-1","SUSE-SU-2025:01640-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20206-1","SUSE-SU-2025:20270-1","SUSE-SU-2025:20283-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50038.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0bfcb7b71e735560077a42847f69597ec7dcc326"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4cdc55ec6222bb195995cc58f7cb46e4d8907056"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85ff9a0f793ca52c527e75cd40a69c948627ebde"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8f482bb7e27b37f1f734bb9a8eeb28b23d59d189"},{"type":"WEB","url":"https://git.kernel.org/stable/c/997f67d813ce0cf5eb3cdb8f124da68141e91b6c"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50038.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50038"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0269ea4937343536ec7e85649932bc8c9686ea78"},{"fixed":"85ff9a0f793ca52c527e75cd40a69c948627ebde"},{"fixed":"8f482bb7e27b37f1f734bb9a8eeb28b23d59d189"},{"fixed":"997f67d813ce0cf5eb3cdb8f124da68141e91b6c"},{"fixed":"4cdc55ec6222bb195995cc58f7cb46e4d8907056"},{"fixed":"0bfcb7b71e735560077a42847f69597ec7dcc326"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50038.json"}}],"schema_version":"1.7.5"}