{"id":"CVE-2024-50257","summary":"netfilter: Fix use-after-free in get_info()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: Fix use-after-free in get_info()\n\nip6table_nat module unload has refcnt warning for UAF. call trace is:\n\nWARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80\nModules linked in: ip6table_nat(-)\nCPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:module_put+0x6f/0x80\nCall Trace:\n \u003cTASK\u003e\n get_info+0x128/0x180\n do_ip6t_get_ctl+0x6a/0x430\n nf_getsockopt+0x46/0x80\n ipv6_getsockopt+0xb9/0x100\n rawv6_getsockopt+0x42/0x190\n do_sock_getsockopt+0xaa/0x180\n __sys_getsockopt+0x70/0xc0\n __x64_sys_getsockopt+0x20/0x30\n do_syscall_64+0xa2/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nConcurrent execution of module unload and get_info() triggered the warning.\nThe root cause is as follows:\n\ncpu0\t\t\t\t      cpu1\nmodule_exit\n//mod-\u003estate = MODULE_STATE_GOING\n  ip6table_nat_exit\n    xt_unregister_template\n\tkfree(t)\n\t//removed from templ_list\n\t\t\t\t      getinfo()\n\t\t\t\t\t  t = xt_find_table_lock\n\t\t\t\t\t\tlist_for_each_entry(tmpl, &xt_templates[af]...)\n\t\t\t\t\t\t\tif (strcmp(tmpl-\u003ename, name))\n\t\t\t\t\t\t\t\tcontinue;  //table not found\n\t\t\t\t\t\t\ttry_module_get\n\t\t\t\t\t\tlist_for_each_entry(t, &xt_net-\u003etables[af]...)\n\t\t\t\t\t\t\treturn t;  //not get refcnt\n\t\t\t\t\t  module_put(t-\u003eme) //uaf\n    unregister_pernet_subsys\n    //remove table from xt_net list\n\nWhile xt_table module was going away and has been removed from\nxt_templates list, we couldn't get refcnt of xt_table-\u003eme. Check\nmodule in xt_net-\u003etables list re-traversal to fix it.","modified":"2026-04-16T04:32:16.407678311Z","published":"2024-11-09T10:15:10.373Z","related":["SUSE-SU-2024:4314-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:02069-1","SUSE-SU-2025:02070-1","SUSE-SU-2025:02071-1","SUSE-SU-2025:02076-1","SUSE-SU-2025:02077-1","SUSE-SU-2025:02116-1","SUSE-SU-2025:02117-1","SUSE-SU-2025:02126-1","SUSE-SU-2025:02127-1","SUSE-SU-2025:02162-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","SUSE-SU-2025:20431-1","SUSE-SU-2025:20435-1","SUSE-SU-2025:20436-1","SUSE-SU-2025:20437-1","SUSE-SU-2025:20448-1","SUSE-SU-2025:20450-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50257.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6a1f088f9807f5166f58902d26246d0b88da03a8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba22ea01348384df19cc1fabc7964be6e7189749"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bab3bb35c03b263c486833d50d50c081d9e9832b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cb7c388b5967946f097afdb759b7c860305f2d96"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f48d258f0ac540f00fa617dac496c4c18b5dc2fa"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50257.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50257"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fdacd57c79b79a03c7ca88f706ad9fb7b46831c1"},{"fixed":"ba22ea01348384df19cc1fabc7964be6e7189749"},{"fixed":"cb7c388b5967946f097afdb759b7c860305f2d96"},{"fixed":"6a1f088f9807f5166f58902d26246d0b88da03a8"},{"fixed":"bab3bb35c03b263c486833d50d50c081d9e9832b"},{"fixed":"f48d258f0ac540f00fa617dac496c4c18b5dc2fa"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50257.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}