CVE-2024-35839 (GCVE-0-2024-35839)

Vulnerability from cvelistv5 – Published: 2024-05-17 14:27 – Updated: 2026-05-11 20:12
Title
netfilter: bridge: replace physindev with physinif in nf_bridge_info
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bridge: replace physindev with physinif in nf_bridge_info

An skb can be added to a neigh->arp_queue while waiting for an arp reply. Where original skb's skb->dev can be different to neigh's neigh->dev. For instance in case of bridging dnated skb from one veth to another, the skb would be added to a neigh->arp_queue of the bridge.

As skb->dev can be reset back to nf_bridge->physindev and used, and as there is no explicit mechanism that prevents this physindev from being freed under us (for instance neigh_flush_dev doesn't cleanup skbs from different device's neigh queue) we can crash on e.g. this stack:

arp_process
  neigh_update
    skb = __skb_dequeue(&neigh->arp_queue)
      neigh_resolve_output(..., skb)
        ...
          br_nf_dev_xmit
            br_nf_pre_routing_finish_bridge_slow
              skb->dev = nf_bridge->physindev
              br_handle_frame_finish

Let's use plain ifindex instead of net_device link. To peek into the original net_device we will use dev_get_by_index_rcu(). Thus either we get device and are safe to use it or we don't get it and drop skb.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: c4e70a87d975d1f561a00abfe2d3cefa2a486c95 , < 7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b (git)
Affected: c4e70a87d975d1f561a00abfe2d3cefa2a486c95 , < 9325e3188a9cf3f69fc6f32af59844bbc5b90547 (git)
Affected: c4e70a87d975d1f561a00abfe2d3cefa2a486c95 , < 544add1f1cfb78c3dfa3e6edcf4668f6be5e730c (git)
Affected: c4e70a87d975d1f561a00abfe2d3cefa2a486c95 , < 9874808878d9eed407e3977fd11fee49de1e1d86 (git)
Linux Linux Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 6.1.75 , ≤ 6.1.* (semver)
Unaffected: 6.6.14 , ≤ 6.6.* (semver)
Unaffected: 6.7.2 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35839",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T19:26:55.890240Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:33:44.186Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.411Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/netfilter_bridge.h",
            "include/linux/skbuff.h",
            "net/bridge/br_netfilter_hooks.c",
            "net/bridge/br_netfilter_ipv6.c",
            "net/ipv4/netfilter/nf_reject_ipv4.c",
            "net/ipv6/netfilter/nf_reject_ipv6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b",
              "status": "affected",
              "version": "c4e70a87d975d1f561a00abfe2d3cefa2a486c95",
              "versionType": "git"
            },
            {
              "lessThan": "9325e3188a9cf3f69fc6f32af59844bbc5b90547",
              "status": "affected",
              "version": "c4e70a87d975d1f561a00abfe2d3cefa2a486c95",
              "versionType": "git"
            },
            {
              "lessThan": "544add1f1cfb78c3dfa3e6edcf4668f6be5e730c",
              "status": "affected",
              "version": "c4e70a87d975d1f561a00abfe2d3cefa2a486c95",
              "versionType": "git"
            },
            {
              "lessThan": "9874808878d9eed407e3977fd11fee49de1e1d86",
              "status": "affected",
              "version": "c4e70a87d975d1f561a00abfe2d3cefa2a486c95",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/netfilter_bridge.h",
            "include/linux/skbuff.h",
            "net/bridge/br_netfilter_hooks.c",
            "net/bridge/br_netfilter_ipv6.c",
            "net/ipv4/netfilter/nf_reject_ipv4.c",
            "net/ipv6/netfilter/nf_reject_ipv6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.75",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.14",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.2",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\n\nAn skb can be added to a neigh-\u003earp_queue while waiting for an arp\nreply. Where original skb\u0027s skb-\u003edev can be different to neigh\u0027s\nneigh-\u003edev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh-\u003earp_queue of the bridge.\n\nAs skb-\u003edev can be reset back to nf_bridge-\u003ephysindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn\u0027t cleanup skbs from\ndifferent device\u0027s neigh queue) we can crash on e.g. this stack:\n\narp_process\n  neigh_update\n    skb = __skb_dequeue(\u0026neigh-\u003earp_queue)\n      neigh_resolve_output(..., skb)\n        ...\n          br_nf_dev_xmit\n            br_nf_pre_routing_finish_bridge_slow\n              skb-\u003edev = nf_bridge-\u003ephysindev\n              br_handle_frame_finish\n\nLet\u0027s use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don\u0027t get it and drop skb."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:12:08.170Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547"
        },
        {
          "url": "https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86"
        }
      ],
      "title": "netfilter: bridge: replace physindev with physinif in nf_bridge_info",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35839",
    "datePublished": "2024-05-17T14:27:30.524Z",
    "dateReserved": "2024-05-17T13:50:33.104Z",
    "dateUpdated": "2026-05-11T20:12:08.170Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-35839",
      "date": "2026-05-27",
      "epss": "0.00015",
      "percentile": "0.03371"
    }
  }
}

