| The vulnerability affects the netfilter subsystem of the Linux kernel, specifically nftables. When a connlimit expression is used in a set element, the element's expression state is instantiated from the expression template with a plain `memcpy()`. That byte copy does not work for connlimit, and the result is a crash in the connlimit garbage collector. |
| |
| The root cause is that the connlimit expression embeds a list head, and `memcpy()` duplicates the list head's `next` and `prev` pointers verbatim, so the copied element's list head still points into the template's list instead of at itself. The fix is to initialise the copied expression through `nft_expr_clone()`, which gives the new element a freshly initialised list head rather than a byte copy of the template's. The kernel crash dump provided with the report shows the garbage collector walking that corrupted list: the `RIP` is inside `find_or_evict()` in the `nf_conncount` module, i.e. the conncount garbage-collection path. |
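| To make the failure concrete, here is a small userspace C illustration added to this page (it is not kernel code and not part of the fix): a list head embedded in a structure is copied once with `memcpy()` and once with a clone helper that re-initialises the list, and a bounded garbage-collector-style walk is run over each copy. `struct conn_expr`, `struct conn_node` and the helper names are assumptions made for the demo; the list primitives mirror the kernel's `<linux/list.h>`. |

```c
/*
 * Added illustration, not kernel code: why byte-copying a structure that
 * embeds a list head breaks, and what a clone helper has to do instead.
 * struct list_head and the helpers mirror the kernel's <linux/list.h>;
 * struct conn_expr / struct conn_node are stand-ins invented for this demo.
 */
#include <stdio.h>
#include <string.h>

struct list_head {
    struct list_head *next, *prev;
};

static void init_list_head(struct list_head *h)
{
    h->next = h;
    h->prev = h;
}

/* Insert n right after head, like the kernel's list_add(). */
static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* Stand-in for a stateful connlimit expression instance. */
struct conn_expr {
    unsigned int limit;
    unsigned int count;
    struct list_head conns;  /* list head: its pointers refer to THIS object */
};

/* Stand-in for one tracked connection hanging off the expression's list. */
struct conn_node {
    unsigned int id;
    struct list_head node;
};

/* Buggy path: memcpy() leaves the copy's list head pointing at the template. */
static void expr_copy_memcpy(struct conn_expr *dst, const struct conn_expr *src)
{
    memcpy(dst, src, sizeof(*dst));
}

/* Fixed path: copy the configuration, give the copy its own empty list. */
static void expr_clone(struct conn_expr *dst, const struct conn_expr *src)
{
    dst->limit = src->limit;
    dst->count = 0;
    init_list_head(&dst->conns);
}

/* Bounded GC-style walk.  Returns entries visited, or -1 if the walk never
 * gets back to this object's own head within max_steps (in the kernel this
 * is where the walk runs through foreign memory and oopses). */
static int gc_walk(const struct conn_expr *e, unsigned int max_steps)
{
    const struct list_head *pos = e->conns.next;
    unsigned int visited = 0;

    while (pos != &e->conns) {
        if (visited++ >= max_steps)
            return -1;
        pos = pos->next;
    }
    return (int)visited;
}

/* Instantiate an element from an empty template, track one connection on
 * it, then let the GC walk it.  Returns gc_walk()'s result and reports in
 * *template_intact whether the template's list is still a self-referencing
 * empty list afterwards. */
static int scenario(int use_clone, int *template_intact)
{
    struct conn_expr tmpl, elem;
    struct conn_node c = { .id = 1 };
    int walked;

    tmpl.limit = 10;
    tmpl.count = 0;
    init_list_head(&tmpl.conns);

    if (use_clone)
        expr_clone(&elem, &tmpl);
    else
        expr_copy_memcpy(&elem, &tmpl);

    list_add(&c.node, &elem.conns);    /* a new connection is tracked */
    walked = gc_walk(&elem, 16);

    *template_intact = (tmpl.conns.next == &tmpl.conns &&
                        tmpl.conns.prev == &tmpl.conns);
    return walked;
}

static int walk_after_memcpy(void)            { int i; return scenario(0, &i); }
static int walk_after_clone(void)             { int i; return scenario(1, &i); }
static int template_intact_after_memcpy(void) { int i; scenario(0, &i); return i; }
static int template_intact_after_clone(void)  { int i; scenario(1, &i); return i; }

int main(void)
{
    printf("memcpy copy: walk=%d template_intact=%d\n",
           walk_after_memcpy(), template_intact_after_memcpy());
    printf("cloned copy: walk=%d template_intact=%d\n",
           walk_after_clone(), template_intact_after_clone());
    return 0;
}
```

| With the `memcpy()` copy the walk never returns to the element's own head, and the template's list is left pointing at a node that belongs to the copy; that is the condition that, in the kernel, turns into the oops in `find_or_evict()`. The cloned copy walks cleanly and leaves the template untouched. |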
| |
| The bug was introduced in Linux 5.7 by commit 409444522976 and is fixed in 5.10.64, 5.11.16 and 5.12 by commits e51ff3ffc316, 47d8de3c2265 and 4d8f9065830e respectively (the 5.12 commit is the mainline fix; the other two are its stable backports). |
| |
| The affected file is `net/netfilter/nf_tables_api.c`. The Linux kernel CVE team recommends updating to the latest stable kernel; if that is not possible, the fix can be cherry-picked from the commits listed above. Note that loading a ruleset containing such a set element requires `CAP_NET_ADMIN`, but on systems that allow unprivileged user namespaces an ordinary user can hold that capability inside a network namespace of their own, so the crash should be treated as a denial of service reachable without root. |
| |