CVE-2024-39504: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-39504 is a vulnerability in the Linux kernel's netfilter component, specifically affecting the nftinner functionality. The issue was discovered and disclosed on July 12, 2024, involving a NULL pointer dereference vulnerability in the netfilter's nftinner component when validating mandatory netlink attributes in payload and meta expressions used embedded from the inner expression (NVD).

The vulnerability stems from insufficient validation of mandatory netlink attributes in payload and meta expressions when used embedded from the inner expression. This affects Linux kernel versions from 6.2 up to (excluding) 6.6.35, versions from 6.7 up to (excluding) 6.9.6, and release candidates 6.10-rc1 through 6.10-rc3. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access required with low attack complexity (NVD).

When exploited, this vulnerability can lead to a NULL pointer dereference from userspace, potentially causing system crashes or denial of service conditions. The vulnerability affects the system's availability but does not impact confidentiality or integrity (NVD).

The vulnerability has been fixed in the Linux kernel through patches that implement proper validation of mandatory netlink attributes. The fix includes checking for mandatory netlink attributes in payload and meta expression when used embedded from the inner expression. Updates are available for various Linux distributions, including Ubuntu 24.04 LTS (noble) with version 6.8.0-44.44 (Ubuntu).