CVE-2024-49952: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49952 affects the Linux kernel's netfilter subsystem, specifically the nftables component. The vulnerability was discovered by syzbot and involves unsafe writing to the per-CPU variable nfskbduplicated in the nfdupipv4() and nfdup_ipv6() functions. The issue affects Linux kernel versions from 4.3 up to versions before 6.11.3 (NVD).

The vulnerability stems from improper handling of the per-CPU variable nfskbduplicated in the netfilter subsystem. The bug occurs when nfdupipv4() or nfdupipv6() writes to this variable without proper synchronization. While disabling preemption was attempted as a fix, it proved insufficient - soft interrupts also needed to be disabled to prevent corruption. The issue has a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to memory corruption in the kernel's network filtering subsystem. If exploited, it could cause a denial of service condition through system crashes. The impact is limited to local attacks and requires CAPNETADMIN capability or root privileges to exploit (Red Hat).

The vulnerability has been fixed in the Linux kernel through patches that properly handle the per-CPU variable access by implementing localbhdisable() and localbhenable() around the critical sections. The fix has been backported to multiple stable kernel versions. Users should update their kernel to a patched version (Kernel Patch).