GHSA-jr8j-2jhp-m67v: 
vulnerability analysis and mitigation

A vulnerability was discovered in the Linux kernel's net/netfilter/nftablesapi.c component, specifically affecting the nftverdictinit function. The issue, identified as GHSA-jr8j-2jhp-m67v and CVE-2022-39190, was published on September 8, 2022, and affects Talos versions below 1.2.0. This moderate severity vulnerability involves improper resource management when binding to an already bound chain (GitHub Advisory).

The vulnerability exists in the nftverdictinit function within net/netfilter/nftablesapi.c of the Linux kernel. The core issue stems from improper resource management where the program does not release or incorrectly releases a resource before it is made available for re-use. This occurs specifically when attempting to bind to a chain that is already bound (SESIN Report).

When exploited, this vulnerability can lead to a denial of service condition in the affected systems. The manipulation of unknown input in the nftverdictinit function can trigger this denial of service state, potentially affecting system availability (GitHub Advisory).

The vulnerability has been patched in Talos version 1.2.0 and later releases. The fix has been backported to Linux kernel version 5.15.64, which is the upstream kernel long-term version that Talos ships with. Users are recommended to upgrade to Talos version 1.2.0 or later to address this vulnerability (GitHub Advisory).