Impact
The vulnerability was caused by a race condition in the Linux kernel's netfilter SYNPROXY hook registration path, where concurrent addition of iptables targets or nftables expressions could corrupt reference counts. The flaw, a classic race condition (CWE-362) and a reference count synchronization issue (CWE-820), risks undefined behaviour that can manifest as a kernel panic or a denial‑of‑service if an attacker can trigger concurrent hook registration. The upstream fix introduces a mutex to serialize control blocks, preventing the corrupted state and restoring stability.
Affected Systems
All Linux kernel releases that lack the mutex patch are vulnerable. This includes every distribution kernel version up to and including the most recent release before the commit that adds the synchronization. The fix is applied at the kernel level, so any system running a non‑patched kernel where SYNPROXY hooks are used is impacted.
Risk and Exploitability
The CVSS score is 5.5 and the EPSS score is < 1%; the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploitation involves a race condition (CWE-362) and kernel reference counting (CWE-820), it likely requires privileged local code execution or a scenario where kernel memory corruption can be triggered remotely through malformed packet handling. The risk is therefore moderate to high for environments that enable concurrent SYNPROXY configuration; the primary exploitation vector is concurrent hook registration by a privileged user or attacker who can manipulate firewall rule sets.
OpenCVE Enrichment
Debian DLA