CVE-2026-46324
Linux · Kernel
A concurrency issue in the Linux kernel's netfilter/nf_tables component: hook unregistration removes entries from the hook list with a non-RCU list deletion primitive while netlink dumpers may still be traversing that list.
Executive summary
A race condition in the Linux kernel's netfilter subsystem allows a netlink dump that is walking the nf_tables hook list concurrently with hook unregistration to follow a poisoned list pointer into an invalid kernel address, crashing the kernel. The primary impact is local denial of service.
Vulnerability
The functions nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks remove hooks from the hook list with a plain list_del() rather than list_del_rcu(). Netlink dumpers traverse this list under RCU read-side protection, so they are not excluded by the writer. Plain list_del() overwrites the removed entry's next pointer with LIST_POISON1; a dumper that is positioned on that entry when it is removed then dereferences the poison value, an invalid kernel address, and the kernel oopses. list_del_rcu() leaves the next pointer intact for exactly this reason, so an in-flight reader can finish its traversal.
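To make the mechanism concrete, the following is a userspace model added here; it is not the kernel's code or the fix, and it re-implements a minimal version of include/linux/list.h with the x86-64 LIST_POISON1/LIST_POISON2 values as assumptions. It snapshots a pointer to the middle hook, as a preempted dumper would hold between entries, deletes that hook with each primitive, and then checks whether the dumper can safely continue.

```c
#include <stddef.h>
#include <stdio.h>

/* Poison values as in include/linux/poison.h on x86-64 (assumption: zero delta). */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev;
    entry->next = head;
    entry->prev = prev;
    prev->next = entry;
    head->prev = entry;
}

static void __list_del(struct list_head *prev, struct list_head *next)
{
    next->prev = prev;
    prev->next = next;
}

/* Plain list_del(): unlinks and poisons BOTH pointers. A reader that already
 * holds this entry and follows ->next now lands on LIST_POISON1. */
static void list_del(struct list_head *e)
{
    __list_del(e->prev, e->next);
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
}

/* list_del_rcu(): unlinks but leaves ->next intact, so a concurrent RCU reader
 * that already holds this entry can still walk to the rest of the list. */
static void list_del_rcu(struct list_head *e)
{
    __list_del(e->prev, e->next);
    e->prev = LIST_POISON2;
}

struct hook { int id; struct list_head list; };

/* Simulated dumper resuming from `cur` (the entry it was on when preempted).
 * Returns the number of entries still reachable after cur, or -1 if the walk
 * would dereference a poison pointer (in the kernel: an oops / GPF). */
static int dumper_continue(const struct list_head *cur, const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = cur->next; p != head; p = p->next) {
        if (p == LIST_POISON1 || p == LIST_POISON2)
            return -1;
        n++;
    }
    return n;
}

/* Build a three-hook list, let the dumper hold hook 1, then unregister hook 1
 * with the chosen primitive and see whether the dumper survives. */
static int race_demo(int use_rcu)
{
    struct list_head head;
    struct hook h[3];

    INIT_LIST_HEAD(&head);
    for (int i = 0; i < 3; i++) {
        h[i].id = i;
        list_add_tail(&h[i].list, &head);
    }

    const struct list_head *dumper_cur = &h[1].list;   /* dumper is "at" hook 1 */
    if (use_rcu)
        list_del_rcu(&h[1].list);
    else
        list_del(&h[1].list);

    return dumper_continue(dumper_cur, &head);
}

int main(void)
{
    printf("list_del:     dumper result %d (-1 = would dereference LIST_POISON1)\n",
           race_demo(0));
    printf("list_del_rcu: dumper result %d (entries still reachable after hook 1)\n",
           race_demo(1));
    return 0;
}
```

The model only shows the pointer-poisoning half of the problem. In the kernel, switching to list_del_rcu() must be paired with deferring the entry's free (kfree_rcu() or synchronize_rcu()) so that a reader still holding the entry does not see freed memory; the model never frees anything, so it cannot show that part.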
Business impact
The reported CVSS score of 7.8 reflects a locally triggerable flaw in the kernel's core packet-filtering path. The realistic outcome of following a poisoned list pointer is a kernel oops, i.e. denial of service for the whole host (or every container sharing its kernel). Escalation to arbitrary code execution is not demonstrated and would require more than the invalid dereference described here, so treat the primary risk as availability.
Remediation
Immediate Action: Upgrade to a kernel (upstream stable or your distribution's patched build) that carries the fix replacing list_del() with list_del_rcu() in nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks. Confirm the fix is present through your distribution's changelog or advisory for this CVE rather than by version number alone, since distributions backport fixes.
Proactive Monitoring: Monitor kernel logs for oopses and general protection faults (these are kernel-side crashes, not userspace segmentation faults) whose stack traces include nf_tables, nft_, or nfnetlink symbols, particularly during flowtable or netdev-hook teardown.
Compensating Controls: Modifying nf_tables hooks requires CAP_NET_ADMIN in the relevant network namespace. Note that on kernels allowing unprivileged user namespaces, an unprivileged local user can obtain CAP_NET_ADMIN in a fresh namespace, so restricting unprivileged user namespace creation (via the distribution's sysctl for that purpose, or user.max_user_namespaces=0 where that is acceptable) is the control that actually reduces the local attack surface until the kernel is updated.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability highlights the complexity of kernel synchronization: an RCU-protected list is only safe if every writer uses the RCU deletion primitives. Security teams should update systems that use nf_tables flowtables or netdev-family hooks promptly, since the race is reachable by a local user who can manipulate hooks, including, where unprivileged user namespaces are enabled, an otherwise unprivileged one.