CVE-2024-57947
Linux Kernel vulnerability analysis and mitigation

Overview

A buffer overflow vulnerability (CVE-2024-57947) was discovered in the Linux kernel's netfilter component, specifically in the nf_set_pipapo functionality. The vulnerability was disclosed on January 23, 2025, and affects the initial map fill operation, where the buffer initialization was not restricted to the size of the first field (Red Hat, NVD).

Technical details

The vulnerability occurs because the initial buffer is initialized to all-ones over the total field size instead of being restricted to the size of the first field. During the map search step, the result map and the fill map are swapped after each round. When f->bsize of the first element is smaller than m->bsize_max, one-bits leak into the result map of later rounds, causing pipapo to find incorrect matching results for sets where the first field size is not the largest (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 score of 7.1, indicating HIGH severity (Red Hat).

Impact

The vulnerability can result in incorrect matching results for sets where the first field size is not the largest, potentially leading to system availability issues. This affects the netfilter subsystem's ability to properly process network packets and could impact network filtering operations (Red Hat).

Mitigation and workarounds

A patch has been developed to fix the vulnerability by properly initializing the buffer and explicitly zeroing out the remainder. The fix includes a new test case in the nft_concat_range.sh selftest script to verify the correction (Kernel Patch). Red Hat notes that for some affected systems, mitigation options either are not available or don't meet their Product Security criteria for ease of use, deployment, and stability (Red Hat).
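The leak described under Technical details, and the corrected fill described above, can be reproduced in a small user-space model (an added example, not the kernel's code or the patch). The `fixed` flag switches between filling all `BSIZE_MAX` words with ones and filling only the first field's words while zeroing the rest. The struct layout, the one-to-one `mt` mapping, the rule numbers and the three-field set are constructed assumptions; it needs GCC or Clang for `__builtin_ctzll`.

```c
/* Simplified user-space model, not kernel code; all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define BSIZE_MAX 2                /* words needed by the largest field */

struct field {
    int bsize;                     /* words used by this field's rule bitmap */
    uint64_t bucket[BSIZE_MAX];    /* rules matching the packet in this field */
    int mt[64 * BSIZE_MAX];        /* rule -> rule index in the next field */
};

/* Returns the matching rule index in the last field, or -1 for no match. */
static int lookup(const struct field *f, int nfields, int fixed)
{
    uint64_t a[BSIZE_MAX], b[BSIZE_MAX] = {0}, *res = a, *fill = b, *tmp;

    for (int i = 0; i < BSIZE_MAX; i++)       /* initial map fill */
        res[i] = (fixed && i >= f[0].bsize) ? 0 : ~0ULL;
    for (int r = 0; r < nfields; r++) {
        int hits = 0;
        for (int i = 0; i < f[r].bsize; i++) {
            res[i] &= f[r].bucket[i];         /* AND with this field's bucket */
            while (res[i]) {                  /* refill from surviving rules */
                int rule = i * 64 + __builtin_ctzll(res[i]);
                if (r == nfields - 1)
                    return rule;              /* last field: first hit wins */
                res[i] &= res[i] - 1;         /* consume bit, word ends at 0 */
                fill[f[r].mt[rule] / 64] |= 1ULL << (f[r].mt[rule] % 64);
                hits++;
            }
        }
        if (!hits)
            return -1;
        tmp = res; res = fill; fill = tmp;    /* swap result and fill maps */
    }
    return -1;
}

/* Constructed set: fields 0 and 1 use one word, field 2 uses two. The packet
 * hits rule 0 in fields 0 and 1 but, in field 2, only rule 69 of another
 * entry, so the correct answer is -1 (no match). */
int demo(int fixed)
{
    struct field f[3] = { { 1, { 1, 0 }, { 0 } }, { 1, { 1, 0 }, { 0 } },
                          { 2, { 0, 1ULL << 5 }, { 0 } } };
    return lookup(f, 3, fixed);
}
int main(void) { printf("buggy %d, fixed %d\n", demo(0), demo(1)); return 0; }
```

With the all-ones fill, the stale second word survives two swaps and is ANDed with the third field's bucket, so the model reports rule 69 as a match; with the restricted fill it reports no match.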

This report was generated using AI.
