CVE-2024-54031 [Medium] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Access to genmask field in struct nft_set_ext results in unaligned atomic read: [ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c [ 72.131036] Mem abort info: [ 72.131213] ESR = 0x0000000096000021 [ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits [ 72.132209] SET = 0, FnV = 0 [ 72.133216] EA = 0, S1PTW = 0 [ 72.134080] FSC = 0x21: alignment fault [ 72.135593] Data abort info: [ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 [ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000 [ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, +pte=0068000102bb7707 [ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP [...] [ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2 [ 72.170509] Tainted: [E]=UNSIGNED_MODULE [ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023 [ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] [ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables] [ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables] [ 72.172546] sp : ffff800081f2bce0 [ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038 [ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78 [ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78 [ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000 [ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978 [ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0 [ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000 [ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000 [ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000 [ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004 [ 72.176207] Call trace: [ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P) [ 72.176653] process_one_work+0x178/0x3d0 [ 72.176831] worker_thread+0x200/0x3f0 [ 72.176995] kthread+0xe8/0xf8 [ 72.177130] ret_from_fork+0x10/0x20 [ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f) [ 72.177557] ---[ end trace 0000000000000000 ]--- Align struct nft_set_ext to word size to address this and documentation it. pahole reports that this increases the size of elements for rhash and pipapo in 8 bytes on x86_64.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-21	0.06%	0.03%	-0.03%
2	2025-11-18	0.03%	0.06%	+0.03%
3	2025-10-16	—	0.03%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-11-21

0.06%

0.03%

-0.03%

2025-11-18

0.03%

0.06%

+0.03%

2025-10-16

—

0.03%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

3.6

[email protected]

OS Trackers for CVE-2024-54031

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2024-54031 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2024-54031
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2024-54031
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2024-54031/
`ubuntu`	medium	CVE-2024-54031 medium priority: Ubuntu including 126 source packages (linux, linux-allwinner-5.19, …), 1008 status rows across 8 suites (bionic, focal, jammy, noble, oracular, trusty, upstream, xenial): DNE 690, ignored 146, not-affected 112, released 60.	https://ubuntu.com/security/CVE-2024-54031

Affected software / configurations for CVE-2024-54031

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 5.4.287, < 5.4.289	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.10.231, < 5.10.233	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.15.174, < 5.15.176	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.1.120, < 6.1.124	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.6.66, < 6.6.70	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.12.5, < 6.12.9	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.13	cpe:2.3:o:linux:linux_kernel:6.13:rc2::::::
linux	linux_kernel	6.13	cpe:2.3:o:linux:linux_kernel:6.13:rc3::::::
linux	linux_kernel	6.13	cpe:2.3:o:linux:linux_kernel:6.13:rc4::::::
linux	linux_kernel	6.13	cpe:2.3:o:linux:linux_kernel:6.13:rc5::::::

References for CVE-2024-54031

URL	Tags
https://git.kernel.org/stable/c/277f00b0c2dca8794cf4837722960bdc4174911f	Patch
https://git.kernel.org/stable/c/352f8eaaabd008f09d1e176194edc261a7304084	Patch
https://git.kernel.org/stable/c/4f49349c1963e507aa37c1ec05178faeb0103959	Patch
https://git.kernel.org/stable/c/542ed8145e6f9392e3d0a86a0e9027d2ffd183e4	Patch
https://git.kernel.org/stable/c/607774a13764676d4b8be9c8b9c66b8cf3469043	Patch
https://git.kernel.org/stable/c/6a14b46052eeb83175a95baf399283860b9d94c4	Patch
https://git.kernel.org/stable/c/d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0	Patch
https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

URL

CVE-2024-54031 | netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

Exploit prediction scoring system (EPSS) score for CVE-2024-54031

Common vulnerability scoring system (CVSS) metrics for CVE-2024-54031

Weakness enumeration for CVE-2024-54031

OS Trackers for CVE-2024-54031

Affected software / configurations for CVE-2024-54031

References for CVE-2024-54031