Amazon Linux AMI: CVE-2023-52628: Security patch for kernel (ALAS-2024-1937)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: exthdr: fix 4-byte stack OOB write

If priv->len is a multiple of 4, then dst[len / 4] can write past

the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register

in case ->len is NOT a multiple of the register size, so make it

conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when

tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,

ZDI-CAN-21951, ZDI-CAN-21961).