CVE-2026-23272
Undergoing Analysis Undergoing Analysis - In Progress
Use-After-Free in Linux Kernel nf_tables Set Element Handling

Publication date: 2026-03-20

Last updated on: 2026-05-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already. To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state. As for element updates, decrement set->nelems to restore it. A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-05-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23272
EUVD
EUVD-2026-13607
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.10
linux linux_kernel 4.10
linux linux_kernel 4.10
linux linux_kernel 4.10
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 4.10.1 (inc) to 6.18.17 (exc)
linux linux_kernel From 4.9.33 (inc) to 4.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue has been resolved.

The fix involves properly handling the nf_tables set element insertion by toggling the set_full flag and safely unwinding the set to its previous state, or alternatively calling synchronize_rcu() in the error path.

Applying the official kernel patch or upgrading to a kernel release that includes this fix is the recommended immediate step.

Executive Summary

This vulnerability exists in the Linux kernel's netfilter nf_tables component. It involves the unconditional increment of the set->nelems counter before inserting an element into a set. If the set is already full, a new element is published and then removed without waiting for the RCU (Read-Copy-Update) grace period to complete, even though an RCU reader might still be accessing it. This can lead to unsafe behavior.

The fix involves adding the element transaction even if the set is full, but toggling a set_full flag to return an error (-ENFILE) so that the abort path can safely revert the set to its previous state. For element updates, the set->nelems counter is decremented to restore correctness. An alternative fix would be to call synchronize_rcu() in the error path, but this could cause performance slowdowns when adding large batches of elements to a full set.

Detection Guidance

I don't know

Impact Analysis

This vulnerability can lead to unsafe memory access or data corruption in the Linux kernel's netfilter nf_tables subsystem. Because elements can be published and removed without proper synchronization, RCU readers might access invalid or stale data, potentially causing kernel instability or crashes.

Such instability could affect system reliability, potentially leading to denial of service or unexpected behavior in network filtering operations.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23272. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart