CVE-2026-23272
Use-After-Free in Linux Kernel nf_tables Set Element Handling
Publication date: 2026-03-20
Last updated on: 2026-04-02
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version where the issue has been resolved.
The fix involves properly handling the nf_tables set element insertion by toggling the set_full flag and safely unwinding the set to its previous state, or alternatively calling synchronize_rcu() in the error path.
Applying the official kernel patch or upgrading to a kernel release that includes this fix is the recommended immediate step.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter nf_tables component. It involves the unconditional increment of the set->nelems counter before inserting an element into a set. If the set is already full, a new element is published and then removed without waiting for the RCU (Read-Copy-Update) grace period to complete, even though an RCU reader might still be accessing it. This can lead to unsafe behavior.
The fix involves adding the element transaction even if the set is full, but toggling a set_full flag to return an error (-ENFILE) so that the abort path can safely revert the set to its previous state. For element updates, the set->nelems counter is decremented to restore correctness. An alternative fix would be to call synchronize_rcu() in the error path, but this could cause performance slowdowns when adding large batches of elements to a full set.
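The accounting described above, as a user-space C model added here for illustration; it is not the kernel patch or code from this page. Only `nelems`, `set_full` and `-ENFILE` come from the description; `struct set`, `publish`, `insert_unsafe`, `insert_fixed`, `abort_batch` and the `waits` counter (which stands in for an RCU grace period) are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* User-space model; every name is hypothetical, not a kernel identifier. */
struct elem { int key; struct elem *next; };
struct set {
    unsigned int size, nelems, pending; /* capacity, count, open-batch adds */
    bool set_full;                      /* latched once the batch exceeds size */
    struct elem *head;                  /* list the modelled RCU readers walk */
    unsigned int early_frees, waits;    /* frees without / modelled grace waits */
};
static void publish(struct set *s, int key) {
    struct elem *e = malloc(sizeof(*e));
    if (!e) abort();
    e->key = key; e->next = s->head;
    s->head = e;                        /* readers can reach e from here on */
    s->nelems++;                        /* unconditional, as the page describes */
}
/* Pre-fix shape: publish, find the set full, unlink and free at once. */
static int insert_unsafe(struct set *s, int key) {
    publish(s, key);
    if (s->nelems <= s->size) return 0;
    struct elem *e = s->head;
    s->head = e->next; s->nelems--;
    free(e);                            /* a reader may still hold this pointer */
    s->early_frees++;
    return -ENFILE;
}
/* Post-fix shape: keep the element in the batch and only latch set_full. */
static int insert_fixed(struct set *s, int key) {
    publish(s, key);
    s->pending++;
    if (s->nelems > s->size) s->set_full = true;
    return s->set_full ? -ENFILE : 0;
}
/* Abort path: unlink the whole batch, wait once, then free. */
static void abort_batch(struct set *s) {
    struct elem *dead = s->head, *next;
    for (; s->pending; s->pending--, s->nelems--) s->head = s->head->next;
    s->waits++;                         /* stands in for the RCU grace period */
    for (; dead != s->head; dead = next) { next = dead->next; free(dead); }
    s->set_full = false;
}
int main(void) {
    struct set u = { .size = 1 }, f = { .size = 1 };
    for (int k = 0; k < 3; k++) { insert_unsafe(&u, k); insert_fixed(&f, k); }
    abort_batch(&f);
    return (u.early_frees == 2 && f.early_frees == 0 && f.nelems == 0) ? 0 : 1;
}
```

The model pays one wait per aborted batch rather than one per rejected element, which is the trade-off the description gives for not calling synchronize_rcu() in the error path.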
How can this vulnerability impact me?
This vulnerability can lead to unsafe memory access or data corruption in the Linux kernel's netfilter nf_tables subsystem. Because elements can be published and removed without proper synchronization, RCU readers might access invalid or stale data, potentially causing kernel instability or crashes.
Such instability could affect system reliability, potentially leading to denial of service or unexpected behavior in network filtering operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know