CVE-2026-23274
Undergoing Analysis Undergoing Analysis - In Progress
Use-After-Free in Linux netfilter xt_IDLETIMER Causes Kernel Panic

Publication date: 2026-03-20

Last updated on: 2026-05-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23274
EUVD
EUVD-2026-13610
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 5.7 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the xt_IDLETIMER module. It involves the reuse of ALARM timer labels between different revisions of IDLETIMER rules.

Revision 0 of IDLETIMER rules reuses existing timers by label and always calls mod_timer() on the timer object. However, if the label was initially created by revision 1 using XT_IDLETIMER_ALARM, the timer object uses alarm timer semantics and its timer field is never initialized.

Reusing such an object from revision 0 causes mod_timer() to be called on an uninitialized timer_list, which can trigger debug warnings and potentially cause a kernel panic if panic_on_warn=1 is set.

The fix implemented rejects insertion of revision 0 rules when an existing timer with the same label is of ALARM type, preventing this unsafe reuse.

Impact Analysis

This vulnerability can lead to kernel instability or crashes (kernel panic) when certain timer rules are reused improperly in the Linux kernel's netfilter subsystem.

If the system is configured with panic_on_warn=1, the improper reuse of uninitialized timers can cause the kernel to panic, resulting in a denial of service due to system downtime or reboot.

Such instability can affect the availability and reliability of systems running vulnerable Linux kernel versions, potentially disrupting services or applications relying on the kernel's networking features.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.

Therefore, to mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart