CVE-2026-23274
Received Received - Intake
Use-After-Free in Linux netfilter xt_IDLETIMER Causes Kernel Panic

Publication date: 2026-03-20

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-18
Generated
2026-05-07
AI Q&A
2026-03-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23274
EUVD
EUVD-2026-13610
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel to 1 (exc)
linux linux_kernel to 1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter component, specifically in the xt_IDLETIMER module. It involves the reuse of ALARM timer labels between different revisions of IDLETIMER rules.

Revision 0 of IDLETIMER rules reuses existing timers by label and always calls mod_timer() on the timer object. However, if the label was initially created by revision 1 using XT_IDLETIMER_ALARM, the timer object uses alarm timer semantics and its timer field is never initialized.

Reusing such an object from revision 0 causes mod_timer() to be called on an uninitialized timer_list, which can trigger debug warnings and potentially cause a kernel panic if panic_on_warn=1 is set.

The fix implemented rejects insertion of revision 0 rules when an existing timer with the same label is of ALARM type, preventing this unsafe reuse.


How can this vulnerability impact me? :

This vulnerability can lead to kernel instability or crashes (kernel panic) when certain timer rules are reused improperly in the Linux kernel's netfilter subsystem.

If the system is configured with panic_on_warn=1, the improper reuse of uninitialized timers can cause the kernel to panic, resulting in a denial of service due to system downtime or reboot.

Such instability can affect the availability and reliability of systems running vulnerable Linux kernel versions, potentially disrupting services or applications relying on the kernel's networking features.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.

Therefore, to mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart