CVE-2026-23278
Undergoing Analysis Undergoing Analysis - In Progress
Use-After-Free Vulnerability in Linux Kernel nf_tables Component

Publication date: 2026-03-20

Last updated on: 2026-05-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch. If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate. Otherwise, we get: WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404 RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables] [..] __nft_set_elem_destroy+0x106/0x380 [nf_tables] nf_tables_abort_release+0x348/0x8d0 [nf_tables] nf_tables_abort+0xcf2/0x3ac0 [nf_tables] nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23278
EUVD
EUVD-2026-13614
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.4.262 (inc) to 5.5 (exc)
linux linux_kernel From 5.10.188 (inc) to 5.11 (exc)
linux linux_kernel From 4.19.316 (inc) to 4.20 (exc)
linux linux_kernel From 6.3.10 (inc) to 6.4 (exc)
linux linux_kernel From 5.15.121 (inc) to 5.16 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 6.1.36 (inc) to 6.2 (exc)
linux linux_kernel From 6.4.1 (inc) to 6.12.78 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter nf_tables component. During transaction processing, there can be more than one catchall element: one live catchall element and one pending element from a new batch. If the map holding these catchall elements is removed, the system must toggle all catchall elements, not just the first viable one. Failing to do so can cause warnings and potential errors during element release, as the system does not properly handle all pending catchall elements.

Impact Analysis

This vulnerability can lead to warnings and errors in the nf_tables subsystem of the Linux kernel, potentially causing instability or unexpected behavior during network packet filtering operations. If the catchall elements are not properly toggled, it may result in resource management issues or kernel warnings that could affect system reliability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring system logs for specific warning messages related to nf_tables. The presence of warnings such as "WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables]" indicates the issue.

You can use commands like 'dmesg' or 'journalctl' to search for these warning messages in the kernel logs.

  • dmesg | grep nf_tables
  • journalctl -k | grep nf_tables
Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by ensuring that all pending catchall elements are properly handled during transaction processing.

Immediate mitigation steps include updating your Linux kernel to a version that contains the fix for this vulnerability.

Until the update is applied, monitor system logs for the warning messages to detect potential issues and consider limiting the use of nf_tables features that may trigger this condition.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23278. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart