CVE-2026-23351
Use-After-Free in Linux netfilter nft_set Causes DoS
Publication date: 2026-03-25
Last updated on: 2026-04-24
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.6 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.17 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.77 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 5.6.1 (inc) to 5.10.253 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a use-after-free issue in the Linux kernel's netfilter component, specifically in the nft_set_pipapo set type.
When there are many expired elements, the garbage collection (GC) process at commit time can run for a very long time in a non-preemptible context, which can cause soft lockup warnings and RCU stall reports, leading to a local denial of service.
The problem arises because expired elements remain accessible to both the packet processing path and userspace dumpers through a live copy of the data structure, even after they should have been freed.
The fix involves splitting the garbage collection into two phases: unlink and reclaim, ensuring that elements are not queued for freeing until pointers have been properly swapped to prevent access to freed elements.
How can this vulnerability impact me?
This vulnerability can cause a local denial of service on affected Linux systems.
Specifically, under conditions with many expired elements, the system may experience soft lockup warnings and RCU stall reports due to the garbage collection process running too long in a non-preemptible context.
This can degrade system performance or cause the system to become unresponsive temporarily.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can manifest as soft lockup warnings and RCU stall reports on the affected system, indicating a local denial of service condition due to the long-running commit-time garbage collection in a non-preemptible context.
To detect this issue, monitor your system logs for messages related to soft lockups and RCU stalls. You can use commands such as:
- `dmesg | grep -i 'soft lockup'`
- `dmesg | grep -i 'rcu stall'`
- `journalctl -k | grep -i 'soft lockup'`
- `journalctl -k | grep -i 'rcu stall'`
These commands surface the kernel messages that indicate the condition described above has occurred on the system.
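An added triage helper for this CVE (example script, not part of the CVE record): it classifies a kernel version string against the affected ranges in the table above and filters kernel log text for the soft-lockup and RCU-stall messages named as symptoms. It assumes POSIX sh with cut and grep; a suffix after "-" such as "-generic" or "-rc1" is ignored when comparing versions.

```shell
#!/bin/sh
# Added example for CVE-2026-23351 (not from the CVE record).

# vercmp A B: prints -1, 0 or 1 for A < B, A = B, A > B.
# Compares up to three dotted numeric fields; missing fields count as 0.
vercmp() {
    a=${1%%-*}; b=${2%%-*}   # drop "-generic", "-rc1", ... before comparing
    i=1
    while [ $i -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f$i); y=$(printf '%s' "$b" | cut -d. -f$i)
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# in_range LO HI VER: succeeds when LO <= VER < HI (inclusive/exclusive as in the table)
in_range() {
    [ "$(vercmp "$3" "$1")" -ge 0 ] && [ "$(vercmp "$3" "$2")" -lt 0 ]
}

# affected VER: succeeds when VER falls in one of the affected ranges from the table
affected() {
    v=$1
    in_range 5.6.1 5.10.253 "$v" && return 0
    in_range 5.11  5.15.203 "$v" && return 0
    in_range 5.16  6.1.167  "$v" && return 0
    in_range 6.2   6.6.130  "$v" && return 0
    in_range 6.7   6.12.77  "$v" && return 0
    in_range 6.13  6.18.17  "$v" && return 0
    in_range 6.19  6.19.7   "$v" && return 0
    # the table also lists 5.6 and 7.0 as single affected versions
    [ "$(vercmp "$v" 5.6)" -eq 0 ] && return 0
    [ "$(vercmp "$v" 7.0)" -eq 0 ] && return 0
    return 1
}

# symptom_count: reads kernel log text on stdin, prints the number of indicator lines
symptom_count() {
    grep -c -i -E 'soft lockup|rcu.*stall'
}

# Usage: sh triage.sh --run   (checks the running kernel and the live kernel log)
if [ "${1:-}" = "--run" ]; then
    if affected "$(uname -r)"; then echo "kernel $(uname -r): in an affected range"
    else echo "kernel $(uname -r): not in a listed affected range"; fi
    echo "indicator lines in dmesg: $(dmesg 2>/dev/null | symptom_count || true)"
fi
```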
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved by splitting the garbage collection (GC) process into unlink and reclaim phases to avoid long non-preemptible GC runs.
Immediate mitigation steps include updating your Linux kernel to a version that contains the fix for this issue.
Until an update is applied, monitoring for soft lockup and RCU stall warnings can help detect active exploitation or impact.