CVE-2026-23385
Received Received - Intake
Memory Allocation Failure in Linux Kernel nf_tables Causes WARN Crash

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: clone set on flush only Syzbot with fault injection triggered a failing memory allocation with GFP_KERNEL which results in a WARN splat: iter.err WARNING: net/netfilter/nf_tables_api.c:845 at nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845, CPU#0: syz.0.17/5992 Modules linked in: CPU: 0 UID: 0 PID: 5992 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 RIP: 0010:nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845 Code: 8b 05 86 5a 4e 09 48 3b 84 24 a0 00 00 00 75 62 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 63 6d fa f7 90 <0f> 0b 90 43 +80 7c 35 00 00 0f 85 23 fe ff ff e9 26 fe ff ff 89 d9 RSP: 0018:ffffc900045af780 EFLAGS: 00010293 RAX: ffffffff89ca45bd RBX: 00000000fffffff4 RCX: ffff888028111e40 RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000 RBP: ffffc900045af870 R08: 0000000000400dc0 R09: 00000000ffffffff R10: dffffc0000000000 R11: fffffbfff1d141db R12: ffffc900045af7e0 R13: 1ffff920008b5f24 R14: dffffc0000000000 R15: ffffc900045af920 FS: 000055557a6a5500(0000) GS:ffff888125496000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb5ea271fc0 CR3: 000000003269e000 CR4: 00000000003526f0 Call Trace: <TASK> __nft_release_table+0xceb/0x11f0 net/netfilter/nf_tables_api.c:12115 nft_rcv_nl_event+0xc25/0xdb0 net/netfilter/nf_tables_api.c:12187 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:380 netlink_release+0x123b/0x1ad0 net/netlink/af_netlink.c:761 __sock_release net/socket.c:662 [inline] sock_close+0xc3/0x240 net/socket.c:1455 Restrict set clone to the flush set command in the preparation phase. Add NFT_ITER_UPDATE_CLONE and use it for this purpose, update the rbtree and pipapo backends to only clone the set when this iteration type is used. As for the existing NFT_ITER_UPDATE type, update the pipapo backend to use the existing set clone if available, otherwise use the existing set representation. After this update, there is no need to clone a set that is being deleted, this includes bound anonymous set. An alternative approach to NFT_ITER_UPDATE_CLONE is to add a .clone interface and call it from the flush set path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-05-07
AI Q&A
2026-03-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23385
EUVD
EUVD-2026-15382
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.10
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.10.1 (inc) to 6.18.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter nf_tables component. It involves improper handling of set cloning during the flush operation. Specifically, a memory allocation failure with GFP_KERNEL leads to a kernel warning (WARN splat) in the nft_map_deactivate function. The issue arises because the set cloning was not properly restricted to the flush set command in the preparation phase, causing potential instability or crashes.

The fix restricts set cloning to only occur during the flush set command by introducing a new iteration type NFT_ITER_UPDATE_CLONE. This ensures that sets are cloned only when necessary, preventing cloning of sets that are being deleted and avoiding the problematic memory allocation failure.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to emit warnings and potentially crash or become unstable due to failed memory allocations during netfilter operations. Such instability can lead to denial of service conditions on affected systems, impacting availability and reliability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a WARN splat in the Linux kernel logs related to netfilter nf_tables, specifically at nft_map_deactivate in nf_tables_api.c. Detection involves monitoring kernel logs for warning messages indicating memory allocation failures or WARN splats in the nf_tables subsystem.

You can check your system logs for such warnings using commands like:

  • dmesg | grep -i 'nf_tables_api.c:845'
  • journalctl -k | grep -i 'nf_tables_api.c:845'
  • grep -i 'WARNING: net/netfilter/nf_tables_api.c' /var/log/kern.log

These commands help identify the specific warning related to the vulnerability in kernel logs.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by restricting the cloning of sets to the flush set command in the preparation phase and updating the nf_tables backends to handle cloning appropriately.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid using or triggering nf_tables operations that involve set cloning until the patch is applied.
  • Monitor kernel logs for related warnings to detect any exploitation attempts.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart