CVE-2026-23391
Received Received - Intake
Use-After-Free in Linux netfilter xt_CT Module on Template Removal

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23391
EUVD
EUVD-2026-15392
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 3.4.1 (inc) to 5.10.253 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel 3.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the xt_CT module. It involves the handling of templates, which are objects that can be removed while packets are still queued in the nfqueue. When a template is removed, any pending packets that rely on that template remain enqueued, which can cause issues. The vulnerability is addressed by ensuring that these pending enqueued packets are dropped when the template rule is removed.

Templates in this context refer to objects related to connection tracking helpers or timeout policies that might be removed during module removal or timeout events. The fix involves flushing these enqueued packets to prevent potential problems caused by stale or invalid templates.

Impact Analysis

If this vulnerability is exploited or triggered, it could lead to issues in packet processing within the Linux kernel's netfilter system. Specifically, packets that depend on removed templates might remain enqueued indefinitely or be mishandled, potentially causing network disruptions or unexpected behavior in firewall or connection tracking operations.

This could affect system stability or network reliability, especially in environments relying on dynamic module loading or timeout policies that remove templates.

Mitigation Strategies

The vulnerability has been resolved by ensuring that pending enqueued packets on template removal are dropped. Immediate mitigation involves updating the Linux kernel to a version where this fix is applied.

Specifically, the fix flushes enqueued packets if the template rule gets removed, preventing issues related to module removal or timeout policies.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23391. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart