CVE-2026-23392
Use-After-Free in Linux Kernel nf_tables Flowtable Handling
Publication date: 2026-03-25
Last updated on: 2026-04-24
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 4.16 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.78 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.20 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.10 (exc) |
| linux | linux_kernel | From 4.16.1 (inc) to 6.1.167 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is related to the Linux kernel's netfilter nf_tables subsystem and involves a use-after-free error in the flowtable handling during error paths.
Immediate mitigation steps include ensuring that your Linux kernel is updated to a version where this issue is resolved, as the fix involves calling synchronize_rcu() after unregistering hooks to prevent use-after-free conditions.
Since the error path is rare and related to reaching the maximum number of hooks or hardware offload setup failures, avoiding configurations that push these limits may reduce exposure until a patch is applied.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter nf_tables component. It involves the improper release of a flowtable after an RCU (Read-Copy-Update) grace period on an error path. Specifically, the code did not call synchronize_rcu() after unregistering hooks when an error occurs, which could leave a flowtable still referenced by hooks. This exposes the flowtable to the packet processing path and the nfnetlink_hook control plane, potentially causing use-after-free issues.
The error path is rare and typically happens when the maximum number of hooks is reached or when hardware offload setup fails. The vulnerability was uncovered by KASAN as a use-after-free bug triggered when dumping hooks via nfnetlink_hook.
How can this vulnerability impact me? :
This vulnerability can lead to use-after-free conditions in the Linux kernel's networking subsystem. Such conditions may cause system instability, crashes, or potentially allow attackers to execute arbitrary code or cause denial of service by exploiting the exposed flowtable references.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to a rare error path in the Linux kernel's netfilter nf_tables subsystem, specifically involving flowtable release after an RCU grace period on error.
Detection would likely involve monitoring for use-after-free errors reported by Kernel Address Sanitizer (KASAN) related to nfnetlink_hook paths when dumping hooks.
Since no specific detection commands or network signatures are provided, a practical approach is to check your kernel logs for KASAN reports or errors related to nfnetlink_hook or flowtable usage.
- Use dmesg or journalctl to look for kernel error messages: `dmesg | grep -i kasan` or `journalctl -k | grep -i nfnetlink_hook`
- Check for errors related to flowtable or hook registration failures in kernel logs.
No specific network commands or signatures are provided to detect exploitation attempts on the network or system.