CVE-2026-23412
Status: Received - Intake
Use-After-Free in Linux netfilter BPF Hooks Causes Kernel Crash

Publication date: 2026-04-02

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: defer hook memory release until rcu readers are done

Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79

Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]

Defer release until after concurrent readers have completed.
Meta Information

Published: 2026-04-02
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (12 associated CPEs)

Vendor   Product        Version / Range
linux    linux_kernel   6.4
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   From 6.7 (inc) to 6.12.78 (exc)
linux    linux_kernel   From 6.13 (inc) to 6.18.20 (exc)
linux    linux_kernel   From 6.19 (inc) to 6.19.10 (exc)
linux    linux_kernel   From 6.4.1 (inc) to 6.6.130 (exc)
CWE

CWE ID    Description
CWE-416   The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free (UaF) in the Linux kernel's netfilter subsystem, in the code that manages BPF (Berkeley Packet Filter) hooks. It occurs when hook memory is released while a concurrent process is dumping the hooks via nfnetlink_hooks, so the dumper reads memory that has already been freed. The problem was reported by Yiming Qian and was caught by KASAN (Kernel Address Sanitizer), which flagged a slab-use-after-free read in nfnl_hook_dump_one. The fix defers the release of hook memory until all concurrent RCU readers have finished accessing it.
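The commit message above and this explanation both describe the same fix pattern: stop publishing the hook first, then free its memory only after every reader that may still hold a pointer has left its read-side critical section. The block below is an added userspace C model of that pattern, written for this page; it is not the kernel's code, not the patch, and it stands in for the kernel's real RCU primitives with a simple reader counter. All names in it (hook_entry, nf_hook_table, hook_unregister_immediate, hook_unregister_deferred, race_replay) are assumptions for illustration. It replays the reported interleaving deterministically: a dumper loads an entry inside its read-side section, then a writer unregisters that entry with either the buggy immediate free or the deferred free.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of RCU-style deferred reclamation. Every name
 * here (hook_entry, nf_hook_table, hook_unregister_*, race_replay) is an
 * assumption for illustration, not a kernel structure or API. */
struct hook_entry {
    int id;
    struct hook_entry *next_pending;  /* link on the deferred-free list */
};

static struct hook_entry *nf_hook_table[4]; /* hooks published to readers */
static int rcu_readers_in_flight;           /* open read-side sections */
static struct hook_entry *rcu_pending;      /* unpublished, not yet freed */
static int reclaimed_total;                 /* entries that reached free() */

/* Free everything unpublished so far. Only safe once no reader can still
 * hold a pointer it loaded while the entry was published. */
static void rcu_reclaim_pending(void)
{
    while (rcu_pending) {
        struct hook_entry *e = rcu_pending;
        rcu_pending = e->next_pending;
        free(e);
        reclaimed_total++;
    }
}

static void rcu_read_lock(void) { rcu_readers_in_flight++; }

/* The last reader leaving models the end of an RCU grace period. */
static void rcu_read_unlock(void)
{
    if (--rcu_readers_in_flight == 0)
        rcu_reclaim_pending();
}

struct hook_entry *hook_register(int slot, int id)
{
    struct hook_entry *e = calloc(1, sizeof *e);
    if (e) {
        e->id = id;
        nf_hook_table[slot] = e;  /* publish to readers */
    }
    return e;
}

/* Buggy ordering: unpublish and free in one step. A dumper that loaded
 * nf_hook_table[slot] inside its read-side section now holds a dangling
 * pointer, the slab-use-after-free shape KASAN reported.
 * Returns the number of entries freed during the call. */
int hook_unregister_immediate(int slot)
{
    struct hook_entry *e = nf_hook_table[slot];
    if (!e)
        return 0;
    nf_hook_table[slot] = NULL;
    free(e);
    reclaimed_total++;
    return 1;
}

/* Fixed ordering: unpublish now, release memory only after every reader
 * that could have seen the old pointer has left its read-side section.
 * Returns the number of entries freed during the call (0 while a reader
 * is still active). */
int hook_unregister_deferred(int slot)
{
    struct hook_entry *e = nf_hook_table[slot];
    int before = reclaimed_total;
    if (!e)
        return 0;
    nf_hook_table[slot] = NULL;
    e->next_pending = rcu_pending;
    rcu_pending = e;
    if (rcu_readers_in_flight == 0)
        rcu_reclaim_pending();  /* nobody is reading: reclaim right away */
    return reclaimed_total - before;
}

int reclaimed_count(void) { return reclaimed_total; }

/* Deterministic replay of the reported interleaving: the dumper enters its
 * read-side section and loads the entry, then the writer unregisters it.
 * Returns how many entries were freed while the reader still held its
 * pointer: 1 reproduces the bug, 0 means reclamation waited for the reader. */
int race_replay(int use_deferred)
{
    memset(nf_hook_table, 0, sizeof nf_hook_table);
    rcu_pending = NULL;
    rcu_readers_in_flight = 0;
    reclaimed_total = 0;
    hook_register(0, 42);
    rcu_read_lock();                             /* dump starts */
    struct hook_entry *held = nf_hook_table[0];  /* dumper's snapshot */
    int id_seen = held->id;                      /* still published: fine */
    int freed_under_reader = use_deferred ? hook_unregister_deferred(0)
                                          : hook_unregister_immediate(0);
    /* With deferral `held` is still valid here; after an immediate free,
     * touching it would be the UAF, so the model deliberately does not. */
    rcu_read_unlock();                           /* dump finishes */
    return id_seen == 42 ? freed_under_reader : -1;
}
```

race_replay(0) returns 1: the entry was handed to free() while the dumper's read-side section was still open, which is the window KASAN flagged. race_replay(1) returns 0: the entry sits on the pending list until the reader leaves, and is reclaimed in rcu_read_unlock. In the real kernel the grace period is tracked by RCU itself rather than by a counter, but the ordering constraint the fix enforces is the same.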


How can this vulnerability impact me?

This use-after-free can lead to undefined behaviour in the Linux kernel, such as crashes or memory corruption. Because it involves concurrent access to freed memory, it could be used to cause a denial of service or, potentially, to escalate privileges by manipulating kernel memory. The actual impact depends on the environment and on how the netfilter hooks are used.

