CVE-2026-53000

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nat: use kfree_rcu to release ops

Florian Westphal says:

"Historically this is not an issue, even for normal base hooks: the data path doesn't use the original nf_hook_ops that are used to register the callbacks.

However, in v5.14 I added the ability to dump the active netfilter hooks from userspace. This code will peek back into the nf_hook_ops that are available at the tail of the pointer-array blob used by the datapath.

The nat hooks are special, because they are called indirectly from the central nat dispatcher hook. They are currently invisible to the nfnl hook dump subsystem though.

But once that changes the nat ops structures have to be deferred too."

Update nf_nat_register_fn() to deal with partial exposition of the hooks from error path which can be also an issue for nfnetlink_hook.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 2 associated CPEs

Vendor         Product         Version / Range
linux          linux_kernel    5.14
linux_kernel   linux_kernel    5.14

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is in the Linux kernel's netfilter subsystem, specifically the NAT (Network Address Translation) hooks. The hook operation structures (nf_hook_ops, "ops") for NAT were released with an immediate free rather than a deferred one. Historically, this was not a problem because the data path does not use the original nf_hook_ops structures that were used to register the callbacks. However, Linux kernel v5.14 added the ability to dump the active netfilter hooks from userspace, and that code looks back into the nf_hook_ops stored at the tail of the pointer-array blob used by the data path. The NAT hooks are special because they are called indirectly from the central NAT dispatcher hook, and per the description they are currently invisible to the hook dump subsystem. Once that changes, the NAT ops structures must also be released with a deferred method (kfree_rcu), so that a reader still inside an RCU read-side section does not see freed memory. The fix also updates nf_nat_register_fn() to handle hooks that were partially exposed when registration fails on the error path, which can also be an issue for nfnetlink_hook.

Impact Analysis

The vulnerability could lead to improper memory management in the Linux kernel's netfilter NAT subsystem. This might cause instability or crashes in the kernel due to premature freeing of memory structures that are still in use. Since the issue involves kernel hooks exposed to userspace, it could potentially be exploited to cause denial of service or other unexpected behavior in systems relying on netfilter for network packet processing.
