CVE-2026-53349
Status: Received - Intake

Use-After-Free in Linux Kernel Netfilter Connection Tracking

Vulnerability report for CVE-2026-53349, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack: destroy stale expectfn expectations on unregister

NAT helpers such as nf_nat_h323 store a raw pointer to module text in exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister() only unlinks the callback descriptor and never walks the expectation table, so an expectation pending at module removal survives with a dangling exp->expectfn into freed module text. When the expected connection arrives, init_conntrack() invokes exp->expectfn(), now a stale pointer into the unloaded module.

Reproduced on a KASAN build by loading the H.323 helpers, creating a Q.931 expectation, unloading nf_nat_h323, then connecting to the expected port:

  Oops: int3: 0000 [#1] SMP KASAN NOPTI
  RIP: 0010:0xffffffffa06102d1
  init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
  nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
  ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
  nf_hook_slow (net/netfilter/core.c:619)
  __ip_local_out (net/ipv4/ip_output.c:120)
  __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)
  tcp_connect (net/ipv4/tcp_output.c:4374)
  tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)
  __sys_connect (net/socket.c:2167)
  Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]

Reaching the dangling state requires CAP_SYS_MODULE in the initial user namespace to remove a NAT helper that still has live expectations, so this is a robustness fix; leaving an expectation pointing at freed text is wrong regardless.

Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and drops every expectation whose ->expectfn matches the descriptor being torn down. Call it from each NAT helper's exit path after the existing RCU grace period, so no expectation outlives the code it points at and no extra synchronize_rcu() is introduced.

With the fix, the same reproducer runs to completion without the Oops.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor         Product        Version / Range
linux_kernel   linux_kernel   *

The wildcard version means no affected or fixed range has been recorded for this entry yet. Which mainline and stable kernels carry the nf_ct_helper_expectfn_destroy() change has to be taken from the assigner's (kernel.org) advisory and the stable trees, not from this table.

Exploitability

CWE: CWE-UNKNOWN (not yet assigned; the bug described is a call through a dangling function pointer into freed module text, i.e. a use-after-free, which CWE catalogues as CWE-416)
KEV: no listing recorded

AI Quick Actions

Impact Analysis

On an unfixed kernel, a connection that matches an expectation left behind by an unloaded NAT helper makes init_conntrack() call exp->expectfn(), a pointer into module text that has already been freed. In the KASAN reproducer this is an immediate kernel Oops (an int3 trap, meaning the freed text had been filled with breakpoint instructions by the time it was called); once that memory is reused, the call would instead land on whatever now occupies those addresses. In either case it is a use-after-free of code, and the practical effect is a crashed or unstable host, i.e. denial of service.

Reaching the dangling state requires CAP_SYS_MODULE in the initial user namespace, because someone has to unload a NAT helper such as nf_nat_h323 while expectations it created are still pending; the trigger itself, a connection matching that expectation, needs no privilege. Since the privileged step is the precondition, kernel.org treats this as a robustness fix rather than a remotely exploitable bug. The realistic exposure is an administrator or automation unloading helper modules on a live gateway and the next matching packet taking the box down.

Executive Summary

The bug is in the Linux kernel's netfilter connection tracking (nf_conntrack) subsystem. NAT helpers such as nf_nat_h323 store a raw pointer to their own module text in each expectation they create (exp->expectfn, e.g. ip_nat_q931_expect). When such a helper module is unloaded, nf_ct_helper_expectfn_unregister() only unlinks the callback descriptor; it never walks the expectation table, so any expectation still pending keeps a pointer into memory that has just been freed.

When a connection matching that expectation later arrives, init_conntrack() calls exp->expectfn() and control transfers into the unloaded module's former address range. In the KASAN reproducer this is an immediate Oops (an int3 trap); in general it is a use-after-free of code. Creating the dangling state needs CAP_SYS_MODULE in the initial user namespace, which is why kernel.org classes it as a robustness fix.

The fix adds nf_ct_helper_expectfn_destroy(), which walks the expectation table and drops every expectation whose ->expectfn matches the descriptor being torn down. Each NAT helper's exit path calls it after the existing RCU grace period, so no expectation outlives the code it points at and no extra synchronize_rcu() is introduced.

Detection Guidance

The bug surfaces only as a kernel Oops on the host whose expectation table was left with a stale pointer, so detection is log-based. The reproducer in the description was run on a KASAN build; on a production kernel the Oops header differs (no KASAN tag, and the fault type depends on what now occupies the freed text), so key on the combination of a netfilter call trace and a "[last unloaded: ...]" NAT helper rather than on the exact header. Check the kernel ring buffer or the persisted kernel log (dmesg, journalctl -k, /var/log/kern.log) for an Oops whose trace resembles:

  • Oops: int3: 0000 [#1] SMP KASAN NOPTI
  • RIP: 0010:0xffffffffa06102d1 (a raw, unsymbolised address in the module area, which is what a call into unloaded module text looks like)
  • init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
  • nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
  • Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]

Useful commands:

  • dmesg | grep -iE 'Oops|nf_conntrack|last unloaded'
  • journalctl -k | grep -iE 'Oops|nf_conntrack|last unloaded'
  • lsmod | grep -E 'nf_nat_|nf_conntrack_' (which NAT helpers and conntrack helpers are loaded)
  • cat /proc/net/nf_conntrack_expect (pending expectations and the helper that created them; present when CONFIG_NF_CONNTRACK_PROCFS is enabled)
  • conntrack -L expect (the same table via conntrack-tools)

The dangerous moment is the unload itself: a non-empty expectation table for an H.323 (or other NAT-helped) session followed by removal of nf_nat_h323 on an unfixed kernel is the precondition, and the first packet matching that expectation afterwards is the trigger.
Mitigation Strategies

The fix is a robustness change: nf_ct_helper_expectfn_destroy() walks the expectation table when a helper's expectfn descriptor is unregistered and drops every expectation whose ->expectfn points at it, so no expectation outlives the module text it references.

Immediate mitigation steps include:

  • Update to a kernel that carries the nf_ct_helper_expectfn_destroy() change; it is called from each NAT helper's exit path, so no configuration change is needed once the kernel is patched.
  • Until then, do not unload NAT helper modules such as nf_nat_h323 while /proc/net/nf_conntrack_expect (or conntrack -L expect) still lists expectations created by the matching conntrack helper; let the sessions finish or their expectations time out first.
  • Keep CAP_SYS_MODULE (module load and unload) confined to trusted administrators and automation; unprivileged users and containers in non-initial user namespaces cannot reach the dangling state.
  • Monitor kernel logs for Oopses with a netfilter call trace and a "[last unloaded: ...]" helper, and review any module-unload automation on gateways that run NAT helpers.
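
The log check from Detection Guidance and the unload gate from the mitigation list, as an added example script (not code from the kernel tree or from this advisory). It assumes /proc/net/nf_conntrack_expect is available (CONFIG_NF_CONNTRACK_PROCFS) and names the master connection's conntrack helper on each line; the helper names RAS, Q.931 and H.245 are the ones nf_conntrack_h323 registers; NF_DRY_RUN is this script's own switch; every sample log and table line below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for CVE-2026-53349. Three operator-side checks:
#   oops_after_helper_unload LOG             - log triage for the stale-expectfn Oops
#   helper_has_expectations TABLE NAME...    - are expectations for a helper pending?
#   safe_unload_nat_helper MOD TABLE NAME... - gate "modprobe -r" on that check
# Assumption: TABLE has the /proc/net/nf_conntrack_expect layout (helper name
# on each line). Sample data written by write_fixtures is constructed.

oops_after_helper_unload() {
    # Print "<unloaded module> <first conntrack frame>" for every Oops in $1
    # whose "Modules linked in:" line carries "[last unloaded: ...]" and whose
    # trace passes through init_conntrack()/nf_conntrack_in(); exit 0 if any,
    # else 1. Oopses print the modules line before the trace, so each block
    # is collected and judged when the next Oops (or end of file) arrives.
    awk '
        function flush() {
            if (in_oops && mod != "" && frame != "") { print mod, frame; found = 1 }
            in_oops = 0; mod = ""; frame = ""
        }
        /Oops:/ { flush(); in_oops = 1; next }
        in_oops && /Modules linked in:/ && match($0, /\[last unloaded: [^]]+\]/) {
            mod = substr($0, RSTART + 16, RLENGTH - 17); next
        }
        in_oops && frame == "" && /init_conntrack|nf_conntrack_in/ && !/Modules linked in:|RIP:/ {
            frame = $0
            sub(/^.*kernel: /, "", frame)               # journalctl/syslog prefix
            sub(/^\[[^]]*\][ \t]*(\? )?/, "", frame)    # dmesg timestamp, "? " marker
            sub(/[ +(].*/, "", frame)                   # keep the bare symbol name
            next
        }
        END { flush(); exit found ? 0 : 1 }
    ' "$1"
}

helper_has_expectations() {
    # $1 = expectation table file, remaining args = conntrack helper names.
    # Exit 0 if any line of the table references one of the names, 1 if clean.
    table=$1; shift
    for name in "$@"; do
        grep -qF -- "$name" "$table" && return 0
    done
    return 1
}

safe_unload_nat_helper() {
    # $1 = NAT helper module, $2 = expectation table, rest = helper names whose
    # expectations carry that module's expectfn. Refuses (exit 2) while any are
    # pending, which is exactly the step an unfixed kernel lets through.
    # With NF_DRY_RUN set it reports what it would do instead of calling modprobe.
    module=$1; table=$2; shift 2
    if helper_has_expectations "$table" "$@"; then
        echo "refusing to unload $module: pending expectations for $* in $table" >&2
        return 2
    fi
    if [ -n "${NF_DRY_RUN:-}" ]; then
        echo "would run: modprobe -r $module"
        return 0
    fi
    modprobe -r "$module"
}

write_fixtures() {
    # Constructed sample data under directory $1: the advisory's trace in dmesg
    # form, a benign log, and two expectation tables (one with an H.323
    # expectation still pending, one with only an unrelated ftp expectation).
    cat > "$1/kern.log" <<'EOF'
[  812.410211] Oops: int3: 0000 [#1] SMP KASAN NOPTI
[  812.410302] Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]
[  812.410530] RIP: 0010:0xffffffffa06102d1
[  812.410611] Call Trace:
[  812.410700]  init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
[  812.410799]  nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
[  812.410900]  ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
[  812.411001]  nf_hook_slow (net/netfilter/core.c:619)
EOF
    cat > "$1/kern_clean.log" <<'EOF'
[    3.201000] Bridge firewalling registered
[  100.000100] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
EOF
    cat > "$1/expect_live" <<'EOF'
297 l3proto = 2 proto=6 src=192.0.2.10 dst=192.0.2.20 sport=0 dport=1720 RAS
EOF
    cat > "$1/expect_clean" <<'EOF'
170 l3proto = 2 proto=6 src=192.0.2.10 dst=192.0.2.30 sport=0 dport=41522 ftp
EOF
}

# Demonstration on the constructed fixtures; on a real host point the functions
# at /var/log/kern.log (or journalctl -k output) and /proc/net/nf_conntrack_expect.
demo=$(mktemp -d)
write_fixtures "$demo"
oops_after_helper_unload "$demo/kern.log" || echo "no stale-expectfn Oops in log"
NF_DRY_RUN=1 safe_unload_nat_helper nf_nat_h323 "$demo/expect_live" RAS Q.931 H.245 || :
NF_DRY_RUN=1 safe_unload_nat_helper nf_nat_h323 "$demo/expect_clean" RAS Q.931 H.245
rm -rf "$demo"
```

The gate only needs root for the final modprobe; the two checks themselves read files any user can open, so they can also run from monitoring. The log scan deliberately keys on the "[last unloaded: ...]" marker plus a conntrack frame rather than on the KASAN header, because a production kernel will not print the latter.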
