2451218 – (CVE-2026-23392) CVE-2026-23392 kernel: netfilter: nf_tables: release flowtable after rcu grace period on error

Bug 2451218 (CVE-2026-23392) - CVE-2026-23392 kernel: netfilter: nf_tables: release flowtable after rcu grace period on error

Summary: CVE-2026-23392 kernel: netfilter: nf_tables: release flowtable after rcu grac...

Keywords:
Status:	NEW
Alias:	CVE-2026-23392
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-25 11:05 UTC by OSIDB Bzimport
Modified:	2026-03-25 15:17 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-25 11:05:17 UTC

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release flowtable after rcu grace period on error

Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.

This error path is rare, it should only happen by reaching the maximum
number hooks or by failing to set up to hardware offload, just call
synchronize_rcu().

There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier to this error path really becomes
rarely exercised.

Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.

Comment 1 Alexander B 2026-03-25 15:16:14 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032548-CVE-2026-23392-fd9d@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.