{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23272", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-20T08:08:52.946Z", "dateUpdated": "2026-03-20T08:08:52.946Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-20T08:08:52.946Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set->nelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set->nelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "35d0ac9070ef619e3bf44324375878a1c540387b", "lessThan": "6826131c7674329335ca25df2550163eb8a1fd0c", "status": "affected", "versionType": "git"}, {"version": "35d0ac9070ef619e3bf44324375878a1c540387b", "lessThan": "ccb8c8f3c1127cf34d18c737309897c68046bf21", "status": "affected", "versionType": "git"}, {"version": "35d0ac9070ef619e3bf44324375878a1c540387b", "lessThan": "def602e498a4f951da95c95b1b8ce8ae68aa733a", "status": "affected", "versionType": "git"}, {"version": "fefdd79403e89b0c673965343b92e2e01e2713a8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "4.10", "status": "affected"}, {"version": "0", "lessThan": "4.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "7.0-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.33"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c"}, {"url": "https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21"}, {"url": "https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a"}], "title": "netfilter: nf_tables: unconditionally bump set->nelems before insertion", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set->nelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set->nelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches."}], "id": "CVE-2026-23272", "lastModified": "2026-03-20T09:16:12.700", "metrics": {}, "published": "2026-03-20T09:16:12.700", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T10:23:34.499085+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that includes the nf_tables set->nelems fix.", "If a patch is unavailable, limit batch sizes of nf_tables insertions to avoid exceeding the set capacity and reduce the likelihood of a race condition.", "Temporarily disable nf_tables if the functionality is not required, to eliminate the attack surface.", "Monitor kernel commit logs and vendor advisories for the patch or additional mitigations."], "summary": {"action": "Apply Patch", "impact": "Kernel Crash / Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all Linux kernel releases that include nf_tables prior to the patch commit referenced by the Git URLs (6826131c, ccb8c8f3, def602e4). No specific version number is supplied, so any kernel that has not applied these fixes is potentially vulnerable.", "description_and_impact": "In the Linux kernel, the nf_tables module increments set->nelems before a new element is successfully inserted, even when the set is already full. The vendor commit notes that a new element can be published and then removed without respecting the RCU grace period, while other threads may still be reading it, thereby creating a dangling reference that could trigger a kernel crash or a denial of service. The underlying weakness is a race condition involving RCU synchronization (CWE-362). This denial of service affects the networking layer of the kernel, potentially disrupting traffic handling for all users of nf_tables.", "risk_and_exploitability": "No CVSS, EPSS, or KEV data is available, indicating that no publicly known exploits exist at this time. Exploitation would require an attacker with the ability to execute nf_tables commands or otherwise add entries to a set, which typically requires root or the NF_NET_ADMIN capability. The severity is considered high because a successful race could cause an immediate kernel panic. However, the lack of public exploits and the requirement for privileged access moderate the risk for most exposed systems."}}}}, "created": "2026-03-20T10:36:46.865781+00:00", "updated": "2026-03-20T10:36:46.865804+00:00", "vendors": [], "weaknesses": ["CWE-362", "CWE-416"]}