{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23391", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.009Z", "datePublished": "2026-03-25T10:33:15.677Z", "dateUpdated": "2026-04-18T08:58:26.823Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-18T08:58:26.823Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_CT: drop pending enqueued packets on template removal\n\nTemplates refer to objects that can go away while packets are sitting in\nnfqueue refer to:\n\n- helper, this can be an issue on module removal.\n- timeout policy, nfnetlink_cttimeout might remove it.\n\nThe use of templates with zone and event cache filter are safe, since\nthis just copies values.\n\nFlush these enqueued packets in case the template rule gets removed."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/xt_CT.c"], "versions": [{"version": "24de58f465165298aaa8f286b2592f0163706cfe", "lessThan": "55445134d42b84cb0a272e42c98d233ca65eca83", "status": "affected", "versionType": "git"}, {"version": "24de58f465165298aaa8f286b2592f0163706cfe", "lessThan": "cc57506dd66555899560b9c0f24e813f034e12ec", "status": "affected", "versionType": "git"}, {"version": "24de58f465165298aaa8f286b2592f0163706cfe", "lessThan": "d2d0bae0c9a2a17b6990a2966f5cdce0813d6256", "status": "affected", "versionType": "git"}, {"version": "24de58f465165298aaa8f286b2592f0163706cfe", "lessThan": "63b8097cea1923fe82cd598068d0796da8c015ec", "status": "affected", "versionType": "git"}, {"version": "24de58f465165298aaa8f286b2592f0163706cfe", "lessThan": "19a230dec6bb8928e3f96387f9085cf2c79bcef9", "status": "affected", "versionType": "git"}, {"version": "24de58f465165298aaa8f286b2592f0163706cfe", "lessThan": "cb549925875fa06dd155e49db4ac2c5044c30f9c", "status": "affected", "versionType": "git"}, {"version": "24de58f465165298aaa8f286b2592f0163706cfe", "lessThan": "777d02efe3d630cca4c1b63962cec17c57711325", "status": "affected", "versionType": "git"}, {"version": "24de58f465165298aaa8f286b2592f0163706cfe", "lessThan": "f62a218a946b19bb59abdd5361da85fa4606b96b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/xt_CT.c"], "versions": [{"version": "3.4", "status": "affected"}, {"version": "0", "lessThan": "3.4", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/55445134d42b84cb0a272e42c98d233ca65eca83"}, {"url": "https://git.kernel.org/stable/c/cc57506dd66555899560b9c0f24e813f034e12ec"}, {"url": "https://git.kernel.org/stable/c/d2d0bae0c9a2a17b6990a2966f5cdce0813d6256"}, {"url": "https://git.kernel.org/stable/c/63b8097cea1923fe82cd598068d0796da8c015ec"}, {"url": "https://git.kernel.org/stable/c/19a230dec6bb8928e3f96387f9085cf2c79bcef9"}, {"url": "https://git.kernel.org/stable/c/cb549925875fa06dd155e49db4ac2c5044c30f9c"}, {"url": "https://git.kernel.org/stable/c/777d02efe3d630cca4c1b63962cec17c57711325"}, {"url": "https://git.kernel.org/stable/c/f62a218a946b19bb59abdd5361da85fa4606b96b"}], "title": "netfilter: xt_CT: drop pending enqueued packets on template removal", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4333E813-9B62-47A7-82DE-20283B6F5D15", "versionEndExcluding": "5.10.253", "versionStartIncluding": "3.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.4:-:*:*:*:*:*:*", "matchCriteriaId": "4CFBA863-6E88-4A63-BFE7-EC13F5475E42", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_CT: drop pending enqueued packets on template removal\n\nTemplates refer to objects that can go away while packets are sitting in\nnfqueue refer to:\n\n- helper, this can be an issue on module removal.\n- timeout policy, nfnetlink_cttimeout might remove it.\n\nThe use of templates with zone and event cache filter are safe, since\nthis just copies values.\n\nFlush these enqueued packets in case the template rule gets removed."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: xt_CT: descartar paquetes pendientes encolados al eliminar la plantilla\n\nLas plantillas se refieren a objetos que pueden desaparecer mientras los paquetes est\u00e1n en nfqueue, se refieren a:\n\n- helper, esto puede ser un problema al eliminar el m\u00f3dulo.\n- pol\u00edtica de tiempo de espera, nfnetlink_cttimeout podr\u00eda eliminarla.\n\nEl uso de plantillas con filtro de cach\u00e9 de zona y eventos es seguro, ya que esto solo copia valores.\n\nVaciar estos paquetes encolados en caso de que la regla de plantilla sea eliminada."}], "id": "CVE-2026-23391", "lastModified": "2026-04-24T18:38:57.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:39.707", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/19a230dec6bb8928e3f96387f9085cf2c79bcef9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/55445134d42b84cb0a272e42c98d233ca65eca83"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/63b8097cea1923fe82cd598068d0796da8c015ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/777d02efe3d630cca4c1b63962cec17c57711325"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cb549925875fa06dd155e49db4ac2c5044c30f9c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cc57506dd66555899560b9c0f24e813f034e12ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d2d0bae0c9a2a17b6990a2966f5cdce0813d6256"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f62a218a946b19bb59abdd5361da85fa4606b96b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: netfilter: xt_CT: drop pending enqueued packets on template removal", "id": "2451269", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451269"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel\u2019s netfilter subsystem. When a netfilter template rule is removed, packets that are still queued and refer to the removed template are not properly dropped. This improper handling of packets could lead to resource exhaustion or unexpected system behavior, potentially resulting in a denial of service."], "name": "CVE-2026-23391", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23391\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23391\nhttps://lore.kernel.org/linux-cve-announce/2026032548-CVE-2026-23391-bb43@gregkh/T"], "statement": "This flaw affects systems using nfqueue with connection tracking templates. When templates referencing helpers or timeout policies are removed while packets are queued, those packets can reference freed objects. The issue occurs during module removal or timeout policy deletion while traffic is being processed via nfqueue.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24de58f465165298aaa8f286b2592f0163706cfe,d2d0bae0c9a2a17b6990a2966f5cdce0813d6256)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24de58f465165298aaa8f286b2592f0163706cfe,63b8097cea1923fe82cd598068d0796da8c015ec)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24de58f465165298aaa8f286b2592f0163706cfe,19a230dec6bb8928e3f96387f9085cf2c79bcef9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24de58f465165298aaa8f286b2592f0163706cfe,cb549925875fa06dd155e49db4ac2c5044c30f9c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24de58f465165298aaa8f286b2592f0163706cfe,777d02efe3d630cca4c1b63962cec17c57711325)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24de58f465165298aaa8f286b2592f0163706cfe,f62a218a946b19bb59abdd5361da85fa4606b96b)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T09:04:47.363793+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a patched release that incorporates the xt_CT module fix.", "Verify that no helper modules or nfnetlink_cttimeout operations are removing netfilter templates while traffic is active.", "Monitor system logs for netfilter packet drop events that may indicate improper template removal."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected systems include all Linux kernel distributions that use the netfilter xt_CT module. Vendor information lists Linux:Linux, and no specific version numbers are provided in the official data.", "description_and_impact": "In the Linux kernel\u2019s netfilter xt_CT module, templates used by zone and event cache filters can be removed while packets are queued. This causes pending enqueued packets to be dropped, which can result in significant packet loss and may lead to denial of service. The weakness is a resource management flaw, classified as CWE\u2013911.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.8, indicating moderate to high severity. The EPSS score is less than 1\u202f%, suggesting a low likelihood of exploitation, and it is not listed in the CISA KEV catalog. Exploitation would require the ability to manipulate the kernel\u2019s netfilter templates\u2014such as by unloading helper modules or triggering nfnetlink_cttimeout to remove them\u2014while traffic is being processed, which implies privileged access to the operating system."}}}}, "created": "2026-03-25T21:31:25.024015+00:00", "updated": "2026-04-28T09:15:09.680417+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-911"]}