{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23392", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.011Z", "datePublished": "2026-03-25T10:33:16.647Z", "dateUpdated": "2026-04-13T06:06:29.778Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T06:06:29.778Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "d2632de96ccb066e0131ad1494241b9c281c60b8", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "adee3436ccd29f1e514c028899e400cbc6d84065", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "7e3955b282eae20d61c75e499c75eade51c20060", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "c8092edb9a11f20f95ccceeb9422b7dd0df337bd", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "e78a2dcc7cfb87b64a631441ca7681492b347ef6", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "d73f4b53aaaea4c95f245e491aa5eeb8a21874ce", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "4.16", "status": "affected"}, {"version": "0", "lessThan": "4.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8"}, {"url": "https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065"}, {"url": "https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060"}, {"url": "https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd"}, {"url": "https://git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6"}, {"url": "https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce"}], "title": "netfilter: nf_tables: release flowtable after rcu grace period on error", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A5DC72A-93EB-4A9B-B708-F1AF1B80B184", "versionEndExcluding": "6.1.167", "versionStartIncluding": "4.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.16:-:*:*:*:*:*:*", "matchCriteriaId": "F60469AF-0A23-41D3-BC6A-C0D9A45A2CBC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: nf_tables: liberar la tabla de flujos despu\u00e9s del per\u00edodo de gracia de RCU en caso de error\n\nLlamar a synchronize_rcu() despu\u00e9s de desregistrar los hooks de la ruta de error, ya que un hook que ya se refiere a esta tabla de flujos puede estar ya registrado, exponiendo esta tabla de flujos a la ruta de paquetes y al plano de control de nfnetlink_hook.\n\nEsta ruta de error es rara, solo deber\u00eda ocurrir al alcanzar el n\u00famero m\u00e1ximo de hooks o al fallar la configuraci\u00f3n para la descarga de hardware; simplemente llamar a synchronize_rcu().\n\nExiste una comprobaci\u00f3n para hooks de dispositivo ya utilizados por una tabla de flujos diferente que podr\u00eda resultar en EEXIST en esta etapa tard\u00eda. El analizador de hooks puede ser actualizado para realizar esta comprobaci\u00f3n antes, para que esta ruta de error realmente se ejercite raramente.\n\nDescubierto por KASAN, reportado como uso despu\u00e9s de liberaci\u00f3n desde la ruta de nfnetlink_hook al volcar los hooks."}], "id": "CVE-2026-23392", "lastModified": "2026-04-24T18:39:15.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:39.873", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: netfilter: nf_tables: release flowtable after rcu grace period on error", "id": "2451218", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451218"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's netfilter component, specifically within the nf_tables subsystem. An error in releasing a flowtable after an RCU (Read-Copy-Update) grace period could lead to a use-after-free vulnerability. This issue could expose the flowtable to the packet path and nfnetlink_hook control plane, potentially allowing a local attacker to cause a system crash (Denial of Service) or achieve arbitrary code execution."], "name": "CVE-2026-23392", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23392\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23392\nhttps://lore.kernel.org/linux-cve-announce/2026032548-CVE-2026-23392-fd9d@gregkh/T"], "statement": "This flaw affects nftables flowtable configurations. When flowtable setup fails (max hooks reached, hardware offload failure, or duplicate device), the error path frees the flowtable without synchronize_rcu(), allowing concurrent access from packet path or nfnetlink_hook. KASAN detected this as UAF during hook dumping.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,d2632de96ccb066e0131ad1494241b9c281c60b8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,adee3436ccd29f1e514c028899e400cbc6d84065)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,7e3955b282eae20d61c75e499c75eade51c20060)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,c8092edb9a11f20f95ccceeb9422b7dd0df337bd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,e78a2dcc7cfb87b64a631441ca7681492b347ef6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,d73f4b53aaaea4c95f245e491aa5eeb8a21874ce)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T09:04:22.503894+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the fix for CVE\u20112026\u201123392.", "If an immediate update is not possible, reduce the number of nf_tables hooks and disable hardware offload features that may cause hook\u2011registration failures, then monitor for related kernel errors.", "Consider using KASAN\u2011enabled builds or other memory\u2011sanitization tools during testing to confirm the use\u2011after\u2011free has been eliminated."], "summary": {"action": "Apply Patch", "impact": "Memory corruption (Use\u2011after\u2011free)"}, "threat_synthesis": {"affected_systems": "All Linux kernel implementations that include the nf_tables module are affected. The vulnerability is not tied to a specific kernel version, so any distributions running an unpatched kernel that contains this code path remain vulnerable until a corrective update is applied.", "description_and_impact": "The flaw resides in the Linux kernel\u2019s nf_tables component, where a flowtable can be freed before a required RCU grace period when an error occurs during hook deregistration. This results in a use\u2011after\u2011free condition (CWE\u2011416) that exposes freed kernel memory to packet processing and nfnetlink control\u2011plane paths. An attacker capable of repeatedly triggering this rare error path\u2014such as by forcing the maximum hook count or inducing a hardware offload failure\u2014could corrupt kernel memory, crash the system, or potentially execute arbitrary code if they can control the freed memory contents.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, while an EPSS score below 1\u202f% suggests exploitation is unlikely but not impossible. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires precise control of kernel\u2011level operations to trigger the hook\u2011registration error; once triggered, the use\u2011after\u2011free (CWE\u2011416) can lead to memory corruption, denial of service, or privilege escalation, making the overall risk high if the attack conditions can be met."}}}}, "created": "2026-03-25T21:31:24.063318+00:00", "updated": "2026-04-28T09:15:09.679514+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}