KernelScan.io

HIGH

netfilter NFTables Race

CVE-2026-23272

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 5.8 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unconditionally bump set->nelems before insertion

In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.

To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state. As for element updates, decrement set->nelems to restore it.

A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.


Engine v0.2.0

Risk summary

Local attackers holding CAP_NET_ADMIN (obtainable through unprivileged user namespaces on default kernel configurations) can trigger a use-after-free in the netfilter nf_tables set element insertion path. A race between inserting an element into a full set and concurrent RCU readers (e.g., packet processing walking the set) allows access to freed memory, leading to information disclosure, memory corruption, and kernel crashes. Multi-tenant and container environments in which untrusted users can acquire CAP_NET_ADMIN are at elevated risk.

Affected: net/netfilter/nf_tables_api.c (netfilter)

Vulnerability analysis

The vulnerability is a use-after-free (UAF) caused by missing RCU synchronization in nf_tables set element insertion. When an element was added to an already-full set, the old code published the element to RCU-visible data structures and then immediately removed and freed it without waiting for an RCU grace period. Concurrent RCU readers traversing the set could therefore dereference partially constructed or already-freed memory. The fix performs the element accounting (set->nelems) before insertion and makes the abort path unwind the set to its previous state without freeing memory that RCU readers may still reference. Manipulating nftables over netlink requires CAP_NET_ADMIN, which unprivileged users can obtain through user namespaces on many default kernel configurations. Successful exploitation can result in information leakage from the kernel heap (C:Low), memory corruption (I:Low), and denial of service via kernel panic (A:High).


Branch      Fixed in    Patch commit
4.10        4.10        e3ccb11fc824
6.12        6.12.91     6826131c7674
6.18        6.18.17     ccb8c8f3c112
6.19        6.19.7      def602e498a4
6.6         6.6.141     86bc4b1a0f67
mainline    7.0
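The table above gives the first stable release on each branch that carries the fix. The following POSIX shell script is an added example, not KernelScan's own tooling: it normalizes a kernel version string (as printed by uname -r) and compares it against the stable-branch rows (6.6, 6.12, 6.18, 6.19) and the mainline row (7.0 and later). Any branch not listed in the table is reported as unknown-branch rather than silently treated as fixed. It assumes the upstream version number is meaningful; distributions that backport the patch without changing the version (vendor kernels, long-term enterprise branches) will be misreported, so cross-check against the distribution's own advisory in that case.

```shell
#!/bin/sh
# Added example (not KernelScan's code): check a kernel version string
# against the fixed-in versions for CVE-2026-23272 listed on this page.

# Stable branches and the first release carrying the fix, from the table above.
# One "<branch> <fixed-in>" pair per line.
FIXED_TABLE="6.6 6.6.141
6.12 6.12.91
6.18 6.18.17
6.19 6.19.7"

# Reduce "6.12.91-generic", "6.6.141+" or "7.0-rc1" to the leading x.y[.z].
normalize_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
}

# Numerically compare two x.y[.z] versions; prints -1, 0 or 1.
# A missing third component is treated as 0 (so 7.0 == 7.0.0).
version_cmp() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        ai=$(printf '%s\n' "$a" | cut -d. -f"$i")
        bi=$(printf '%s\n' "$b" | cut -d. -f"$i")
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# cve_status <kernel-version>
# Prints one of: fixed | vulnerable | unknown-branch
cve_status() {
    v=$(normalize_version "$1")
    branch=$(printf '%s\n' "$v" | cut -d. -f1,2)

    # Mainline row: 7.0 and anything newer carries the fix.
    if [ "$(version_cmp "$v" "7.0.0")" -ge 0 ]; then
        printf '%s\n' fixed
        return
    fi

    # Stable rows: fixed if at or past the branch's fixed-in release.
    result=$(printf '%s\n' "$FIXED_TABLE" | while read -r b fixed; do
        if [ "$b" = "$branch" ]; then
            if [ "$(version_cmp "$v" "$fixed")" -ge 0 ]; then
                printf '%s\n' fixed
            else
                printf '%s\n' vulnerable
            fi
            break
        fi
    done)

    # Branches absent from the table (e.g. 6.1, 5.15) are not assumed safe.
    printf '%s\n' "${result:-unknown-branch}"
}

# Usage: ./check.sh [kernel-version]; defaults to the running kernel.
if [ "$#" -gt 0 ]; then
    cve_status "$1"
else
    cve_status "$(uname -r)"
fi
```

The comparison is purely numeric on the upstream version, which is why unknown-branch is a distinct outcome: a 6.1 or 5.15 kernel has no row on this page, and reporting it as either fixed or vulnerable would be a guess.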