HIGH
netfilter IDLETIMER Panic
CVE-2026-23274
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI5.3MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
02KernelScan AI Analysis
Risk summary
Systems using netfilter IDLETIMER rules with mixed revision types can experience kernel panic when panic_on_warn=1 is set. This affects network filtering configurations that reuse timer labels between different IDLETIMER rule revisions. On default kernels, the vulnerability is reachable with CAP_NET_ADMIN obtained via user namespaces, allowing unprivileged local users or container workloads to trigger the panic.
Vulnerability analysis
The root cause is a type confusion bug where IDLETIMER revision 0 rules attempt to call mod_timer() on timer->timer without checking if the existing timer object was created by revision 1 with XT_IDLETIMER_ALARM semantics. In ALARM-type timers, timer->timer is never initialized, leading to mod_timer() operating on an uninitialized timer_list. This triggers debugobjects warnings and can cause kernel panic if panic_on_warn=1. The fix adds a validation check to reject revision 0 rule insertion when an existing timer with the same label uses ALARM type, preventing the dangerous type mixing.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 32e937dc6e97 |
| 5.15 | 5.15.203 | 144f88054ba0 |
| 6.1 | 6.1.167 | 28c7cfaf0c0a |
| 6.12 | 6.12.78 | 5e7ece24c5cb |
| 6.18 | 6.18.19 | f5ef97c13165 |
| 6.19 | 6.19.9 | f228b9ae2a7e |
| 6.6 | 6.6.130 | 540803559993 |
| mainline | 7.0 | 329f0b9b48ee |