HIGH
netfilter Catchall UAF
CVE-2026-23278
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: always walk all pending catchall elements

During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch. If the map holding the catchall elements is also going away, it's required to toggle all catchall elements and not just the first viable candidate. Otherwise, we get:

WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
[..]
__nft_set_elem_destroy+0x106/0x380 [nf_tables]
nf_tables_abort_release+0x348/0x8d0 [nf_tables]
nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
nfnetlink_rcv_batch+0x9c9/0x20e0
[..]
02 KernelScan AI Analysis
Risk summary
Systems using nftables with maps that contain catchall elements are exposed to kernel warnings and potential crashes when a user holding CAP_NET_ADMIN modifies firewall rules. On default kernels, unprivileged users can obtain CAP_NET_ADMIN inside a user namespace, so the attack surface extends to multi-tenant and container environments. Affected deployments include network appliances, firewalls, routers, and multi-user systems that rely on nftables for packet filtering.
Vulnerability analysis
The vulnerability lies in netfilter's nf_tables transaction processing, where catchall elements held in maps are not fully cleaned up. The root cause is an early break in nft_map_catchall_deactivate() and nft_map_catchall_activate(): the loop stops at the first viable catchall element instead of walking every pending one during map destruction. When a map holding more than one catchall element (for example, one live element plus one pending in the current batch) is destroyed, the elements that were skipped keep stale references, and a use-after-free is triggered when the transaction is aborted. The fix removes the break statements so that every catchall element is processed. Because the defect is a heap use-after-free, it can potentially enable information disclosure and limited memory corruption in addition to denial of service.
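A defender's first question for an advisory like this is whether a given host already runs a fixed release. The following POSIX shell script is an added example, not part of the KernelScan page or the kernel project's tooling: it compares a kernel version string (as reported by uname -r) against the stable-branch fix versions listed in the Fix Versions table below (6.12.78, 6.18.19, 6.19.9 and mainline 7.0). Distro suffixes such as "-generic" are stripped before comparison, and branches not present in that table are reported as unknown rather than guessed. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: check a kernel version against the CVE-2026-23278 fix table.
# The branch/version pairs below are copied from the advisory's Fix Versions
# table; everything else (names, logic) is this example's own construction.

# Stable branches and the first release that carries the fix, as "branch:fixed".
FIX_TABLE='6.12:6.12.78 6.18:6.18.19 6.19:6.19.9'
# First mainline release carrying the fix.
MAINLINE_FIXED='7.0'

# vercmp A B: print -1, 0 or 1 for dotted numeric versions (missing parts are 0).
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    case $a in *.*) a=${a#*.};; *) a='';; esac
    case $b in *.*) b=${b#*.};; *) b='';; esac
  done
  echo 0
}

# cve_2026_23278_status VERSION: print "fixed", "vulnerable" or "unknown".
# "unknown" means the version's branch is not covered by the fix table.
cve_2026_23278_status() {
  v=${1%%-*}   # drop distro suffix, e.g. "6.12.78-generic" -> "6.12.78"
  v=${v%%+*}   # drop local-build marker, e.g. "6.12.78+" -> "6.12.78"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  branch="$major.$minor"

  for entry in $FIX_TABLE; do
    br=${entry%%:*}; fixed=${entry#*:}
    if [ "$br" = "$branch" ]; then
      if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then echo fixed; else echo vulnerable; fi
      return
    fi
  done

  # Not a listed stable branch: only a mainline release at or past the fix
  # can be called fixed; anything older is outside the advisory's table.
  if [ "$(vercmp "$v" "$MAINLINE_FIXED")" -ge 0 ]; then echo fixed; else echo unknown; fi
}

# Stand-alone use: report on the running kernel.
# printf 'CVE-2026-23278: %s (%s)\n' "$(cve_2026_23278_status "$(uname -r)")" "$(uname -r)"
```

Run it with `. ./check.sh; cve_2026_23278_status "$(uname -r)"` on a host to get a one-word status. Distribution kernels that backport the fix without bumping the upstream version will show as vulnerable here; for those, the distro's own security tracker is the authority.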
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.20 | 4.20 | eb0948fa1329 |
| 5.11 | 5.11 | 77c26b5056d6 |
| 5.16 | 5.16 | 7cb9a23d7ae4 |
| 5.5 | 5.5 | de47a88c6b80 |
| 6.12 | 6.12.78 | — |
| 6.18 | 6.18.19 | — |
| 6.19 | 6.19.9 | — |
| 6.2 | 6.2 | — |
| 6.4 | 6.4 | — |
| mainline | 7.0 | — |