KernelScan.io

HIGH

netfilter Pipapo GC UAF

CVE-2026-23351

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: split gc into unlink and reclaim phase

Yiming Qian reports a use-after-free in the pipapo set type:

Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service).

We must split GC into an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version.

This is a similar approach as done recently for the rbtree backend in commit 35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").


Engine v0.2.0

Risk summary

This use-after-free vulnerability in netfilter's pipapo set garbage collection could allow an attacker to cause memory corruption by exploiting race conditions during element expiration. While primarily causing denial of service through kernel crashes or soft lockups, the memory corruption could potentially be leveraged for privilege escalation in certain scenarios. The vulnerability affects systems using nftables with range-based filtering rules and is triggered through network traffic processing.

Affected: net/netfilter/nft_set_pipapo.c

Vulnerability analysis

Root Cause: The pipapo set type's garbage collection (GC) mechanism had a race condition where expired elements could be freed via call_rcu() while still being accessible to concurrent readers. The original code performed GC in a single phase during commit, immediately queuing expired elements for RCU-based freeing. However, dump operations or element lookups starting after call_rcu() fired could still observe the freed element if the commit phase hadn't progressed far enough to swap the clone and live pointers before new readers accessed the old version.

Attack Surface: This vulnerability affects netfilter's nftables pipapo set type, which is used for range-based packet filtering rules. The attack surface is primarily network-facing as it involves packet processing paths. An attacker could potentially trigger the use-after-free by causing a large number of set elements to expire simultaneously, creating a race condition between the garbage collector and concurrent packet processing or rule dump operations. The vulnerability requires the system to be processing network traffic through nftables rules that use pipapo sets.

Fix Mechanism: The fix splits garbage collection into two distinct phases: (1) An 'unlink' phase (pipapo_gc_scan) that identifies expired elements and marks them for removal but doesn't free them yet, storing them in a gc_head list, and (2) A 'reclaim' phase (pipapo_gc_queue) that only executes after the live/clone pointer swap is complete, safely queuing the previously identified expired elements for actual memory reclamation. This ensures that no element is freed while it might still be visible to concurrent readers.


Branch     Fixed in    Patch commit
5.10       5.10.253    65ca51b9fb85
5.15       5.15.203    c0f1f85097ac
6.1        6.1.167     16f3595c0441
6.12       6.12.77     c12d570d7192
6.18       6.18.17     500a50a301ce
6.19       6.19.7      aff13667708d
6.6        6.6.130     7864c667aed0
mainline   7.0         9df95785d3d8