CVE-2026-23391: netfilter Template UAF
Severity: HIGH (CVSS 7.8, KernelScan AI rating)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_CT: drop pending enqueued packets on template removal

Templates refer to objects that can go away while packets are sitting in nfqueue, namely:
- helper: this can be an issue on module removal.
- timeout policy: nfnetlink_cttimeout might remove it.

The use of templates with zone and event cache filter is safe, since this just copies values.

Flush these enqueued packets in case the template rule gets removed.
KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in netfilter's xt_CT target allows local attackers with CAP_NET_ADMIN to crash the kernel or potentially execute arbitrary code. The bug occurs when a connection-tracking template that references a helper or a timeout policy is destroyed while packets that still reference it remain queued in nfqueue; subsequent processing of those packets then dereferences a dangling pointer.
Vulnerability analysis
The vulnerability stems from improper lifecycle management in the xt_CT netfilter target. When a template that references a helper module or a timeout policy is destroyed, either by rule removal or by deletion of the policy through nfnetlink_cttimeout, packets already enqueued in nfqueue keep references to the freed objects. The fix calls nf_queue_nf_hook_drop() to flush the pending packets before the template is destroyed, so the freed objects can no longer be dereferenced. On default kernels, CAP_NET_ADMIN can be obtained inside a user namespace, so an otherwise unprivileged local user can reach the vulnerable code.
Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 55445134d42b |
| 5.15 | 5.15.203 | cc57506dd665 |
| 6.1 | 6.1.167 | d2d0bae0c9a2 |
| 6.6 | 6.6.130 | 63b8097cea19 |
| 6.12 | 6.12.78 | 19a230dec6bb |
| 6.18 | 6.18.20 | cb549925875f |
| 6.19 | 6.19.10 | 777d02efe3d6 |
| mainline | 7.0 | f62a218a946b |