HIGH
netfilter BPF Link UAF
CVE-2026-23412
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: defer hook memory release until rcu readers are done

Yiming Qian reports UaF when a concurrent process is dumping hooks via nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]

Defer release until after concurrent readers have completed.
02 KernelScan AI Analysis
Risk summary
A local attacker who can create netfilter BPF links can release (close) one while another task is dumping the same hook list via nfnetlink, so that the dumper dereferences link memory that has already been freed. The outcome ranges from a kernel crash (as in the KASAN report above) to memory corruption and, if the attacker can control what reuses the freed slab object, privilege escalation.
Vulnerability analysis
Summary: Use-after-free vulnerability in netfilter BPF link deallocation due to improper RCU synchronization
Root Cause: struct bpf_nf_link embeds the struct nf_hook_ops that is registered with netfilter, and the per-hook entries array that the nfnetlink_hook dumper walks under rcu_read_lock() points at that embedded ops. On link release the hook is unregistered and the old entries array is reclaimed only after an RCU grace period, but the link itself was freed immediately through the .dealloc callback. A dumper that had already picked up the old entries array could therefore still follow an ops pointer into the freed link, which is the slab-use-after-free KASAN reports in nfnl_hook_dump_one().
Attack Surface: Local. The attacker needs to create a netfilter BPF link (load a BPF_PROG_TYPE_NETFILTER program and attach it with BPF_LINK_CREATE), release it, and race that against a hook dump over nfnetlink (NFNL_SUBSYS_HOOK). Both sides are privileged in practice: loading a netfilter program requires CAP_NET_ADMIN together with CAP_BPF (or CAP_SYS_ADMIN), and nfnetlink requests are rejected without CAP_NET_ADMIN in the socket's network namespace. The CVSS vector's PR:L therefore understates the access needed; the issue matters mostly where those capabilities are delegated to otherwise untrusted workloads (containers, CI runners, network management daemons).
Fix Mechanism: The link ops switched from .dealloc to .dealloc_deferred in bpf_nf_link_lops. With .dealloc_deferred, bpf_link_free() hands the link to call_rcu() (preceded by call_rcu_tasks_trace() when the attached program is sleepable) instead of invoking the callback directly, so the memory holding the embedded nf_hook_ops outlives every RCU read-side critical section that could still reach it, including the hook dumper.
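The interleaving described above, as an added example that is not kernel code and not part of the original advisory: a user-space model in which a dumper snapshots the hook list inside its read-side section, a second task releases the link, and the dumper then keeps walking the snapshot. The "RCU" here is a toy single-threaded quiescent-state scheme (reader counter plus a callback queue drained when the last reader leaves), the structs are stripped-down stand-ins with the same shape as the kernel's (the ops embedded in the link, an RCU-reclaimed array of ops pointers), and the poison check in dump_hooks() stands in for KASAN. All names and values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIVE_MAGIC   0x4c494e4bu  /* "LINK": set while the owning link is alive */
#define MAX_HOOKS    8
#define MAX_DEFERRED 8

/* Constructed stand-ins for the kernel structures. */
struct nf_hook_ops {
	unsigned int magic;   /* LIVE_MAGIC until the link is freed, poison afterwards */
	int priority;
};

struct bpf_nf_link {
	int id;
	bool freed;
	struct nf_hook_ops hook_ops;   /* embedded in the link, as in net/netfilter/nf_bpf_link.c */
};

struct nf_hook_entries {
	size_t num;
	struct nf_hook_ops *ops[MAX_HOOKS];
};

/* Toy RCU: readers bump a counter; callbacks queued by call_rcu() run when the
 * last reader leaves, which models the end of a grace period. Single-threaded. */
typedef void (*rcu_cb_t)(void *);
static struct { rcu_cb_t cb; void *arg; } deferred[MAX_DEFERRED];
static size_t ndeferred;
static int rcu_readers;

static void rcu_read_lock(void) { rcu_readers++; }

static void rcu_read_unlock(void)
{
	if (--rcu_readers > 0)
		return;
	/* Grace period over: everything queued while readers were active is now safe. */
	for (size_t i = 0; i < ndeferred; i++)
		deferred[i].cb(deferred[i].arg);
	ndeferred = 0;
}

static void call_rcu(void *arg, rcu_cb_t cb)
{
	if (rcu_readers == 0) {
		cb(arg);
		return;
	}
	deferred[ndeferred].cb = cb;
	deferred[ndeferred].arg = arg;
	ndeferred++;
}

size_t pending_callbacks(void) { return ndeferred; }

/* Published hook list for one (protocol family, hook) slot. */
static struct nf_hook_entries *hook_head;

static void free_hook_entries(void *p) { free(p); }

/* Replace the published array by a copy with @add appended and @del removed; the
 * old array is reclaimed after a grace period, like nf_hook_entries_free(). */
static void publish_hooks(struct nf_hook_ops *add, struct nf_hook_ops *del)
{
	struct nf_hook_entries *old = hook_head;
	struct nf_hook_entries *nxt = calloc(1, sizeof(*nxt));

	for (size_t i = 0; old && i < old->num; i++)
		if (old->ops[i] != del)
			nxt->ops[nxt->num++] = old->ops[i];
	if (add)
		nxt->ops[nxt->num++] = add;
	hook_head = nxt;                 /* rcu_assign_pointer() */
	if (old)
		call_rcu(old, free_hook_entries);
}

/* Link dealloc: poison the embedded ops so a stale reader is detectable (KASAN stand-in). */
static void bpf_nf_link_dealloc(void *p)
{
	struct bpf_nf_link *link = p;

	memset(&link->hook_ops, 0x6b, sizeof(link->hook_ops));
	link->freed = true;
}

/* Release the link: unregister its hook, then free the link at once (.dealloc,
 * vulnerable) or after a grace period (.dealloc_deferred, fixed). */
static void bpf_nf_link_put(struct bpf_nf_link *link, bool deferred_dealloc)
{
	publish_hooks(NULL, &link->hook_ops);      /* nf_unregister_net_hook() */
	if (deferred_dealloc)
		call_rcu(link, bpf_nf_link_dealloc);
	else
		bpf_nf_link_dealloc(link);
}

/* nfnl_hook_dump_one() walks its snapshot under rcu_read_lock(); returns how many
 * ops pointers led into memory that had already been freed. */
static int dump_hooks(const struct nf_hook_entries *snapshot)
{
	int dangling = 0;

	for (size_t i = 0; i < snapshot->num; i++)
		if (snapshot->ops[i]->magic != LIVE_MAGIC)
			dangling++;
	return dangling;
}

/* The reported race: returns 1 with immediate dealloc, 0 with deferred dealloc. */
int race(bool deferred_dealloc)
{
	struct bpf_nf_link *link = calloc(1, sizeof(*link));
	const struct nf_hook_entries *snapshot;
	int dangling;

	link->id = 1;
	link->hook_ops.magic = LIVE_MAGIC;
	publish_hooks(&link->hook_ops, NULL);       /* BPF_LINK_CREATE -> nf_register_net_hook() */

	rcu_read_lock();                            /* dumper task enters nfnl_hook_get() */
	snapshot = hook_head;                       /* rcu_dereference() of the hook list */

	bpf_nf_link_put(link, deferred_dealloc);    /* other task: close(link_fd) */

	dangling = dump_hooks(snapshot);            /* dumper keeps walking the old array */
	rcu_read_unlock();                          /* grace period ends, callbacks run */

	free(link);                                 /* link->freed is true on both paths here */
	free(hook_head);
	hook_head = NULL;
	return dangling;
}

int main(void)
{
	printf(".dealloc          : %d stale ops dereferenced\n", race(false));
	printf(".dealloc_deferred : %d stale ops dereferenced\n", race(true));
	return 0;
}
```

The point the model makes is that unregistering the hook is not enough: the old entries array is correctly RCU-reclaimed on both paths, but it still points into the link, so the link's own lifetime has to be tied to the same grace period. That is exactly what moving the callback from .dealloc to .dealloc_deferred does.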
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.6 | 6.6.130 | d016c216bc75 |
| 6.12 | 6.12.78 | cb2bf5efdb02 |
| 6.18 | 6.18.20 | c25e0dec366a |
| 6.19 | 6.19.10 | 54244d54a971 |
| mainline | 7.0 | 24f90fa3994b |