Skip to main content

Linux CVE-2026-23231

HIGH
Use After Free (CWE-416)
2026-03-04 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Linux Use After Free Information Disclosure Memory Corruption
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
CVE Published
Mar 04, 2026 - 13:15 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix use-after-free in nf_tables_addchain()

nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between.

This creates two use-after-free conditions:

  1. Control-plane: nf_tables_dump_chains() traverses table->chains

under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it.

  1. Packet path: for NFPROTO_INET, nf_register_net_hook() briefly

installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain.

Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.

AnalysisAI

A use-after-free vulnerability in the Linux kernel's netfilter nf_tables chain registration allows local attackers with user privileges to trigger memory corruption and cause a denial of service, potentially leading to privilege escalation. The flaw occurs when hook registration fails during chain addition, allowing concurrent operations to access freed memory without proper RCU synchronization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Unprivileged user creates nf_tables chain
Delivery
Hook registration fails during addchain()
Exploit
Use-after-free in chain traversal
Execution
Read/write kernel memory
Impact
Privilege escalation to root
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Linux kernel with nf_tables module loaded, unprivileged user with netlink socket access to create firewall rules, race condition between chain addition and concurrent nf_tables_dump_chains() traversal required. Additional conditions and limiting factors are described in the full assessment.
Exploit Scenario An attacker could exploit this vulnerability to compromise the affected system.
Remediation Monitor vendor advisories for a patch. Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Liberty Linux 8 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected

Share

CVE-2026-23231 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy