Skip to main content

Linux CVE-2026-23391

| EUVDEUVD-2026-15392 HIGH
2026-03-25 Linux GHSA-qqcv-h6xq-mw7q
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15392
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:33 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_CT: drop pending enqueued packets on template removal

Templates refer to objects that can go away while packets are sitting in nfqueue refer to:

  • helper, this can be an issue on module removal.
  • timeout policy, nfnetlink_cttimeout might remove it.

The use of templates with zone and event cache filter are safe, since this just copies values.

Flush these enqueued packets in case the template rule gets removed.

AnalysisAI

Local privilege escalation in Linux kernel netfilter subsystem (xt_CT module) allows authenticated attackers with low privileges to achieve arbitrary code execution, information disclosure, and denial of service. The vulnerability stems from improper handling of packets enqueued in nfqueue when connection tracking templates are removed, creating use-after-free conditions on helper modules or timeout policies. Patches released across stable branches 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and mainline 7.0-rc5. EPSS score of 0.02% (7th percentile) indicates low probability of mass exploitation despite 7.8 CVSS severity, with no KEV listing or public POC identified.

Technical ContextAI

This vulnerability affects the Linux kernel's netfilter xt_CT module, specifically the connection tracking template mechanism used with nfqueue packet queueing. Connection tracking templates are reference objects that can include helper modules (for protocol-specific connection tracking like FTP or SIP) and timeout policies managed via nfnetlink_cttimeout. When packets are queued in nfqueue and reference these templates, a race condition occurs if the template rule is removed before packet processing completes. The core issue is a lifetime management problem: template objects (helpers or timeout policies) can be deallocated (via module unload or policy deletion) while queued packets still hold references. This creates classic use-after-free conditions where packet processing code accesses freed memory. The vulnerability is isolated to configurations using connection tracking templates with either helper modules or custom timeout policies - zone templates and event cache filters are explicitly safe as they copy values rather than maintain references. The affected code path is in net/netfilter/xt_CT.c, present since kernel 3.4 when this functionality was introduced in commit 24de58f46516.

RemediationAI

Upgrade to patched kernel versions: 6.1.167 or later for 6.1.x series, 6.6.130+ for 6.6.x, 6.12.78+ for 6.12.x, 6.18.20+ for 6.18.x, 6.19.10+ for 6.19.x, or 7.0-rc5+ for mainline. Upstream patches available at git.kernel.org stable commits 777d02efe3d6 (mainline), d2d0bae0c9a2 (stable), 63b8097cea19, 19a230dec6bb, cb549925875f, and f62a218a946b. If immediate patching is infeasible, implement compensating controls: disable loading of netfilter helper modules (echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper, add nf_conntrack_helper=0 to kernel boot parameters) to prevent helper-based exploitation vector - this breaks applications relying on connection tracking helpers like active FTP, SIP, or TFTP. Restrict CAP_NET_ADMIN capability to trusted users only via capability bounding sets or LSM policies to prevent untrusted users from manipulating connection tracking rules. Audit existing iptables/nftables rules for CT target usage with --helper or --timeout options and remove if not operationally required. Note that disabling helpers may break legitimate application functionality requiring stateful inspection of complex protocols. For production environments, test helper disablement in staging before deployment.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid vulnerable 6.19.8-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy