Skip to main content

Linux CVE-2026-23392

| EUVDEUVD-2026-15393 HIGH
Use After Free (CWE-416)
2026-03-25 Linux GHSA-f5vj-m443-mgw6
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 18:52 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15393
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:33 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release flowtable after rcu grace period on error

Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.

This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu().

There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised.

Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.

AnalysisAI

A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables flowtable implementation during error handling in the hook registration path. When hook registration fails (due to reaching maximum hook limits or hardware offload setup failures), the flowtable is not properly synchronized with RCU grace periods before being released, allowing concurrent packet processing or control plane operations (nfnetlink_hook) to access freed memory. This vulnerability affects all Linux kernel versions with the vulnerable nf_tables code and was discovered via KASAN reports during hook dumping operations; while not currently listed in known exploited vulnerabilities (KEV) databases, the use-after-free nature presents a real risk for denial of service or information disclosure in environments utilizing netfilter flowtables.

Technical ContextAI

The vulnerability resides in the Linux kernel's netfilter subsystem (CPE: cpe:2.3:a:linux:linux), specifically within the nf_tables flowtable hook registration error handling path. Flowtables are a kernel-based connection tracking optimization mechanism used for high-performance packet forwarding. The root cause is a synchronization issue where the kernel fails to call synchronize_rcu() after unregistering hooks during error conditions, violating RCU (Read-Copy-Update) semantics that protect against use-after-free in concurrent contexts. The error path is triggered when either the maximum number of hooks is exceeded or hardware offload configuration fails (EEXIST errors from duplicate device hooks). The vulnerability was uncovered through KASAN (Kernel Address Sanitizer) instrumentation detecting use-after-free access patterns when the nfnetlink_hook control plane dumped active hooks, indicating that packet processing code could concurrently access the flowtable structure after it was freed.

RemediationAI

Apply the upstream kernel patch immediately by upgrading to a patched kernel version corresponding to your distribution and branch. The fix involves adding synchronize_rcu() calls in the nf_tables flowtable error handling path, as implemented in the referenced kernel commits. Verify your kernel version contains one of the stable commit hashes (d2632de96ccb066e0131ad1494241b9c281c60b8 or equivalents across branches) by checking kernel release notes or using git log. Until patching is feasible, administratively disable hardware offload for netfilter flowtables via sysctl or module parameters to eliminate the primary error trigger, and monitor system logs for KASAN warnings indicating use-after-free. For production environments, prioritize patching as the sole reliable mitigation, since workarounds are limited and the vulnerability is only triggered under specific operational conditions (resource exhaustion or hardware offload configuration).

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid vulnerable 6.19.8-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy