Skip to main content

Linux CVE-2026-23399

| EUVDEUVD-2026-16909 MEDIUM
Memory Leak (CWE-401)
2026-03-28 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 28, 2026 - 07:30 euvd
EUVD-2026-16909
Analysis Generated
Mar 28, 2026 - 07:30 vuln.today
CVE Published
Mar 28, 2026 - 07:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nf_tables: nft_dynset: fix possible stateful expression memleak in error path

If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place without being released.

unreferenced object (percpu) 0x607b97e9cab8 (size 16): comm "softirq", pid 0, jiffies 4294931867 hex dump (first 16 bytes on cpu 3): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace (crc 0): pcpu_alloc_noprof+0x453/0xd80 nft_counter_clone+0x9c/0x190 [nf_tables] nft_expr_clone+0x8f/0x1b0 [nf_tables] nft_dynset_new+0x2cb/0x5f0 [nf_tables] nft_rhash_update+0x236/0x11c0 [nf_tables] nft_dynset_eval+0x11f/0x670 [nf_tables] nft_do_chain+0x253/0x1700 [nf_tables] nft_do_chain_ipv4+0x18d/0x270 [nf_tables] nf_hook_slow+0xaa/0x1e0 ip_local_deliver+0x209/0x330

AnalysisAI

Memory leak in Linux kernel nf_tables nft_dynset module allows local denial of service through failed stateful expression cloning during dynamic set operations. When the second stateful expression clone fails under GFP_ATOMIC memory allocation, the first expression is not properly released, accumulating percpu memory allocations that exhaust kernel memory. This affects all Linux kernel versions until patched, with exploitation requiring local system access to trigger the nf_tables dynamic set evaluation code path.

Technical ContextAI

The vulnerability exists in the nf_tables netfilter subsystem, specifically in the nft_dynset (dynamic set) module that handles dynamic rule evaluation and state tracking. The affected code path involves nft_dynset_new() which attempts to clone multiple stateful expressions (such as nft_counter) via nft_expr_clone() during element insertion into a dynamic set. When cloning the second stateful expression fails due to memory allocation failure under GFP_ATOMIC constraints (atomic context where blocking is forbidden), the code exits the error path without calling nft_expr_destroy() or similar cleanup on the already-cloned first expression. This results in a reference leak of percpu-allocated memory structures. The root cause is improper resource cleanup sequencing in error handling paths, classified as a resource management weakness (CWE-401: Missing Release of Memory after Effective Lifetime or similar). The percpu allocator is used to allocate per-CPU counter state, and each leaked allocation consumes 16 bytes per CPU, multiplied across systems with many CPUs.

RemediationAI

Apply the vendor-released patch via kernel update to the latest stable branch version: Linux 6.1.24 or later (6.1 branch), Linux 6.6.10 or later (6.6 branch), Linux 6.12.x with fix commit c88a9fd26cee365bec932196f76175772a941cca or later, or Linux 5.15.x with fix commit 0548a13b5a145b16e4da0628b5936baf35f51b43 or later. The fix ensures proper error-path cleanup by releasing all cloned expressions if a subsequent clone operation fails. System administrators should upgrade their kernel via distribution package management (apt update && apt upgrade, yum update, etc.) and reboot. If immediate patching is not feasible, mitigate by disabling nf_tables dynamic set rules on affected systems, though this may impact firewall or traffic control functionality. Verify fix application by confirming kernel version post-patch via uname -r and reviewing stable branch commits at https://git.kernel.org/stable/.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky vulnerable 6.19.8-1 -
sid fixed 6.19.10-1 -
(unstable) fixed 6.19.10-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy