Skip to main content

Linux CVE-2026-23458

| EUVDEUVD-2026-18716 HIGH
Use After Free (CWE-416)
2026-04-03 Linux
High
Disputed · 7.8 Vendor: Linux
Share

Severity by source

Sources disagree (Low–High)
Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
4.4 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56,5cb81eeda909dbb2def209dd10636b51549a3f8a
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18716
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()

ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext.

The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose.

Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily.

BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133

CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: <TASK> ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0

Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180

Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0

AnalysisAI

Use-after-free in Linux kernel netfilter ctnetlink module allows local attackers to read freed kernel memory by triggering multiple-round netlink dump operations on conntrack expectations, exploiting improper reference counting in ctnetlink_dump_exp_ct() that drops conntrack references before the dump callback completes. The vulnerability requires local network namespace access and CAP_NET_ADMIN capability but enables information disclosure of kernel heap contents via KASAN-detected slab-use-after-free on ct->ext dereference.

Technical ContextAI

The netfilter conntrack netlink (ctnetlink) interface in the Linux kernel provides netlink sockets for userspace management of connection tracking state. The vulnerable function ctnetlink_dump_exp_ct() initiates netlink dump operations for conntrack expectations but fails to properly manage reference counting across multi-round dump iterations. Specifically, the function stores a conntrack pointer in the netlink_dump_control callback context (cb->data) but immediately releases the reference via nf_ct_put() before returning from netlink_dump_start(). When userspace requests additional data via recvmsg(), the kernel invokes ctnetlink_exp_ct_dump_table() which dereferences the freed conntrack object via nfct_help(ct), leading to out-of-bounds memory access on the ct->ext member. The root cause is the absence of .start and .done callback handlers in netlink_dump_control to manage the conntrack reference lifecycle, a pattern correctly implemented in other ctnetlink dump functions like ctnetlink_get_conntrack(). The vulnerability is classified as CWE-use-after-free (implicit from KASAN output and description).

RemediationAI

Patch immediately by updating the Linux kernel to a version containing the upstream fix. Affected systems should apply the commits from the stable kernel branch corresponding to their kernel series: verify your kernel version and apply the relevant patch from git.kernel.org/stable using the provided commit hashes (bdf2724eefd4455a66863abb025bab8d3aa98c57 for mainline or corresponding backports for stable branches). For systems unable to patch immediately, mitigate by restricting CAP_NET_ADMIN and netlink socket access via LSM policies (AppArmor, SELinux) or container runtime constraints (pod security policies, seccomp). Monitor system logs for KASAN use-after-free warnings in ctnetlink code paths. Kernel distributions (Ubuntu, Red Hat, Debian, SUSE) should have released updated kernel packages; contact your vendor for specific patch versions and timeline.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy