Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local CAP_NET_ADMIN needed (PR:L, AV:L); reliably winning the destroy-versus-dequeue race raises AC:H; kernel-memory UAF supports C/I/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_tunnel: fix use-after-free on object destroy
nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory.
Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.
AnalysisAI
Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access on the host and the ability to configure netfilter nf_tables, i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a genuine but not urgent local-kernel issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker holding CAP_NET_ADMIN (for instance a user inside a network namespace or container) creates an nftables tunnel object and arranges traffic so packets take a dst_hold() reference and are buffered in a netem qdisc, then destroys the tunnel object to free the metadata_dst while those references remain. When the queued packets are dequeued, dst_release() operates on freed kernel memory; with heap grooming this use-after-free can be shaped toward kernel memory corruption and privilege escalation, or at minimum a kernel crash (DoS). … |
| Remediation | Upgrade to a Linux kernel that includes the fix replacing metadata_dst_free() with dst_release(): vendor-released patched versions are 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and mainline 7.1 - apply the build matching your stable branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running affected Linux kernel versions with nf_tables tunnel module enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39303
GHSA-j962-fx34-5263