Skip to main content

Linux EUVDEUVD-2026-15323

| CVE-2026-23351 HIGH
Use After Free (CWE-416)
2026-03-25 Linux GHSA-42q3-4jmh-pwqx
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:35 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15323
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: split gc into unlink and reclaim phase

Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service).

We must split GC in an unlink and a reclaim phase.

We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure.

call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version.

This a similar approach as done recently for the rbtree backend in commit 35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").

AnalysisAI

Use-after-free in Linux kernel's netfilter nft_set_pipapo enables local privilege escalation to kernel-level access (confidentiality/integrity/availability compromise). Affects Linux kernel 5.6+ through multiple stable branches (6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x). Vendor patches available across all affected kernel series. EPSS score of 0.03% (9th percentile) indicates low automated exploitation likelihood, consistent with local-access requirement and lack of public exploit code at time of analysis.

Technical ContextAI

The vulnerability exists in Linux kernel's netfilter subsystem, specifically in the nft_set_pipapo implementation used for packet filtering set operations. The pipapo set type implements a trie-based algorithm for efficient IP address matching in netfilter rulesets. The flaw stems from improper garbage collection (GC) handling where expired elements are freed while still accessible to concurrent readers. During commit-time GC with numerous expired elements, the single-phase collection approach runs non-preemptibly for extended periods, creating a race window. Packet path lookups and netlink dump operations can reference elements queued for RCU-deferred freeing before the commit phase completes pointer swapping between clone and live data structures. This violates RCU read-side guarantees and creates use-after-free conditions. The fix implements a two-phase GC approach (unlink then reclaim) similar to the nft_set_rbtree hardening in commit 35f83a75529a, ensuring elements are unreachable before memory reclamation begins. Multiple stable kernel branches received backported fixes targeting the 3c4287f62044 introduction point in version 5.6.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.167+ for 6.1.x series, 6.6.130+ for 6.6.x series, 6.12.77+ for 6.12.x series, 6.18.17+ for 6.18.x series, 6.19.7+ for 6.19.x series, or 7.0-rc3+ for mainline development kernels. Patches available from kernel.org stable tree at references https://git.kernel.org/stable/c/c12d570d71920903a1a0468b7d13b085203d0c93 (and additional commits listed). Debian users should apply distribution-provided kernel updates addressing CVE-2026-23351 once released through apt security channels. For systems unable to immediately patch, temporary risk reduction can be achieved by avoiding nftables configurations that utilize pipapo set types, though this significantly degrades firewall capability for IP address matching-migrate rules to alternative set implementations like hash or rbtree types if performance permits. On multi-tenant systems, restrict access to nftables configuration interfaces (CAP_NET_ADMIN capability) until patching completes, noting this is standard hardening rather than specific mitigation. No userspace workarounds eliminate the kernel-level race condition; kernel upgrade is the only complete remediation.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy