Skip to main content

Linux EUVDEUVD-2026-18190

| CVE-2026-23412 HIGH
Use After Free (CWE-416)
2026-04-02 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 15:37 vuln.today
cvss_changed
CVSS changed
Apr 24, 2026 - 15:37 NVD
7.8 (HIGH)
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 12:00 euvd
EUVD-2026-18190
Analysis Generated
Apr 02, 2026 - 12:00 vuln.today
CVE Published
Apr 02, 2026 - 11:40 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: defer hook memory release until rcu readers are done

Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 Read of size 8 at addr ffff888003edbf88 by task poc/79 Call Trace: <TASK> nfnl_hook_dump_one.isra.0+0xe71/0x10f0 netlink_dump+0x554/0x12b0 nfnl_hook_get+0x176/0x230 [..]

Defer release until after concurrent readers have completed.

AnalysisAI

Use-after-free in Linux kernel netfilter BPF hook memory management allows local attackers to read sensitive kernel memory via concurrent nfnetlink_hooks dumping operations. The vulnerability arises from premature memory release in hook structures before RCU readers complete their access, enabling information disclosure through netlink interface. No active exploitation confirmed, but the KASAN report demonstrates reliable reproducer availability.

Technical ContextAI

The vulnerability exists in the Linux kernel netfilter subsystem's BPF hook handling code, specifically in the netlink hook dump functionality (nfnl_hook_dump_one). The root cause is a memory synchronization issue where hook memory is freed before RCU (Read-Copy-Update) readers have completed their critical sections. RCU is a kernel synchronization primitive that allows readers to access shared data without locking, but writers must defer memory reclamation until all concurrent readers finish. The netfilter hooks interface (nfnetlink_hooks) permits dumping active hooks via netlink, and when concurrent processes request hook information while another process modifies or removes hooks, the premature free creates a window where dangling pointers can be dereferenced. This is a classic race condition in kernel memory management, specifically a use-after-free (UaF) triggered through the netlink dumping path.

RemediationAI

Apply kernel patch implementing RCU deferral for hook memory release. The fix is available in Linux stable branches via the committed patches listed in references (kernel.org stable/c/d016c216bc75c45128160593a77b864a04dbe7c0 and related commits). Upgrade to patched kernel versions containing these commits across affected stable series (typically 5.10.x, 5.15.x, 5.19.x, 6.x branches depending on distribution). If immediate patching is not possible, disable nfnetlink_hooks interface via kernel module unload (modprobe -r nf_conntrack_hooks) or restrict netlink socket access via SELinux/AppArmor policies to prevent unprivileged processes from triggering concurrent hook dumps. Kernel rebuild from patched source is required if distribution kernels lag behind stable releases.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.10-1 -
(unstable) fixed 6.19.10-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy