Skip to main content

Linux Kernel EUVDEUVD-2026-32367

| CVE-2026-45901 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jhvq-4r2h-7c2q
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privileges required to invoke nft/ipset commands; sole impact is availability via kernel deadlock; no confidentiality or integrity loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 16:38 vuln.today
CVSS changed
Jun 24, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: revert commit_mutex usage in reset path

It causes circular lock dependency between commit_mutex, nfnl_subsys_ipset and nlk_cb_mutex when nft reset, ipset list, and iptables-nft with '-m set' rule run at the same time.

Previous patches made it safe to run individual reset handlers concurrently so commit_mutex is no longer required to prevent this.

AnalysisAI

Circular lock dependency in the Linux kernel's netfilter nf_tables subsystem causes kernel deadlock or hang when nft reset, ipset list, and iptables-nft with '-m set' rules execute concurrently, resulting in a local denial of service. The root cause is improper use of commit_mutex in the reset path, which - when interleaved with nfnl_subsys_ipset and nlk_cb_mutex acquisitions - creates a deadlock cycle. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects the low real-world exploitation probability for this class of locking defect.

Technical ContextAI

The Linux kernel netfilter subsystem uses nf_tables as its primary packet classification and filtering framework. Correct kernel locking requires that all lock acquisitions follow a consistent global order to prevent deadlock. In the vulnerable code path, the commit_mutex was introduced into the nft reset handler to prevent concurrent modifications, but this created a circular ordering against nfnl_subsys_ipset (used by ipset list operations) and nlk_cb_mutex (used by netlink callback processing). When three threads simultaneously execute nft reset, ipset list, and an iptables-nft rule referencing the 'set' match module, the cycle forms: thread A holds commit_mutex and waits for nfnl_subsys_ipset; thread B holds nfnl_subsys_ipset and waits for nlk_cb_mutex; thread C holds nlk_cb_mutex and waits for commit_mutex. The fix reverts the commit_mutex usage in the reset path entirely, relying on prior patches that already made individual reset handlers safe for concurrent execution. Affected CPE is cpe:2.3:o:linux:linux_kernel across multiple stable branches. No CWE was formally assigned, but this maps to CWE-667 (Improper Locking) and CWE-833 (Deadlock).

RemediationAI

The primary fix is to update to a patched Linux kernel release. Per EUVD affected version data, patched releases include Linux 6.19.4 and Linux 7.0. The upstream fix commits are available at https://git.kernel.org/stable/c/7f261bb906bf527c4a6e2a646e2d5f3679f2a8bc and https://git.kernel.org/stable/c/ee3978b6a0dcd4215cb7cedcba705a12174786a7 for the respective stable branches. Distributions maintaining their own stable kernels (RHEL, Ubuntu LTS, Debian) should be checked for backported fixes. As a compensating control where patching is not immediately possible, restricting local user access to nftables administration commands (e.g., via capability restrictions on CAP_NET_ADMIN) reduces the attack surface, but note this may affect legitimate network policy management workflows. Alternatively, workloads that do not require concurrent nft reset and ipset operations can schedule these operations sequentially during maintenance windows to avoid the race condition, though this is not a reliable mitigation in shared environments.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy