Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local privileged ruleset access (PR:L, AV:L) and a narrow RCU/commit race window (AC:H); RCU UAF yields kernel memory disclosure (C:H) and crash (A:H), no integrity impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase
Publish new hooks in the list into the basechain/flowtable using splice_list_rcu() to ensure netlink dump list traversal via rcu is safe while concurrent ruleset update is going on.
AnalysisAI
Kernel-memory disclosure and denial of service in the Linux kernel's netfilter nf_tables subsystem arises from unsafe RCU list traversal: a netlink dump can walk a basechain/flowtable hook list concurrently with a ruleset update, racing on partially-published hooks. The fix publishes new hooks via splice_list_rcu() during the commit phase so RCU readers see a consistent list. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access and the ability to perform nf_tables ruleset updates, which needs CAP_NET_ADMIN in the relevant network namespace - obtainable by unprivileged users only where unprivileged user namespaces are enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a moderate, locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user who can manipulate an nf_tables ruleset (for example via CAP_NET_ADMIN inside an unprivileged user namespace) repeatedly issues ruleset commits that add hooks while simultaneously running netlink dump requests on the same basechain or flowtable. By winning the race window, the dump traverses an inconsistent hook list and reads freed kernel memory, leaking kernel data or triggering a use-after-free crash. … |
| Remediation | Apply the upstream stable fix that introduces splice_list_rcu() for hook publication in the nf_tables commit phase; per EUVD the corrected code ships in the 7.0.10 and 7.1 stable series, so update to a kernel build that includes commits 1346be9379639c30877083b12747d4eacb83c24f and a6134e62dba2ea4f760b29d5226907f447c92400 (Upstream fix available via stable-tree commits; map to your distribution's patched package). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Linux systems using netfilter nf_tables for firewall or packet filtering functions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38856
GHSA-g3ch-wcx8-mmq7