Skip to main content

Linux Kernel EUVDEUVD-2026-38856

| CVE-2026-52988 HIGH
2026-06-24 Linux GHSA-g3ch-wcx8-mmq7
7.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.3 MEDIUM

Local privileged ruleset access (PR:L, AV:L) and a narrow RCU/commit race window (AC:H); RCU UAF yields kernel memory disclosure (C:H) and crash (A:H), no integrity impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:43 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
HIGH 7.1
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase

Publish new hooks in the list into the basechain/flowtable using splice_list_rcu() to ensure netlink dump list traversal via rcu is safe while concurrent ruleset update is going on.

AnalysisAI

Kernel-memory disclosure and denial of service in the Linux kernel's netfilter nf_tables subsystem arises from unsafe RCU list traversal: a netlink dump can walk a basechain/flowtable hook list concurrently with a ruleset update, racing on partially-published hooks. The fix publishes new hooks via splice_list_rcu() during the commit phase so RCU readers see a consistent list. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local CAP_NET_ADMIN (e.g. user namespace)
Delivery
Issue concurrent nf_tables commit adding hooks
Exploit
Race netlink dump against RCU list update
Execution
Read freed/inconsistent kernel memory
Impact
Leak kernel data or crash kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires local access and the ability to perform nf_tables ruleset updates, which needs CAP_NET_ADMIN in the relevant network namespace - obtainable by unprivileged users only where unprivileged user namespaces are enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a moderate, locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user who can manipulate an nf_tables ruleset (for example via CAP_NET_ADMIN inside an unprivileged user namespace) repeatedly issues ruleset commits that add hooks while simultaneously running netlink dump requests on the same basechain or flowtable. By winning the race window, the dump traverses an inconsistent hook list and reads freed kernel memory, leaking kernel data or triggering a use-after-free crash. …
Remediation Apply the upstream stable fix that introduces splice_list_rcu() for hook publication in the nf_tables commit phase; per EUVD the corrected code ships in the 7.0.10 and 7.1 stable series, so update to a kernel build that includes commits 1346be9379639c30877083b12747d4eacb83c24f and a6134e62dba2ea4f760b29d5226907f447c92400 (Upstream fix available via stable-tree commits; map to your distribution's patched package). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Linux systems using netfilter nf_tables for firewall or packet filtering functions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy