Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only UAF (AV:L) needing CAP_NET_ADMIN (PR:L) and a timing race against the hook dump (AC:H); kernel memory corruption yields high C/I/A.
Primary rating from Vendor (Linux).
CVSS Vector (Vendor: Linux)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nat: use kfree_rcu to release ops
Florian Westphal says:
"Historically this is not an issue, even for normal base hooks: the data path doesn't use the original nf_hook_ops that are used to register the callbacks.
However, in v5.14 I added the ability to dump the active netfilter hooks from userspace.
This code will peek back into the nf_hook_ops that are available at the tail of the pointer-array blob used by the datapath.
The nat hooks are special, because they are called indirectly from the central nat dispatcher hook. They are currently invisible to the nfnl hook dump subsystem though.
But once that changes the nat ops structures have to be deferred too."
Update nf_nat_register_fn() to deal with partial exposition of the hooks from error path which can be also an issue for nfnetlink_hook.
Analysis (AI)
Local privilege escalation / memory corruption in the Linux kernel's netfilter NAT subsystem (introduced in v5.14) arises because nf_nat_register_fn() freed nf_hook_ops structures immediately rather than deferring the release via RCU. Because the v5.14-era nfnetlink_hook feature lets userspace dump active netfilter hooks by peeking into the ops blob, a concurrent dump racing the NAT (un)register error path can access ops memory after it is freed. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires local access with the ability to register netfilter NAT hooks (CAP_NET_ADMIN, which an unprivileged user may obtain within an unprivileged user/network namespace if enabled), and a kernel at or after v5.14 where the nfnetlink hook-dump interface exists. … |
| Risk Assessment | Signals are mixed and lean toward lower real-world urgency than the 7.8 score alone implies. … |
| Exploit Scenario | A local low-privileged user with CAP_NET_ADMIN (potentially obtained inside an unprivileged user+network namespace) repeatedly registers and unregisters NAT hooks to force the error path while a second thread continuously dumps active netfilter hooks via nfnetlink. By winning the race, the attacker causes the kernel to read NAT nf_hook_ops memory after it has been freed, potentially leaking kernel data or corrupting memory for further escalation. … |
| Remediation | Vendor-released patch: upgrade to Linux kernel 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent), which change nf_nat_register_fn() to release ops via kfree_rcu() and correctly handle partial hook exposition on the error path. … |
Recommended Action (AI)
Within 24 hours: Identify and document all Linux systems running kernel versions 5.14 and later in your environment. …
Same weakness: CWE-763 – Release of Invalid Pointer or Reference
Same technique: Information Disclosure
EUVD-2026-38868
GHSA-6794-4vqv-w8qg