Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix use-after-free in nf_tables_addchain()

nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.

This creates two use-after-free conditions:

1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.

2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.

Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
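The race the commit message describes, as an added user-space model that is not kernel code: a toy RCU (reader count plus a spin-wait synchronize_rcu()) and two threads, one standing in for nf_tables_dump_chains() and one running the nf_tables_addchain() error path. struct nft_chain, the one-slot table->chains, the semaphores that pin the interleaving and the "FREED" poison are constructed for illustration; the function reports whether the dump observed freed memory, without and with the synchronize_rcu() the fix adds.

```c
/* Added example, not kernel code: user-space model of the nf_tables_addchain()
 * error path with a toy RCU (reader count) so synchronize_rcu() can be shown waiting. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <semaphore.h>
#include <stdbool.h>
#include <string.h>

struct nft_chain { char name[16]; };          /* constructed stand-in for the real struct */
static struct nft_chain chain_mem;            /* the allocation that gets "freed" */
static struct nft_chain *table_chains;        /* one-slot stand-in for table->chains */
static pthread_mutex_t rcu_lk = PTHREAD_MUTEX_INITIALIZER;
static int rcu_readers;                       /* readers inside a read-side section */
static sem_t reader_holds_ptr, reader_may_deref;

static void rcu_read_lock(void)   { pthread_mutex_lock(&rcu_lk); rcu_readers++; pthread_mutex_unlock(&rcu_lk); }
static void rcu_read_unlock(void) { pthread_mutex_lock(&rcu_lk); rcu_readers--; pthread_mutex_unlock(&rcu_lk); }
static void synchronize_rcu(void) {           /* grace period: return once no reader is left */
    for (int n = 1; n; sched_yield()) { pthread_mutex_lock(&rcu_lk); n = rcu_readers; pthread_mutex_unlock(&rcu_lk); }
}
/* nf_tables_chain_destroy() stand-in: poison instead of free(), so a dangling read is observable, not UB */
static void nf_tables_chain_destroy(struct nft_chain *c) { strcpy(c->name, "FREED"); }
/* nf_tables_dump_chains() stand-in: holds the chain pointer under rcu_read_lock().
 * The semaphores pin the interleaving the commit message describes. */
static void *dump_chains(void *out) {
    rcu_read_lock();
    struct nft_chain *c = table_chains;        /* taken while the chain was published */
    sem_post(&reader_holds_ptr);
    sem_wait(&reader_may_deref);
    *(bool *)out = strcmp(c->name, "FREED") == 0; /* true = use-after-free observed */
    rcu_read_unlock();
    return NULL;
}
/* Runs the error path once; returns true if the concurrent dump saw freed memory. */
bool run_addchain_error_path(bool with_synchronize_rcu) {
    bool uaf = false; pthread_t dumper; struct nft_chain *chain = &chain_mem;
    strcpy(chain->name, "input");
    sem_init(&reader_holds_ptr, 0, 0); sem_init(&reader_may_deref, 0, 0);
    table_chains = chain;                      /* nft_chain_add(): published before hooks */
    pthread_create(&dumper, NULL, dump_chains, &uaf);
    sem_wait(&reader_holds_ptr);               /* a dump is already walking the chain */
    table_chains = NULL;                       /* nf_tables_register_hook() failed: nft_chain_del() */
    if (!with_synchronize_rcu) nf_tables_chain_destroy(chain); /* unpatched: freed under the reader */
    sem_post(&reader_may_deref);
    if (with_synchronize_rcu) { synchronize_rcu(); nf_tables_chain_destroy(chain); } /* patched order */
    pthread_join(dumper, NULL);
    sem_destroy(&reader_holds_ptr); sem_destroy(&reader_may_deref);
    return uaf;
}
```

The unpatched branch deliberately frees before letting the dump dereference, which is the worst-case timing the kernel cannot rule out; with the grace period the order of the free no longer matters.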
Published: 2026-03-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash or denial-of-service due to use‑after‑free in nf_tables
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw (CWE‑416) exists in the nf_tables component of the Linux kernel where a chain added to a table can be freed while still being read by RCU code paths, both on the control plane and during packet processing. Based on the description, it is inferred that a local attacker could trigger a kernel crash by causing a chain registration failure while the chain is still being accessed. The vulnerability may lead to denial‑of‑service rather than privilege escalation.

Affected Systems

The flaw affects the Linux kernel broadly; no specific version numbers are listed in the advisory, but all kernel releases that include the legacy nf_tables implementation are potentially vulnerable. Linux kernel users who employ nf_tables for firewall or packet filtering should be aware that any chain configuration could trigger the bug if a registration fails during hook installation.

Risk and Exploitability

The vulnerability’s CVSS score of 7.8 places it in the high‑risk category, and the reported exploitation probability is very low, estimated under 1%. It is not listed in the CISA KEV catalog. The lack of an RCU grace period means any concurrent read activity could trigger a use‑after‑free while the kernel processes control‑plane or packet‑path requests. Attackers with local privileges could exploit the race by creating a chain whose registration fails, causing the kernel to crash. The danger lies primarily in system instability and denial‑of‑service.

Generated by OpenCVE AI on April 16, 2026 at 13:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the RCU synchronization fix for nf_tables_addchain (see the commit links in the advisory).
  • If a kernel upgrade cannot be performed immediately, avoid configuring new nf_tables chains or disable nf_tables functionality until the patch is available.
  • If a system relies on a distribution with managed kernel updates, configure it to apply updates automatically so the RCU synchronization fix is installed as soon as available.

Generated by OpenCVE AI on April 16, 2026 at 13:35 UTC.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:30:00 +0000

Weaknesses
  Values added:   CWE-416
Metrics
  Values removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 00:15:00 +0000

References
  (values not shown)
Metrics
  Values removed: threat_severity None
  Values added:   cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                  threat_severity Important

Wed, 04 Mar 2026 13:45:00 +0000

Wed, 04 Mar 2026 13:15:00 +0000

Description
  Values added:   identical to the Description section above
Title
  Values added:   netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
First Time appeared
  Values added:   Linux; Linux linux Kernel
CPEs
  Values added:   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products
  Values added:   Linux; Linux linux Kernel
References
  (values not shown)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:48.144Z

Reserved: 2026-01-13T15:37:45.988Z

Link: CVE-2026-23231

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-03-04T13:15:58.137

Modified: 2026-04-02T15:16:24.693

Link: CVE-2026-23231

Redhat

Severity: Important

Public Date: 2026-03-04T00:00:00Z

Links: CVE-2026-23231 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses