Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unconditionally bump set->nelems before insertion

In case the set is full, a new element gets published then removed
without waiting for the RCU grace period, while an RCU reader can be
walking over it already.

To address this issue, add the element transaction even if the set is full,
but toggle the set_full flag to report -ENFILE so the abort path safely
unwinds the set to its previous state.

As for element updates, decrement set->nelems to restore it.

A simpler fix is to call synchronize_rcu() in the error path.
However, with a large batch adding elements to an already maxed-out set,
this could cause a noticeable slowdown of such batches.
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises in the Linux kernel's netfilter nf_tables component when a set has reached its maximum capacity. Before the fix, a new element inserted into a full set was published and then removed without waiting for the RCU grace period, so an RCU reader could still be walking over the element as it was torn down. This race can lead to stale data being accessed, potentially corrupting kernel memory or causing a crash. The weakness is classified as a race condition (CWE-367). An adversary could exploit it to destabilize the kernel, causing a denial of service or, in the worst case, enabling privilege escalation through the resulting memory corruption.

Affected Systems

All Linux kernel releases that include the nf_tables subsystem are potentially affected. Because the advisory does not list specific kernel version numbers, any system running a kernel that predates the fixing commit should be treated as at risk. The issue applies to standard Linux distributions as well as custom kernel builds.

Risk and Exploitability

With a CVSS base score of 7.8 the vulnerability is rated high. The EPSS score is below 1%, indicating a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. An attacker could theoretically trigger the bug by inserting elements into a full nf_tables set; the CVSS vector (AV:L, PR:L) indicates that local access with low privileges is required. Prompt mitigation lowers the risk considerably.

Generated by OpenCVE AI on April 2, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the nf_tables fix
  • Verify the kernel commit that resolves the set->nelems increment bug has been merged
  • If a kernel upgrade cannot be performed immediately, configure nftables to keep set sizes well below capacity to avoid the full‑set condition
  • As a temporary measure, disable nf_tables until a kernel update is applied

Generated by OpenCVE AI on April 2, 2026 at 16:46 UTC.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000
  Metrics
    Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
    Values Added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 21 Mar 2026 05:30:00 +0000
  Weaknesses
    Values Added:   CWE-367
  References
    Values Added:   (none listed)
  Metrics
    Values Removed: threat_severity None
    Values Added:   cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Moderate

Fri, 20 Mar 2026 14:30:00 +0000
  Weaknesses: CWE-362, CWE-416

Fri, 20 Mar 2026 10:45:00 +0000
  Weaknesses: CWE-362, CWE-416

Fri, 20 Mar 2026 08:30:00 +0000
  Values Added
    Description:         (the commit message reproduced in the Description section above)
    Title:               netfilter: nf_tables: unconditionally bump set->nelems before insertion
    First Time appeared: Linux; Linux linux Kernel
    CPEs:                cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Vendors & Products:  Linux; Linux linux Kernel
    References:          (none listed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:44:07.723Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23272

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-20T09:16:12.700

Modified: 2026-04-02T15:16:28.417

Link: CVE-2026-23272

Redhat

Severity : Moderate

Public Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23272 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:18Z

Weaknesses