Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unconditionally bump set->nelems before insertion

In case the set is full, a new element gets published and then removed
without waiting for the RCU grace period, while an RCU reader can already
be walking over it.

To address this issue, add the element transaction even if the set is full,
but toggle the set_full flag to report -ENFILE so the abort path safely
unwinds the set to its previous state.

As for element updates, decrement set->nelems to restore it.

A simpler fix is to call synchronize_rcu() in the error path.
However, with a large batch adding elements to an already maxed-out set,
this could cause a noticeable slowdown of such batches.
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel nf_tables subsystem, a race condition occurs when a set reaches its maximum capacity. When an element is added to an already full set, the new element is published and then immediately removed without waiting for the RCU grace period. A concurrent RCU reader that is walking the set may still be referencing the removed element, so it can dereference freed memory and corrupt kernel data. This flaw can lead to a kernel crash, system instability, or facilitate further attacks if the memory corruption is leveraged.

Affected Systems

All Linux kernel releases that include the nf_tables module prior to the patch commit are potentially vulnerable. The available CPE data shows affected kernels in the 4.10 series and the 7.0 release candidates. Any kernel version that ships with a full nf_tables configuration without the bug fix is at risk.

Risk and Exploitability

The CVSS base score of 7.8 classifies this issue as high severity, while the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not listed in CISA's KEV catalog, implying that no publicly known exploits have been reported. The likely attack vector is a local attacker or a compromised application that can insert entries into an nf_tables set, possibly through privileged system commands or scripts. While the CVE description does not explicitly state the attacker context, a local or elevated process would be required to trigger the race condition.

Generated by OpenCVE AI on May 26, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the nf_tables set-counter bug fix
  • Reduce the maximum nf_tables set size or keep usage below capacity to avoid triggering the full-set condition
  • If nf_tables functionality is not required, temporarily disable the nf_tables kernel module until the kernel patch is applied

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:4.10:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.10:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.10:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.10:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*

Sat, 23 May 2026 11:45:00 +0000


Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 20 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 20 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 20 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description (full CVE description as shown at the top of this page)
Title netfilter: nf_tables: unconditionally bump set->nelems before insertion
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:04:26.049Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23272

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-03-20T09:16:12.700

Modified: 2026-05-23T12:17:01.687

Link: CVE-2026-23272

Red Hat

Severity: Moderate

Public Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23272 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-26T16:15:09Z

Weaknesses