CVE-2026-23274 - Vulnerability Details

- netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels

IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.

If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.

Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.

Published: 2026-03-20

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s netfilter IDLETIMER module can inadvertently reuse timer objects between rule revisions. When a revision 0 rule is added for a timer label that was previously established by revision 1 with the XT_IDLETIMER_ALARM flag, the code calls mod_timer on an uninitialized timer structure. This misuse can trigger debugobject warnings and, if panic_on_warn is enabled, lead to a kernel panic, effectively denying service to the system. The flaw is a misuse of an uninitialized resource, as cataloged by CWE‑908.

Affected Systems

The vulnerability is present in any Linux distribution shipping the kernel code that implements the xt_IDLETIMER module without the applied fix. No specific kernel version is listed in the advisory, thus all builds that use the affected kernel source remain potentially vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score of 7.8 signals high severity, but the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The probable attack vector is local; an attacker with root or the ability to manipulate netfilter rules could trigger the failure. Because the bug causes a kernel panic, successful exploitation translates into a denial of service, but it does not compromise data confidentiality or integrity. The vulnerability is not identified in the CISA KEV catalog, suggesting no publicly known exploits exist at this time.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`68983a354a655c35d3fb204489d383a2a051fda7`	affected	< 32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44
`68983a354a655c35d3fb204489d383a2a051fda7`	affected	< 144f88054ba0180467356f40895bd660b5dceeec
`68983a354a655c35d3fb204489d383a2a051fda7`	affected	< 28c7cfaf0c0ab17cbd7754092116fd1af45271f9
`68983a354a655c35d3fb204489d383a2a051fda7`	affected	< 54080355999381fed4a26129579a5765bab87491
`68983a354a655c35d3fb204489d383a2a051fda7`	affected	< 5e7ece24c5cb75a60402aad4d803c7898ea40aa9
`68983a354a655c35d3fb204489d383a2a051fda7`	affected	< f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1
`68983a354a655c35d3fb204489d383a2a051fda7`	affected	< f228b9ae2a7e84d1153616d8e71c4236cb1f1309
`68983a354a655c35d3fb204489d383a2a051fda7`	affected	< 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf

Linux

affected

Version	Status	Constraints
`5.7`	affected	—
`0`	unaffected	< 5.7
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[68983a354a655c35d3fb204489d383a2a051fda7,f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1)`	affected	code_commit	—
`[68983a354a655c35d3fb204489d383a2a051fda7,f228b9ae2a7e84d1153616d8e71c4236cb1f1309)`	affected	code_commit	—
`[68983a354a655c35d3fb204489d383a2a051fda7,329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.7`	affected	semver	—
`[0,5.7)`	unaffected	generic	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0-rc4,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel version that includes the IDLETIMER fix that rejects revision 0 rules for ALARM timers.
If an upgraded kernel cannot be installed immediately, disable the IDLETIMER functionality in netfilter to prevent rule insertion that would trigger the bug.
Continuously monitor kernel logs for debugobject warnings or panic messages that may signal an attempted exploitation of the flaw.

Generated by OpenCVE AI on May 26, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DLA	DLA-4606-1	linux security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update
Ubuntu USN	USN-8277-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8278-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8279-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8289-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8291-1	Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN	USN-8277-2	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-8291-2	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-8296-1	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8279-2	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8291-3	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-8296-2	Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN	USN-8279-3	Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN	USN-8278-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8310-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8374-1	Linux kernel vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec
https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9
https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf
https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44
https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491
https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9
https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309
https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1
https://lore.kernel.org/linux-cve-announce/2026032034-CVE-2026-23274-ba1d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23274
https://www.cve.org/CVERecord?id=CVE-2026-23274

History

Tue, 26 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9 https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491 https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9

Sat, 21 Mar 2026 05:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-908
References		https://lore.kernel.org/linux-cve-announce/2026032034-CVE-2026-23274-ba1d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23274 https://www.cve.org/CVERecord?id=CVE-2026-23274
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 20 Mar 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-665

Fri, 20 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-665

Fri, 20 Mar 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
Title		netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309 https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-20T08:08:54.918Z

Updated: 2026-05-11T22:03:41.745Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23274

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-20T09:16:13.077

Modified: 2026-05-22T18:17:02.433

Link: CVE-2026-23274

Redhat

Severity : Moderate

Publid Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23274 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-26T15:45:08Z

Weaknesses

CWE-908
Use of Uninitialized Resource
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object