Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels

IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.

If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.

Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.
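The reuse path above, modelled in userspace as an added example (this is not the kernel's own xt_IDLETIMER code; the names idletimer_find_by_label(), checkentry_rev1(), checkentry_rev0_vulnerable() and checkentry_rev0_fixed() and the one-flag stand-in for a timer_list are assumptions for illustration). The vulnerable revision 0 path looks up an existing timer by label and calls mod_timer() on it unconditionally; when the label was created by revision 1 with XT_IDLETIMER_ALARM, that timer_list was never set up and the debugobjects-style check fires. The fixed path refuses the reuse with -EINVAL, which is the check the description says the patch adds.

```c
/* Added example, not kernel code: a userspace model of the xt_IDLETIMER
 * label-reuse path described in the CVE text. The helper names and the
 * 'initialized' flag standing in for timer_setup() are assumptions. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define XT_IDLETIMER_ALARM 0x01   /* the rev1 timer_type flag named in the description */
#define MAX_LABEL 28
#define MAX_TIMERS 8

/* Minimal stand-in for a kernel timer_list: the 'initialized' flag plays
 * the role of the debugobjects state that timer_setup() would establish. */
struct timer_list { int initialized; unsigned long expires; };

struct idletimer_tg {
    char label[MAX_LABEL];
    unsigned int timer_type;      /* 0 = classic timer, XT_IDLETIMER_ALARM = alarm timer */
    struct timer_list timer;      /* only set up for classic timers */
    int refcnt;
};

static struct idletimer_tg timers[MAX_TIMERS];
static int ntimers;
static int debugobjects_warnings;   /* counts mod_timer() calls on uninitialized timers */

/* Model of mod_timer(): like CONFIG_DEBUG_OBJECTS_TIMERS, it flags activation
 * of a timer that was never initialized instead of touching garbage memory. */
static int mod_timer(struct timer_list *t, unsigned long expires)
{
    if (!t->initialized) {
        debugobjects_warnings++;
        fprintf(stderr, "ODEBUG: activate not available, object type: timer_list\n");
        return -1;
    }
    t->expires = expires;
    return 0;
}

static struct idletimer_tg *idletimer_find_by_label(const char *label)
{
    for (int i = 0; i < ntimers; i++)
        if (strcmp(timers[i].label, label) == 0)
            return &timers[i];
    return NULL;
}

/* Revision 1 create: the rule chooses the timer type. An ALARM timer leaves
 * timer->timer untouched, exactly the situation the description relies on. */
static int checkentry_rev1(const char *label, unsigned int timer_type)
{
    if (idletimer_find_by_label(label) || ntimers == MAX_TIMERS)
        return -EINVAL;
    struct idletimer_tg *t = &timers[ntimers++];
    strncpy(t->label, label, MAX_LABEL - 1);
    t->label[MAX_LABEL - 1] = '\0';
    t->timer_type = timer_type;
    t->refcnt = 1;
    if (!(timer_type & XT_IDLETIMER_ALARM))
        t->timer.initialized = 1;   /* timer_setup() equivalent */
    return 0;
}

/* Revision 0 create for a label nobody owns yet: always a classic timer. */
static int create_rev0(const char *label, unsigned long timeout)
{
    int rc = checkentry_rev1(label, 0);
    return rc ? rc : mod_timer(&idletimer_find_by_label(label)->timer, timeout);
}

/* Pre-fix revision 0 path: reuse whatever timer carries the label and
 * unconditionally mod_timer() it, even if it is an ALARM timer. */
static int checkentry_rev0_vulnerable(const char *label, unsigned long timeout)
{
    struct idletimer_tg *t = idletimer_find_by_label(label);
    if (t) {
        t->refcnt++;
        return mod_timer(&t->timer, timeout);
    }
    return create_rev0(label, timeout);
}

/* Fixed revision 0 path: refuse to reuse a label owned by an ALARM timer. */
static int checkentry_rev0_fixed(const char *label, unsigned long timeout)
{
    struct idletimer_tg *t = idletimer_find_by_label(label);
    if (t) {
        if (t->timer_type & XT_IDLETIMER_ALARM)
            return -EINVAL;
        t->refcnt++;
        return mod_timer(&t->timer, timeout);
    }
    return create_rev0(label, timeout);
}

static int debugobjects_warning_count(void) { return debugobjects_warnings; }

/* Reset the model so the two scenarios run independently. */
static void reset_model(void)
{
    ntimers = 0;
    debugobjects_warnings = 0;
    memset(timers, 0, sizeof timers);
}

int main(void)
{
    reset_model();
    checkentry_rev1("alarmlabel", XT_IDLETIMER_ALARM);
    printf("vulnerable rev0 reuse -> %d, warnings %d\n",
           checkentry_rev0_vulnerable("alarmlabel", 60), debugobjects_warning_count());
    printf("fixed rev0 reuse -> %d\n", checkentry_rev0_fixed("alarmlabel", 60));
    return 0;
}
```

Running the block prints the vulnerable path returning -1 after one ODEBUG-style warning and the fixed path returning -EINVAL without ever touching the timer; reuse of a label created by revision 0 keeps working in both versions.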
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Kernel Panic)
Action: Patch
AI Analysis

Impact

The Linux kernel's netfilter IDLETIMER extension can reuse timer objects across rule revisions, and when a revision 0 rule is added for a label that was previously registered as an ALARM timer, the kernel calls mod_timer on an uninitialized timer structure. The resulting use of an uninitialized timer_list triggers debugobjects warnings and can crash the kernel if panic_on_warn is enabled, causing a denial of service. The weakness corresponds to CWE-908, Use of Uninitialized Resource.

Affected Systems

The vulnerability affects the Linux kernel’s netfilter subsystem, specifically the xt_IDLETIMER module, and impacts all distributions that ship the affected kernel code. No specific kernel versions are listed, so users of any kernel build without the patch are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The attack vector is local, requiring a privileged user able to insert firewall rules that trigger the bug. Since the issue results in a kernel panic, successful exploitation would lead to system downtime. The vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been documented.

Generated by OpenCVE AI on April 2, 2026 at 16:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch correcting the IDLETIMER timer reuse behavior.
  • Verify the running kernel version with `uname -r` and compare against the commit that introduced the fix.
  • If immediate patching is not possible, consider disabling the IDLETIMER feature or restricting rule insertion to prevent the use of revision 0 rules with conflicting labels.
  • Monitor kernel logs for debugobject warnings or panic messages that may indicate an attempt to trigger the flaw.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000
  Metrics (cvssV3_1)
    Removed: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
    Added:   {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 10:45:00 +0000

Sat, 21 Mar 2026 05:30:00 +0000
  Weaknesses: CWE-908
  References
  Metrics
    Removed: threat_severity: None
    Added:   cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
             threat_severity: Moderate

Fri, 20 Mar 2026 14:30:00 +0000
  Weaknesses: CWE-665

Fri, 20 Mar 2026 10:45:00 +0000
  Weaknesses: CWE-665

Fri, 20 Mar 2026 08:30:00 +0000
  Added:
    Description: as given in the Description section above
    Title: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
    First Time appeared: Linux; Linux linux Kernel
    CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Vendors & Products: Linux; Linux linux Kernel
    References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:44:09.830Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23274

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-20T09:16:13.077

Modified: 2026-04-02T15:16:29.783

Link: CVE-2026-23274

Redhat

Severity: Moderate

Public Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23274 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:16Z

Weaknesses