Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: split gc into unlink and reclaim phase

Yiming Qian reports Use-after-free in the pipapo set type:
Under a large number of expired elements, commit-time GC can run for a very
long time in a non-preemptible context, triggering soft lockup warnings and
RCU stall reports (local denial of service).

We must split GC in an unlink and a reclaim phase.

We cannot queue elements for freeing until pointers have been swapped.
Expired elements are still exposed to both the packet path and userspace
dumpers via the live copy of the data structure.

call_rcu() does not protect us: dump operations or element lookups starting
after call_rcu has fired can still observe the free'd element, unless the
commit phase has made enough progress to swap the clone and live pointers
before any new reader has picked up the old version.

This is a similar approach as done recently for the rbtree backend in commit
35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Denial of Service
Action: Patch
AI Analysis

Impact

The Linux kernel's nft_set_pipapo set backend (the one nftables selects for interval sets over concatenated keys) had a use-after-free, now tracked as CWE-416; the record was first filed as CWE-825 (expired pointer dereference). The fix description names two problems. First, with a large number of expired elements, the garbage collection run at commit time could take a very long time in a non-preemptible context, producing soft lockup warnings and RCU stall reports. Second, GC queued expired elements for freeing before the live and clone copies of the set had been swapped, so the elements stayed reachable from the live copy by both the packet path and userspace dumpers; call_rcu() only waits for readers that already exist when it is called, so a lookup or dump starting after that point could still reach the element and observe it freed. The stated impact is a local denial of service.
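To make the ordering argument from the fix description concrete, the following is a small user-space C model written for this page; it is not kernel code and not the pipapo implementation. Two arrays stand in for the set's live and clone copies, RCU readers and call_rcu() are modelled with a grace-period counter, and "freeing" an element sets a flag instead of releasing memory. The element layout and the names gc_free_before_swap, gc_unlink_then_reclaim and rcu_run_callbacks are assumptions of the model. Both scenarios start with one expired element present in both copies. In the pre-fix ordering, GC unlinks the element from the clone and queues it with call_rcu() immediately, while the old live copy still points at it, so a lookup that begins after call_rcu() and before the swap still finds the element and then sees it freed. In the fixed ordering the element is unlinked at commit, the copies are swapped, and only then is it queued, so new readers never reach it and the reader that started earlier is covered by the grace period.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-space model (not kernel code) of the pipapo live/clone
 * pair and of RCU grace periods. Single-threaded; the interleaving that
 * matters is written out step by step. */

#define NSLOTS 4
#define NREADERS 8
#define NPENDING 8

struct elem { int key; int expired; int freed; };   /* freed == 1 stands for memory returned to the allocator */
struct match { struct elem *slot[NSLOTS]; };         /* lookup structure holding element pointers */
struct set { struct match *live; struct match *clone; };

/* Toy RCU. A reader records the grace-period counter at which it started.
 * call_rcu_free() stamps the callback with the current counter and then
 * advances it, so readers that begin afterwards are not waited for, as with
 * the real call_rcu(). rcu_run_callbacks() frees every pending element whose
 * stamp has no still-active reader at or below it. */
static int gp_counter;
static int reader_start[NREADERS], reader_active[NREADERS];
static struct elem *pending[NPENDING];
static int pending_gp[NPENDING], npending;

static int reader_begin(void) {
    for (int i = 0; i < NREADERS; i++)
        if (!reader_active[i]) { reader_active[i] = 1; reader_start[i] = gp_counter; return i; }
    return -1;
}
static void reader_end(int id) { reader_active[id] = 0; }

static void call_rcu_free(struct elem *e) {
    pending[npending] = e; pending_gp[npending] = gp_counter; npending++;
    gp_counter++;
}

static void rcu_run_callbacks(void) {
    int kept = 0;
    for (int i = 0; i < npending; i++) {
        int blocked = 0;
        for (int r = 0; r < NREADERS; r++)
            if (reader_active[r] && reader_start[r] <= pending_gp[i]) blocked = 1;
        if (blocked) { pending[kept] = pending[i]; pending_gp[kept] = pending_gp[i]; kept++; }
        else pending[i]->freed = 1;
    }
    npending = kept;
}

/* What the packet path and dumpers do: walk the live copy. */
static struct elem *lookup(struct set *s, int key) {
    for (int i = 0; i < NSLOTS; i++)
        if (s->live->slot[i] && s->live->slot[i]->key == key) return s->live->slot[i];
    return NULL;
}

/* Unlink phase: drop expired elements from a copy and collect them. */
static int unlink_expired(struct match *m, struct elem **out) {
    int n = 0;
    for (int i = 0; i < NSLOTS; i++)
        if (m->slot[i] && m->slot[i]->expired) { out[n++] = m->slot[i]; m->slot[i] = NULL; }
    return n;
}

/* Commit: the clone becomes live (rcu_assign_pointer in the kernel). */
static void commit_swap(struct set *s) { struct match *t = s->live; s->live = s->clone; s->clone = t; }

static struct elem elems[2];
static struct match live_copy, clone_copy;
static struct set the_set;

/* Constructed starting state: key 1 has an elapsed timeout, key 2 is valid. */
static void reset(void) {
    memset(elems, 0, sizeof elems); memset(reader_active, 0, sizeof reader_active);
    npending = 0; gp_counter = 0;
    elems[0].key = 1; elems[0].expired = 1;
    elems[1].key = 2;
    for (int i = 0; i < NSLOTS; i++) live_copy.slot[i] = clone_copy.slot[i] = NULL;
    live_copy.slot[0] = clone_copy.slot[0] = &elems[0];
    live_copy.slot[1] = clone_copy.slot[1] = &elems[1];
    the_set.live = &live_copy; the_set.clone = &clone_copy;
}

/* Pre-fix ordering: unlink from the clone and queue the free at once while
 * the old live copy still points at the element. Returns 1 if a reader that
 * started after call_rcu_free() touched freed memory. */
int gc_free_before_swap(void) {
    struct elem *gone[NSLOTS];
    reset();
    int early = reader_begin();                       /* lookup that began before commit */
    struct elem *seen_early = lookup(&the_set, 1);
    int n = unlink_expired(the_set.clone, gone);
    for (int i = 0; i < n; i++) call_rcu_free(gone[i]);
    reader_end(early);
    int late = reader_begin();                        /* dump starting after call_rcu, before the swap */
    struct elem *seen_late = lookup(&the_set, 1);     /* old live copy still reachable: finds the element */
    rcu_run_callbacks();                              /* grace period ends: only 'early' was waited for */
    int uaf = seen_late && seen_late->freed;
    reader_end(late);
    commit_swap(&the_set);
    return uaf && seen_early != NULL;
}

/* Fixed ordering: unlink at commit, swap, and only then queue the reclaim.
 * Returns 0 when no reader saw freed memory and the element was reclaimed. */
int gc_unlink_then_reclaim(void) {
    struct elem *gone[NSLOTS];
    reset();
    int early = reader_begin();
    struct elem *seen_early = lookup(&the_set, 1);
    int n = unlink_expired(the_set.clone, gone);      /* unlink phase */
    commit_swap(&the_set);                            /* new readers now see the clone */
    for (int i = 0; i < n; i++) call_rcu_free(gone[i]);   /* reclaim phase */
    int late = reader_begin();
    struct elem *seen_late = lookup(&the_set, 1);     /* NULL: the new live copy has no expired element */
    rcu_run_callbacks();                              /* 'early' is still active, so nothing is freed yet */
    if (seen_early->freed) return 1;                 /* would be a UAF for the pre-commit reader */
    reader_end(early);
    rcu_run_callbacks();                              /* grace period complete: reclaimed */
    reader_end(late);
    if (seen_late) return 2;                         /* a post-swap reader must not reach the element */
    return seen_early->freed ? 0 : -1;               /* -1 would mean the element leaked */
}

int main(void) {
    printf("free before swap: uaf=%d\n", gc_free_before_swap());
    printf("unlink then reclaim: result=%d\n", gc_unlink_then_reclaim());
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c -o model && ./model`. The first scenario reports `uaf=1`, the second `result=0`. The point the model isolates is the one the fix description makes: call_rcu() protects readers that exist when it is called, not readers that start later through a live copy that still contains the element, so the only safe time to queue the free is after the swap has taken that copy out of circulation.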

Affected Systems

The flaw is in the core Linux kernel (the netfilter nft_set_pipapo backend) and affects any distribution shipping a kernel without the fix. This page lists only a wildcard CPE (cpe:2.3:o:linux:linux_kernel:*), so no affected version range is given. The fix is the upstream commit named in the description; stable and distribution kernels receive it as a backport, so whether a given kernel has it is determined from the distribution's advisory or package changelog rather than from the version number alone.

Risk and Exploitability

The current CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8) rates the issue as local with low privileges required; Red Hat rates it Moderate with an availability-only vector (5.5). The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so there is no indication of exploitation in the wild. Modifying nftables sets requires CAP_NET_ADMIN, but on a default configuration an unprivileged local user can obtain that capability in a new user and network namespace, so "local, low privilege" is the right reading rather than root or kernel-level access. An attacker would fill a pipapo set with many elements carrying a timeout, let them expire, and trigger a commit so that GC runs; the observable effect is a soft lockup or RCU stall, and the unlink/free ordering described in the fix additionally exposes freed elements to lookups and dumps.

Generated by OpenCVE AI on April 2, 2026 at 17:23 UTC.

Remediation

The upstream fix is the kernel commit named in the description ("netfilter: nft_set_pipapo: split gc into unlink and reclaim phase"). No distribution advisory or workaround is listed on this page yet.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the CVE‑2026‑23351 fix.
  • Verify that your kernel has the patch: compare `uname -r` with the fixed version in your distribution's security advisory, and on distributions that backport fixes check the package changelog for the CVE (for example `rpm -q --changelog kernel | grep CVE-2026-23351` or `apt-get changelog linux-image-$(uname -r) | grep CVE-2026-23351`).
  • If a patch is not yet available, watch kernel logs for `BUG: soft lockup` and `rcu: INFO: ... stall` messages, reduce local attack surface by restricting unprivileged user namespaces where workloads allow it (`user.max_user_namespaces`, or `kernel.unprivileged_userns_clone` on Debian-derived kernels), and avoid large numbers of expiring (timeout) elements in interval sets over concatenated keys, which is where the kernel selects the pipapo backend. Note that pipapo is not enabled or disabled by the administrator directly; it is chosen by the kernel from the set's flags and key type.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Thu, 02 Apr 2026 15:15:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics: threat_severity None (removed); cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} and threat_severity Moderate (added)


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase (full text as in the Description section above)
Title netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:05.366Z

Reserved: 2026-01-13T15:37:45.999Z

Link: CVE-2026-23351

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:33.450

Modified: 2026-04-18T09:16:20.350

Link: CVE-2026-23351

Red Hat

Severity : Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23351 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:04Z

Weaknesses