Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release flowtable after rcu grace period on error

Call synchronize_rcu() after unregistering the hooks from the error path,
since a hook that already refers to this flowtable can already be
registered, exposing this flowtable to the packet path and the nfnetlink_hook
control plane.

This error path is rare; it should only happen by reaching the maximum
number of hooks or by failing to set up hardware offload, so just call
synchronize_rcu().

There is a check for device hooks already used by a different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier so that this error path really becomes
rarely exercised.

Uncovered by KASAN, which reported a use-after-free from the nfnetlink_hook path
when dumping hooks.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption (Use-after-free)
Action: Apply Patch
AI Analysis

Impact

The flaw resides in the Linux kernel's nf_tables component, where a flowtable can be freed before the required RCU grace period has elapsed when an error occurs during hook deregistration. The result is a use-after-free that exposes freed kernel memory to packet processing and to the nfnetlink control-plane paths. An attacker able to trigger this rare error path repeatedly, for example by forcing the maximum hook count or inducing a hardware offload failure, could corrupt kernel memory, crash the system, or potentially execute arbitrary code if they can control the contents of the freed memory.

Affected Systems

All Linux kernel implementations that include the nf_tables module are affected. The vulnerability is not tied to a specific kernel version, so any distributions running an unpatched kernel that contains this code path remain vulnerable until a corrective update is applied.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while an EPSS score below 1% suggests exploitation is unlikely but not impossible. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires precise control of kernel-level operations to trigger the hook-registration error; once triggered, the use-after-free can lead to memory corruption, denial of service, or privilege escalation, making the overall risk high if the attack conditions can be met.

Generated by OpenCVE AI on April 2, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for CVE-2026-23392.
  • If an immediate update is not possible, reduce the number of nf_tables hooks and disable hardware offload features that may cause hook-registration failures, then monitor for related kernel errors.
  • Consider using KASAN-enabled builds or other memory-sanitization tools during testing to confirm the use-after-free has been eliminated.


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 18:45:00 +0000

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-416

Type: CPEs
  Values Removed: (none)
  Values Added:
    cpe:2.3:o:linux:linux_kernel:4.16:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 12:30:00 +0000

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-825

Type: References
  (values not shown)

Type: Metrics
  Values Removed: threat_severity None
  Values Added:   cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                  threat_severity Moderate


Wed, 25 Mar 2026 22:00:00 +0000

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error (full text as given in the Description section above)

Type: Title
  Values Removed: (none)
  Values Added: netfilter: nf_tables: release flowtable after rcu grace period on error

Type: First Time appeared
  Values Removed: (none)
  Values Added: Linux; Linux linux Kernel

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Linux; Linux linux Kernel

Type: References
  (values not shown)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:29.778Z

Reserved: 2026-01-13T15:37:46.011Z

Link: CVE-2026-23392

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-25T11:16:39.873

Modified: 2026-04-24T18:39:15.767

Link: CVE-2026-23392

Redhat

Severity : Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23392 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:22:58Z

Weaknesses