CVE-2026-23399 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

nf_tables: nft_dynset: fix possible stateful expression memleak in error path

If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.

unreferenced object (percpu) 0x607b97e9cab8 (size 16):
comm "softirq", pid 0, jiffies 4294931867
hex dump (first 16 bytes on cpu 3):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
backtrace (crc 0):
pcpu_alloc_noprof+0x453/0xd80
nft_counter_clone+0x9c/0x190 [nf_tables]
nft_expr_clone+0x8f/0x1b0 [nf_tables]
nft_dynset_new+0x2cb/0x5f0 [nf_tables]
nft_rhash_update+0x236/0x11c0 [nf_tables]
nft_dynset_eval+0x11f/0x670 [nf_tables]
nft_do_chain+0x253/0x1700 [nf_tables]
nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
nf_hook_slow+0xaa/0x1e0
ip_local_deliver+0x209/0x330

Published: 2026-03-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a memory leak in the Linux kernel’s nftables nft_dynset module. When cloning a second stateful expression fails, the first remains allocated and is never freed, creating an unreferenced per‑CPU object. If an attacker can repeatedly trigger this error path, the unreleased objects accumulate, exhausting kernel RAM and potentially destabilising the system, leading to denial of service.

Affected Systems

All Linux kernel releases that include the vulnerable nftables nft_dynset code before the patch are affected. The specific product is the Linux kernel’s nftables subsystem; no particular vendor version was specified in the advisory.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through manipulated nftables rules or crafted network traffic that forces the clone operation to fail, a scenario that is inferred from the error path described; this inference requires privileged or local control of nftables. As a result, exploitation would most readily occur from a local attacker with sufficient privileges, while remote exploitation is unlikely without additional privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`563125a73ac30d7036ae69ca35c40500562c1de4`	affected	< d1354873cbe3b344899c4311ac05897fd83e3f21
`563125a73ac30d7036ae69ca35c40500562c1de4`	affected	< 31641c682db73353e4647e40735c7f2a75ff58ef
`563125a73ac30d7036ae69ca35c40500562c1de4`	affected	< c88a9fd26cee365bec932196f76175772a941cca
`563125a73ac30d7036ae69ca35c40500562c1de4`	affected	< 0548a13b5a145b16e4da0628b5936baf35f51b43

Linux

affected

Version	Status	Constraints
`5.11`	affected	—
`0`	unaffected	< 5.11
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that incorporates commit 0548a13b5a145b16e4da0628b5936baf35f51b43, which addresses the nft_dynset memory leak.
Confirm the running kernel includes the fix by checking the build ID or commit hash.
If an upgrade is not immediately possible, avoid using nftables stateful expressions that rely on nft_dynset until the patch is applied.
Continuously review vendor security bulletins for updates or related advisories.

Generated by OpenCVE AI on March 29, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0548a13b5a145b16e4da0628b5936baf35f51b43
https://git.kernel.org/stable/c/31641c682db73353e4647e40735c7f2a75ff58ef
https://git.kernel.org/stable/c/c88a9fd26cee365bec932196f76175772a941cca
https://git.kernel.org/stable/c/d1354873cbe3b344899c4311ac05897fd83e3f21
https://lore.kernel.org/linux-cve-announce/2026032820-CVE-2026-23399-60d0@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23399
https://www.cve.org/CVERecord?id=CVE-2026-23399

History

Sun, 29 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026032820-CVE-2026-23399-60d0@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23399 https://www.cve.org/CVERecord?id=CVE-2026-23399
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Sat, 28 Mar 2026 07:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nf_tables: nft_dynset: fix possible stateful expression memleak in error path If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place without being released. unreferenced object (percpu) 0x607b97e9cab8 (size 16): comm "softirq", pid 0, jiffies 4294931867 hex dump (first 16 bytes on cpu 3): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace (crc 0): pcpu_alloc_noprof+0x453/0xd80 nft_counter_clone+0x9c/0x190 [nf_tables] nft_expr_clone+0x8f/0x1b0 [nf_tables] nft_dynset_new+0x2cb/0x5f0 [nf_tables] nft_rhash_update+0x236/0x11c0 [nf_tables] nft_dynset_eval+0x11f/0x670 [nf_tables] nft_do_chain+0x253/0x1700 [nf_tables] nft_do_chain_ipv4+0x18d/0x270 [nf_tables] nf_hook_slow+0xaa/0x1e0 ip_local_deliver+0x209/0x330
Title		nf_tables: nft_dynset: fix possible stateful expression memleak in error path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0548a13b5a145b16e4da0628b5936baf35f51b43 https://git.kernel.org/stable/c/31641c682db73353e4647e40735c7f2a75ff58ef https://git.kernel.org/stable/c/c88a9fd26cee365bec932196f76175772a941cca https://git.kernel.org/stable/c/d1354873cbe3b344899c4311ac05897fd83e3f21

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-28T07:16:09.888Z

Updated: 2026-03-28T07:16:09.888Z

Reserved: 2026-01-13T15:37:46.012Z

Link: CVE-2026-23399

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-28T08:15:56.720

Modified: 2026-03-28T08:15:56.720

Link: CVE-2026-23399

Redhat

Severity : Low

Publid Date: 2026-03-28T00:00:00Z

Links: CVE-2026-23399 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-29T20:32:40Z

Weaknesses

CWE-772

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object