Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: defer hook memory release until rcu readers are done

Yiming Qian reports UaF when concurrent process is dumping hooks via
nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]

Defer release until after concurrent readers have completed.
Published: 2026-04-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free memory corruption (CWE‑416) in the Linux kernel netfilter subsystem
Action: Apply Patch
AI Analysis

Impact

A race condition (CWE‑364) and use‑after‑free bug (CWE‑416) exist in the Linux kernel’s netfilter BPF subsystem. When a process with access to the nfnetlink_hooks interface dumps hooks concurrently, the kernel releases hook memory before RCU readers have finished. This race leads to a use‑after‑free in the hook memory, causing kernel memory corruption that could potentially be leveraged for arbitrary code execution.

Affected Systems

The flaw affects the Linux kernel across all releases that implement the netfilter BPF component and the nfnetlink_hooks interface. No specific kernel versions are listed, so any current kernel may be impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the EPSS score of less than 1% still suggests a low likelihood of exploitation. The vulnerability is not in the CISA KEV catalog. Based on the description, it is inferred that exploitation would require a local user with sufficient privileges to invoke nfnetlink_hooks, making the attack vector local.

Generated by OpenCVE AI on April 28, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system to the latest Linux kernel release that contains the netfilter BPF use‑after‑free fix
  • If an immediate kernel upgrade is not possible, restrict or disable nfnetlink_hooks usage for non‑essential users to limit the exposure of this API
  • Continuously monitor kernel logs for panic messages or KASAN reports indicating a use‑after‑free has occurred

Generated by OpenCVE AI on April 28, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 02 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: defer hook memory release until rcu readers are done Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks: BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 Read of size 8 at addr ffff888003edbf88 by task poc/79 Call Trace: <TASK> nfnl_hook_dump_one.isra.0+0xe71/0x10f0 netlink_dump+0x554/0x12b0 nfnl_hook_get+0x176/0x230 [..] Defer release until after concurrent readers have completed.
Title netfilter: bpf: defer hook memory release until rcu readers are done
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:06:24.597Z

Reserved: 2026-01-13T15:37:46.013Z

Link: CVE-2026-23412

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-04-02T12:16:20.270

Modified: 2026-04-27T14:16:31.043

Link: CVE-2026-23412

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T00:00:00Z

Links: CVE-2026-23412 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T17:00:13Z

Weaknesses