Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: defer hook memory release until rcu readers are done

Yiming Qian reports UaF when concurrent process is dumping hooks via
nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]

Defer release until after concurrent readers have completed.
Published: 2026-04-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free memory corruption in the Linux kernel netfilter subsystem
Action: Apply Patch
AI Analysis

Impact

A use‑after‑free bug exists in the Linux kernel’s netfilter BPF subsystem. When a process with access to the nfnetlink_hooks interface dumps hooks concurrently, the kernel releases hook memory before RCU readers have finished, leading to kernel memory corruption. The crash and memory corruption may provide an attacker an opportunity to execute arbitrary code, though this possibility is inferred rather than explicitly stated in the advisories.

Affected Systems

The flaw affects the Linux kernel across all releases that implement the netfilter BPF component and the nfnetlink_hooks interface. No specific kernel versions are listed, so any current kernel may be impacted.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not in the CISA KEV catalog. Based on the description, it is inferred that exploitation would require a local user with sufficient privileges to invoke nfnetlink_hooks, making the attack vector local.

Generated by OpenCVE AI on April 3, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system to the latest Linux kernel release that contains the netfilter BPF use‑after‑free fix
  • If an immediate kernel upgrade is not possible, restrict or disable nfnetlink_hooks usage for non‑essential users to limit the exposure of this API
  • Continuously monitor kernel logs for panic messages or KASAN reports indicating a use‑after‑free has occurred
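
One way to carry out the log-monitoring action above, as an added example that is not part of the advisory or the kernel project: a parser that extracts KASAN reports from kernel log text and flags use-after-free reports whose stack passes through the hook dump path named in the description. It assumes dmesg-style `[seconds.micros]` prefixes; the function names, the sample log and its timestamps are constructed for illustration.

```python
import re

# Constructed sample: the KASAN lines from the description above, with
# made-up dmesg timestamps, plus one unrelated line.
SAMPLE_LOG = """\
[  101.000001] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  212.345678] BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
[  212.345690] Read of size 8 at addr ffff888003edbf88 by task poc/79
[  212.345701] Call Trace:
[  212.345702]  <TASK>
[  212.345710]  nfnl_hook_dump_one.isra.0+0xe71/0x10f0
[  212.345720]  netlink_dump+0x554/0x12b0
[  212.345730]  nfnl_hook_get+0x176/0x230
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^\??\s*(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Symbols from this advisory's trace; a hit on any of them marks the report.
HOOK_DUMP_SYMS = ("nfnl_hook_dump_one", "nfnl_hook_get")


def parse_kasan_reports(text):
    """Return one dict per KASAN report found in kernel log text."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := HEADER.search(line):
            cur = {"kind": m["kind"], "symbol": m["sym"], "frames": []}
            reports.append(cur)
        elif cur is None or line == "</TASK>":
            cur = None  # outside a report, or the call trace has ended
        elif m := ACCESS.search(line):
            cur.update(op=m["op"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif m := FRAME.match(line):
            cur["frames"].append(m["sym"])
    return reports


def hook_dump_uaf(reports):
    """Keep use-after-free reports whose faulting symbol or stack is the hook dump path."""
    return [r for r in reports if "use-after-free" in r["kind"]
            and any(s.startswith(HOOK_DUMP_SYMS) for s in [r["symbol"], *r["frames"]])]


if __name__ == "__main__":
    for r in hook_dump_uaf(parse_kasan_reports(SAMPLE_LOG)):
        print(f"ALERT {r['kind']} in {r['symbol']} task={r['task']} pid={r['pid']}")
```

KASAN reports only appear on kernels built with KASAN enabled, so on production kernels this check complements, rather than replaces, watching for oopses and panics in the same code path.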


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 02 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: defer hook memory release until rcu readers are done Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks: BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 Read of size 8 at addr ffff888003edbf88 by task poc/79 Call Trace: <TASK> nfnl_hook_dump_one.isra.0+0xe71/0x10f0 netlink_dump+0x554/0x12b0 nfnl_hook_get+0x176/0x230 [..] Defer release until after concurrent readers have completed.
Title netfilter: bpf: defer hook memory release until rcu readers are done
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:55.700Z

Reserved: 2026-01-13T15:37:46.013Z

Link: CVE-2026-23412

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-02T12:16:20.270

Modified: 2026-04-24T15:23:00.193

Link: CVE-2026-23412

Redhat

Severity : Moderate

Public Date: 2026-04-02T00:00:00Z

Links: CVE-2026-23412 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:17:18Z

Weaknesses