Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: defer hook memory release until rcu readers are done

Yiming Qian reports UaF when concurrent process is dumping hooks via
nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]

Defer release until after concurrent readers have completed.
Published: 2026-04-02
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free leading to kernel crash
Action: Patch
AI Analysis

Impact

A use-after-free in the Linux kernel's netfilter BPF code occurs when hook memory is released while a concurrent process is still dumping hook information via nfnetlink_hooks. KASAN reports it as a slab-use-after-free: a read of size 8 from freed memory in nfnl_hook_dump_one, reached through netlink_dump from nfnl_hook_get. The bug is a kernel memory-safety error, and the read of freed memory can crash the kernel, so it manifests as a denial-of-service through system reboot or loss of service.

Affected Systems

The vulnerability affects the Linux kernel, specifically the netfilter BPF code path that handles nfnetlink hook dumping. No exact kernel version information is provided in the advisory, so any kernel release that incorporates the affected code before the patch is potentially impacted.

Risk and Exploitability

The CVSS score is not provided, but the EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local: an attacker who can send nfnetlink hook dump requests may trigger the flaw. The risk is primarily a denial-of-service via kernel crash, and no explicit claim of privilege escalation can be made from the available information.

Generated by OpenCVE AI on April 2, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream patch that defers hook memory release until RCU readers finish.
  • Upgrade the Linux kernel to a version containing the fix.
  • If an upgrade is not possible, monitor vendor advisories for a patch release.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate


Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 02 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Title netfilter: bpf: defer hook memory release until rcu readers are done
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T11:40:53.528Z

Reserved: 2026-01-13T15:37:46.013Z

Link: CVE-2026-23412

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-02T12:16:20.270

Modified: 2026-04-02T12:16:20.270

Link: CVE-2026-23412

Red Hat

Severity: Moderate

Public Date: 2026-04-02T00:00:00Z

Links: CVE-2026-23412 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:21:31Z

Weaknesses