Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_counter: serialize reset with spinlock

Add a global static spinlock to serialize counter fetch+reset
operations, preventing concurrent dump-and-reset from underrunning
values.

The lock is taken before fetching the total so that two parallel
resets cannot both read the same counter values and then both
subtract them.

A global lock is used for simplicity since resets are infrequent.
If this becomes a bottleneck, it can be replaced with a per-net
lock later.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a race condition in the netfilter nft_counter subsystem where simultaneous dump and reset operations occur without proper synchronization. Without serialization, two parallel resets can each read the same counter totals and subtract them twice, causing the counters to fall below the true values. The consequence is misleading firewall accounting, which can hide malicious traffic or lead to incorrect traffic‑shaping decisions, thereby compromising data integrity for network administrators.

Affected Systems

All systems running the Linux kernel that include the netfilter nft_counter code path are affected. Any distribution or release with a kernel build before the patch that allows concurrent counter operations is vulnerable. The fix is implemented in the kernel via a global static spinlock that serializes fetch‑and‑reset calls.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% shows that the likelihood of exploitation is very low. Since the flaw is a kernel‑level race condition, it requires local or kernel‑privileged access and does not provide a pathway to remote code execution or privilege escalation. The vulnerability is not listed in CISA’s KEV catalog, and the primary impact is on the accuracy of firewall counters rather than on system availability.

Generated by OpenCVE AI on May 28, 2026 at 16:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the nft_counter reset serialization patch
  • Reboot or reload networking services to load the updated kernel and activate the spinlock protection
  • If upgrading is not immediately possible, limit or disable use of nft_counter rules that generate concurrent counter operations until the patch is applied

Generated by OpenCVE AI on May 28, 2026 at 16:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-820
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 27 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_counter: serialize reset with spinlock Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values. The lock is taken before fetching the total so that two parallel resets cannot both read the same counter values and then both subtract them. A global lock is used for simplicity since resets are infrequent. If this becomes a bottleneck, it can be replaced with a per-net lock later.
Title netfilter: nft_counter: serialize reset with spinlock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:07.038Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45897

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:03.977

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45897

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45897 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T16:15:04Z

Weaknesses