Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_counter: serialize reset with spinlock

Add a global static spinlock to serialize counter fetch+reset
operations, preventing concurrent dump-and-reset from underrunning
values.

The lock is taken before fetching the total so that two parallel
resets cannot both read the same counter values and then both
subtract them.

A global lock is used for simplicity since resets are infrequent.
If this becomes a bottleneck, it can be replaced with a per-net
lock later.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a race condition in the netfilter nft_counter subsystem where concurrent dump and reset operations were performed without proper synchronization. The missing serialization caused different threads to read the same counter values and subtract them twice, resulting in counters being under‑reported. This can produce inaccurate packet accounting for firewall rules and potentially hide malicious traffic or affect traffic‑shaping decisions.

Affected Systems

The affected product is the Linux kernel across all distributions and releases that include the netfilter nft_counter code path. Any system running a kernel build prior to the patch that performs concurrent counter operations is vulnerable. The fix is available in kernel versions that incorporate the patch adding a global static spinlock around fetch+reset operations.

Risk and Exploitability

Explicit metrics such as CVSS or EPSS are not provided for this CVE. The issue is a local kernel race condition that does not directly enable remote code execution or privilege escalation, but it does corrupt internal counter state. Because it is confined to the kernel, exploitation requires local access and kernel knowledge, and it is not listed in CISA’s KEV catalog. The risk level is considered low to moderate, with the primary concern being data integrity rather than an attacker‑controlled service disruption.

Generated by OpenCVE AI on May 27, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that contains the nft_counter reset serialization patch
  • Restart networking services or reboot the system to load the updated kernel images
  • If upgrading is not immediately possible, limit or disable use of nft_counter rulesets to prevent concurrent counter operations until the patch is applied

Generated by OpenCVE AI on May 27, 2026 at 15:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_counter: serialize reset with spinlock Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values. The lock is taken before fetching the total so that two parallel resets cannot both read the same counter values and then both subtract them. A global lock is used for simplicity since resets are infrequent. If this becomes a bottleneck, it can be replaced with a per-net lock later.
Title netfilter: nft_counter: serialize reset with spinlock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:07.038Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45897

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:03.977

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45897

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T18:30:26Z

Weaknesses