Impact
In the Linux kernel, a recent change removed the commit_mutex lock from the nf_tables reset path, leaving commit_mutex, nfnl_subsys_ipset and nlk_cb_mutex with no single acquisition order shared by every path that takes them. When nft reset, an ipset list operation and an iptables-nft rule using the '-m set' match run at the same time, each of the three tasks can end up holding one of the locks while waiting for the next, and none of them can make progress. These are control-plane mutexes taken while netlink configuration requests are being handled, not locks on the packet path, so the effect is loss of control over the firewall rather than an immediate outage of traffic filtering: the deadlocked nft, ipset or iptables processes hang in uninterruptible sleep and cannot be killed, every later netfilter configuration command blocks behind them, and the ruleset can no longer be inspected or changed. A kernel built with CONFIG_PROVE_LOCKING (lockdep) reports a cycle of this kind as a "possible circular locking dependency" the first time the conflicting orders are observed, even on a run in which no hang actually occurs.
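To make the cycle concrete, the following is an added example and not kernel code or code from the advisory: a minimal lock-order checker that works the way lockdep does, recording "took B while holding A" edges in a dependency graph and searching it for a cycle. The three operations and the three lock names come from the advisory; the order in which each path is assumed to acquire its locks (ipt: commit_mutex then nfnl_subsys_ipset; ipset list: nfnl_subsys_ipset then nlk_cb_mutex; nft reset: nlk_cb_mutex, optionally nesting commit_mutex) is an assumption for illustration, as are the helper names check_netfilter_paths, replay and find_cycle.

```c
/* Added example, not kernel code: a minimal lock-order checker in the style
 * of lockdep. Taking lock B while holding A records the edge A -> B; a cycle
 * in the resulting graph means some interleaving of the tasks can deadlock,
 * whether or not this particular run did. The per-path orders below are
 * ASSUMED; the advisory names the locks and operations, not the orders. */
#include <stdio.h>
#include <string.h>

enum lock_id { COMMIT_MUTEX, NFNL_SUBSYS_IPSET, NLK_CB_MUTEX, NLOCKS };
static const char *lock_name[NLOCKS] = { "commit_mutex", "nfnl_subsys_ipset", "nlk_cb_mutex" };
static int dep[NLOCKS][NLOCKS]; /* dep[a][b]: b was acquired while a was held */

struct task { enum lock_id held[NLOCKS]; int nheld; };

static void lock_acquire(struct task *t, enum lock_id l)
{
    int i;
    for (i = 0; i < t->nheld; i++)
        dep[t->held[i]][l] = 1; /* every lock already held now precedes l */
    t->held[t->nheld++] = l;
}

/* One task takes the locks in the given order, then releases them all */
static void replay(const enum lock_id *order, int n)
{
    struct task t = { { 0 }, 0 };
    int i;
    for (i = 0; i < n; i++)
        lock_acquire(&t, order[i]);
    t.nheld = 0;
}

/* DFS from cur back to target; returns entries written to path, or 0 */
static int reaches(int cur, int target, int *visited, int *path, int depth)
{
    int next, len;
    visited[cur] = 1;
    path[depth] = cur;
    for (next = 0; next < NLOCKS; next++) {
        if (!dep[cur][next])
            continue;
        if (next == target) {
            path[depth + 1] = next;
            return depth + 2;
        }
        if (!visited[next] && (len = reaches(next, target, visited, path, depth + 1)))
            return len;
    }
    return 0;
}

/* Returns the length of a cycle written to path (at most NLOCKS + 1), or 0 */
static int find_cycle(int *path)
{
    int start;
    for (start = 0; start < NLOCKS; start++) {
        int visited[NLOCKS] = { 0 };
        int len = reaches(start, start, visited, path, 0);
        if (len)
            return len;
    }
    return 0;
}

/* Replay the three concurrent operations named in the advisory.
 * reset_nests_commit_mutex = 1: the nft reset dump callback takes commit_mutex
 * while the netlink dump already holds nlk_cb_mutex; 0: it does not. */
static int check_netfilter_paths(int reset_nests_commit_mutex, int *path)
{
    /* iptables-nft -m set (assumed): ipset looked up during the batch commit */
    static const enum lock_id ipt[] = { COMMIT_MUTEX, NFNL_SUBSYS_IPSET };
    /* ipset list (assumed): netlink dump started under the subsystem mutex */
    static const enum lock_id ipset[] = { NFNL_SUBSYS_IPSET, NLK_CB_MUTEX };
    /* nft reset (assumed): dump callback runs under the socket's cb mutex */
    static const enum lock_id nft_nested[] = { NLK_CB_MUTEX, COMMIT_MUTEX };
    static const enum lock_id nft_plain[] = { NLK_CB_MUTEX };

    memset(dep, 0, sizeof dep);
    replay(ipt, 2);
    replay(ipset, 2);
    if (reset_nests_commit_mutex)
        replay(nft_nested, 2);
    else
        replay(nft_plain, 1);
    return find_cycle(path);
}

int main(void)
{
    int path[NLOCKS + 1], i, len = check_netfilter_paths(1, path);

    printf(len ? "possible circular locking dependency:" : "no cycle");
    for (i = 0; i < len; i++)
        printf("%s %s", i ? " ->" : "", lock_name[path[i]]);
    printf("\n");
    return 0;
}
```

The point the checker makes is the one lockdep makes: the graph is built from lock orders observed in separate, non-overlapping runs, so the cycle is found without ever producing the hang, which is why a lockdep-enabled test kernel exercising nft reset, ipset list and iptables-nft '-m set' is the cheapest way to confirm whether a given build carries this dependency. With the reset path no longer nesting commit_mutex under nlk_cb_mutex, every pair of locks has one consistent order and the search returns no cycle.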
Affected Systems
The vulnerability affects the Linux kernel. It is present in any kernel build that includes the change dropping the commit_mutex lock from the nf_tables reset routine and does not yet carry the corresponding fix. The advisory lists no release numbers, so every current kernel line that has adopted this change should be treated as potentially affected, including distribution kernels that backport netfilter patches under their own version numbers. Only kernels that implement the nft reset operation have the affected path at all. To confirm exposure, identify the running kernel with uname -r, locate the referenced commits in the kernel source tree or in the distribution's changelog for that version, and verify whether the fix is included rather than relying on the upstream version string alone.
Risk and Exploitability
No CVSS or EPSS scores are available, and the vulnerability is not listed in CISA’s KEV catalog. Triggering it requires running nft reset, ipset list and an iptables-nft command using the '-m set' match concurrently. All three are nfnetlink operations that require CAP_NET_ADMIN in the network namespace, so the attacker is normally an administrator already; on systems that allow unprivileged user namespaces, however, an ordinary user holds CAP_NET_ADMIN inside a namespace of their own, so "privileged" should not be read as "root only" when assessing exposure. The outcome is a denial of service against firewall administration rather than against traffic already being filtered: the hung tasks cannot be killed and no further netfilter configuration changes can be made until the system is rebooted. Because the deadlock depends on a particular interleaving of three independent operations, the probability of exploitation is considered low, although a race of this shape needs no precise timing, only repetition: an attacker able to run the commands can loop them until the lock orders collide.
OpenCVE Enrichment