CVE-2026-46324 - Vulnerability Details

- netfilter: nf_tables: use list_del_rcu for netlink hooks

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: use list_del_rcu for netlink hooks

nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need
to use list_del_rcu(), this list can be walked by concurrent dumpers.

Add a new helper and use it consistently.

Published: 2026-06-09

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The nf_tables subsystem in the Linux kernel unregistered hooks without using the proper RCU deletion routine, list_del_rcu. When a hook is removed, the list element can still be traversed by concurrent dumpers, allowing the element to be freed while it is being read. This can result in a null pointer dereference or memory corruption that may crash the kernel or cause a kernel panic. The weakness lies in improper synchronization of a shared data structure that is accessed concurrently.

Affected Systems

Any Linux kernel that contains the nf_tables code and has not applied the patch that introduces list_del_rcu in nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks may be vulnerable. No specific version range is listed, so all kernel releases before the application of this fix have the potential to be affected, including distribution builds that have not applied the corresponding update.

Risk and Exploitability

The CVSS score of 7.0 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need local or privileged access to trigger a race between a hook unregistration and a concurrent list traversal. While a remote exploit is not documented, the possibility of kernel instability and potential denial of service makes this a high‑risk problem for affected systems.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f9a43007d3f7ba76d5e7f9421094f00f2ef202f8`	affected	< 0bd93ce4f3c35e845532184331d7917d7e562c80
`f9a43007d3f7ba76d5e7f9421094f00f2ef202f8`	affected	< 0f33e8ad6ac563ae2233dd7f75884e0ee010521d
`f9a43007d3f7ba76d5e7f9421094f00f2ef202f8`	affected	< f3224ee463f8f6f6ced7dcdf6081add4f8128527
`c73955a09408e7374d9abfd0e78ce3de9cda0635`	affected	—
`b09e6ccf0d12f9356e8e3508d3e3dce126298538`	affected	—
`3fac8ce48fa9fd61ee9056d3ed48b2edefca8b82`	affected	—
`9c413a8c8bb49cc16796371805ecb260e885bb2b`	affected	—
`a3940dcf552f2393d1e8f263b386593f98abe829`	affected	—
`86c0154f4c3a56c5db8b9dd09e3ce885382c2c19`	affected	—
`4.19.316`	affected	< 4.20
`5.4.262`	affected	< 5.5
`5.10.198`	affected	< 5.11
`5.15.45`	affected	< 5.16
`5.17.13`	affected	< 5.18
`5.18.2`	affected	< 5.19

Linux

affected

Version	Status	Constraints
`5.19`	affected	—
`0`	unaffected	< 5.19
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1-rc2`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[f9a43007d3f7ba76d5e7f9421094f00f2ef202f8,0bd93ce4f3c35e845532184331d7917d7e562c80)`	affected	code_commit	—
`[f9a43007d3f7ba76d5e7f9421094f00f2ef202f8,0f33e8ad6ac563ae2233dd7f75884e0ee010521d)`	affected	code_commit	—
`[f9a43007d3f7ba76d5e7f9421094f00f2ef202f8,f3224ee463f8f6f6ced7dcdf6081add4f8128527)`	affected	code_commit	—
`c73955a09408e7374d9abfd0e78ce3de9cda0635`	affected	code_commit	—
`b09e6ccf0d12f9356e8e3508d3e3dce126298538`	affected	code_commit	—
`3fac8ce48fa9fd61ee9056d3ed48b2edefca8b82`	affected	code_commit	—
`9c413a8c8bb49cc16796371805ecb260e885bb2b`	affected	code_commit	—
`a3940dcf552f2393d1e8f263b386593f98abe829`	affected	code_commit	—
`86c0154f4c3a56c5db8b9dd09e3ce885382c2c19`	affected	code_commit	—
`[4.19.316,4.20)`	affected	semver	—
`[5.4.262,5.5)`	affected	semver	—
`[5.10.198,5.11)`	affected	semver	—
`[5.15.45,5.16)`	affected	semver	—
`[5.17.13,5.18)`	affected	semver	—
`[5.18.2,5.19)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.19`	affected	semver	—
`[0,5.19)`	unaffected	semver	—
`[6.18.33,6.18.*]`	unaffected	generic	—
`[7.0.10,7.0.*]`	unaffected	generic	—
`[7.1-rc2,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the patch applying list_del_rcu in nf_tables hook unregistration
If an immediate update is not feasible, avoid unloading nf_tables modules or performing hook unregistrations while concurrent dumpers may be active; keeping the hooks registered mitigates the race
Configure system policies to limit which users or processes can trigger module unloads or modify nf_tables hook state, thereby reducing the opportunity for a malicious local user to trigger the race condition

Generated by OpenCVE AI on June 10, 2026 at 02:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0bd93ce4f3c35e845532184331d7917d7e562c80
https://git.kernel.org/stable/c/0f33e8ad6ac563ae2233dd7f75884e0ee010521d
https://git.kernel.org/stable/c/f3224ee463f8f6f6ced7dcdf6081add4f8128527
https://lore.kernel.org/linux-cve-announce/2026060926-CVE-2026-46324-0e90@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46324
https://www.cve.org/CVERecord?id=CVE-2026-46324

History

Wed, 10 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026060926-CVE-2026-46324-0e90@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46324 https://www.cve.org/CVERecord?id=CVE-2026-46324
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Tue, 09 Jun 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-754

Tue, 09 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use list_del_rcu for netlink hooks nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need to use list_del_rcu(), this list can be walked by concurrent dumpers. Add a new helper and use it consistently.
Title		netfilter: nf_tables: use list_del_rcu for netlink hooks
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0bd93ce4f3c35e845532184331d7917d7e562c80 https://git.kernel.org/stable/c/0f33e8ad6ac563ae2233dd7f75884e0ee010521d https://git.kernel.org/stable/c/f3224ee463f8f6f6ced7dcdf6081add4f8128527

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-09T12:11:16.602Z

Updated: 2026-06-09T12:11:16.602Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46324

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T13:16:37.893

Modified: 2026-06-09T13:16:37.893

Link: CVE-2026-46324

Redhat

Severity : Moderate

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46324 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T15:30:07Z

Weaknesses

CWE-754

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object