Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nat: use kfree_rcu to release ops

Florian Westphal says:

"Historically this is not an issue, even for normal base hooks: the data
path doesn't use the original nf_hook_ops that are used to register the
callbacks.

However, in v5.14 I added the ability to dump the active netfilter
hooks from userspace.

This code will peek back into the nf_hook_ops that are available
at the tail of the pointer-array blob used by the datapath.

The nat hooks are special, because they are called indirectly from
the central nat dispatcher hook. They are currently invisible to
the nfnl hook dump subsystem though.

But once that changes the nat ops structures have to be deferred too."

Update nf_nat_register_fn() to deal with partial exposition of the hooks
from error path which can be also an issue for nfnetlink_hook.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the Netfilter NAT subsystem of the Linux kernel. When NAT hook structures are freed with kfree_rcu, the nfnetlink hook dump subsystem may still reference the memory, leading to a dangling pointer that can corrupt kernel memory or trigger a crash. The official narrative does not indicate arbitrary code execution or privilege escalation, so the impact is primarily limited to memory corruption and potential denial of service.

Affected Systems

All Linux kernel releases incorporating the Netfilter NAT hook subsystem prior to the nf_nat_register_fn patch are affected. The issue first materialized in kernel version 5.14 when userspace hook dumping was added, and any distribution shipping an unpatched kernel in that range remains vulnerable until the fix is applied. The vulnerable code path is present in the general Linux kernel tree.

Risk and Exploitability

The CVSS score of 7.8 reflects moderate severity, while the EPSS score of < 1% indicates a very low likelihood of active exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, requiring an actor to invoke the nfnetlink hook dump interface; there is no documented remote exposure. Exploitation would exploit the dangling reference for memory corruption, potentially in a privileged context if the attacker gains elevated Linux rights, but no direct privilege escalation paths are evident in the description.

Generated by OpenCVE AI on June 28, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel release that includes the nf_nat_register_fn patch, which removes the use‑after‑free in the Netfilter NAT subsystem.
  • If a kernel upgrade cannot occur immediately, disable the nfnetlink hook dump interface or configure the kernel to hide NAT hook exposure, thereby preventing dangling references from being exported to userspace; this aligns with CWE‑763 mitigation by avoiding improper sharing of resources.
  • Enable kernel hardening options such as CONFIG_RCU, KASLR, or other sandboxing features, and monitor system logs for hang or oops events that may indicate exploitation attempts.

Generated by OpenCVE AI on June 28, 2026 at 13:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nat: use kfree_rcu to release ops Florian Westphal says: "Historically this is not an issue, even for normal base hooks: the data path doesn't use the original nf_hook_ops that are used to register the callbacks. However, in v5.14 I added the ability to dump the active netfilter hooks from userspace. This code will peek back into the nf_hook_ops that are available at the tail of the pointer-array blob used by the datapath. The nat hooks are special, because they are called indirectly from the central nat dispatcher hook. They are currently invisible to the nfnl hook dump subsystem though. But once that changes the nat ops structures have to be deferred too." Update nf_nat_register_fn() to deal with partial exposition of the hooks from error path which can be also an issue for nfnetlink_hook.
Title netfilter: nat: use kfree_rcu to release ops
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:45:26.615Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-53000

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53000 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-763

    Release of Invalid Pointer or Reference