Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nat: use kfree_rcu to release ops

Florian Westphal says:

"Historically this is not an issue, even for normal base hooks: the data
path doesn't use the original nf_hook_ops that are used to register the
callbacks.

However, in v5.14 I added the ability to dump the active netfilter
hooks from userspace.

This code will peek back into the nf_hook_ops that are available
at the tail of the pointer-array blob used by the datapath.

The nat hooks are special, because they are called indirectly from
the central nat dispatcher hook. They are currently invisible to
the nfnl hook dump subsystem though.

But once that changes the nat ops structures have to be deferred too."

Update nf_nat_register_fn() to deal with partial exposition of the hooks
from error path which can be also an issue for nfnetlink_hook.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from deferring the release of netfilter NAT hook structures with kfree_rcu, allowing the nfnetlink hook dump subsystem to access freed memory. This results in a use‑after‑free condition that can corrupt kernel memory or trigger a crash. The CVE description does not indicate arbitrary code execution, only memory corruption potential.

Affected Systems

Linux kernel versions starting with 5.14 that include the netfilter NAT hook subsystem are affected. Any distribution shipping an unpatched kernel in this version range may be impacted.

Risk and Exploitability

No CVSS or EPSS data are available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local; a user with access to the nfnetlink hook dump interface can trigger the use‑after‑free. Exploitation may lead to memory corruption and kernel instability, but the description does not confirm privilege escalation or code execution.

Generated by OpenCVE AI on June 24, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the nf_nat_register_fn patch
  • If an upgrade is not possible, disable the nfnetlink hook dump interface or configure the kernel to omit NAT hook exposure
  • Monitor system logs for kernel crashes or use‑after‑free related errors


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: netfilter: nat: use kfree_rcu to release ops Florian Westphal says: "Historically this is not an issue, even for normal base hooks: the data path doesn't use the original nf_hook_ops that are used to register the callbacks. However, in v5.14 I added the ability to dump the active netfilter hooks from userspace. This code will peek back into the nf_hook_ops that are available at the tail of the pointer-array blob used by the datapath. The nat hooks are special, because they are called indirectly from the central nat dispatcher hook. They are currently invisible to the nfnl hook dump subsystem though. But once that changes the nat ops structures have to be deferred too." Update nf_nat_register_fn() to deal with partial exposition of the hooks from error path which can be also an issue for nfnetlink_hook. |
| Title | | netfilter: nat: use kfree_rcu to release ops |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:12.635Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-53000

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:15:03Z

Weaknesses

No weakness.