Impact
A use‑after‑free vulnerability exists in the netfilter nf_conntrack subsystem of the Linux kernel. A NAT helper module such as nf_nat_h323 registers expectations: conntrack entries that predict a related flow (for H.323, the media and control connections negotiated over the signalling channel) and carry a pointer to a callback in the helper's own code (the expectation's expectfn). When the helper module is unloaded while such expectations are still pending, the kernel fails to remove those entries, so they keep pointing at code that has been freed. A later packet that matches a pending expectation makes conntrack invoke the stale callback, which dereferences freed module memory and results in a kernel oops and crash. The flaw is a denial of service on the affected host; no path to code execution is currently known.
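The lifecycle above, modelled as an added userland example (not kernel code, and not taken from the advisory or from netfilter): a helper module registers an expectation whose callback lives in the module's own code, the module is unloaded, and a packet matching the expectation arrives. The struct and function names (helper_module, expect_entry, packet_arrives, module_unload_vulnerable, module_unload_fixed) are hypothetical; only the expectfn pattern mirrors the kernel's struct nf_conntrack_expect. Freed code cannot be called safely in userland, so the model records a call into unloaded module text as an oops instead of crashing, and module_unload_fixed shows the shape of the remedy: flush every expectation that points into the module before its text goes away.

```c
/* Added example: userland model of the expectation use-after-free.
 * All names are hypothetical; the sample flow string is constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXPECT 8

/* A loadable "module": owns a callback and can be unloaded (text freed). */
struct helper_module {
    const char *name;
    bool loaded;
    int (*expectfn)(struct helper_module *self, const char *flow);
};

/* One expectation: predicts a related flow and records which module's
 * callback to run when that flow appears (kernel: expect->expectfn). */
struct expect_entry {
    bool in_use;
    char flow[32];               /* e.g. "udp 10.0.0.1:5004" */
    struct helper_module *owner; /* module whose text holds the callback */
};

static struct expect_entry expect_table[MAX_EXPECT];
static int oops_count;           /* calls that landed in unloaded text */

/* Stand-in for the NAT helper's expectation callback. */
static int h323_nat_expectfn(struct helper_module *self, const char *flow)
{
    (void)flow;
    return self->loaded ? 0 : -1;
}

static struct helper_module nf_nat_h323 = {
    .name = "nf_nat_h323", .loaded = true, .expectfn = h323_nat_expectfn,
};

/* The helper registers an expectation while it is loaded. */
int expect_add(struct helper_module *m, const char *flow)
{
    for (int i = 0; i < MAX_EXPECT; i++) {
        if (expect_table[i].in_use)
            continue;
        expect_table[i].in_use = true;
        expect_table[i].owner = m;
        snprintf(expect_table[i].flow, sizeof expect_table[i].flow, "%s", flow);
        return 0;
    }
    return -1;
}

/* Packet path: a new flow matching a pending expectation runs the recorded
 * callback (kernel: init_conntrack() calls exp->expectfn()). The kernel
 * performs no "is the module still loaded" check; the model substitutes
 * one so the dangling call is counted instead of crashing the process.
 * Returns 0 if the callback ran, -1 on a simulated oops, 1 if no
 * expectation matched (ordinary new connection). */
int packet_arrives(const char *flow)
{
    for (int i = 0; i < MAX_EXPECT; i++) {
        struct expect_entry *e = &expect_table[i];
        if (!e->in_use || strcmp(e->flow, flow) != 0)
            continue;
        e->in_use = false;
        if (!e->owner->loaded) {
            oops_count++;        /* real kernel: jump into freed text */
            return -1;
        }
        return e->owner->expectfn(e->owner, flow);
    }
    return 1;
}

/* Vulnerable unload: module text goes away, expectations stay behind. */
void module_unload_vulnerable(struct helper_module *m)
{
    m->loaded = false;
}

/* Fixed unload: drop every expectation whose callback lives in m
 * before the module's text is freed. */
void module_unload_fixed(struct helper_module *m)
{
    for (int i = 0; i < MAX_EXPECT; i++)
        if (expect_table[i].in_use && expect_table[i].owner == m)
            expect_table[i].in_use = false;
    m->loaded = false;
}

void scenario_reset(void)
{
    memset(expect_table, 0, sizeof expect_table);
    oops_count = 0;
    nf_nat_h323.loaded = true;
}

/* Register a pending flow, unload the helper, deliver the flow.
 * Returns the number of simulated oopses (1 vulnerable, 0 fixed). */
int run_scenario(bool fixed)
{
    scenario_reset();
    expect_add(&nf_nat_h323, "udp 10.0.0.1:5004"); /* constructed RTP flow */
    if (fixed)
        module_unload_fixed(&nf_nat_h323);
    else
        module_unload_vulnerable(&nf_nat_h323);
    packet_arrives("udp 10.0.0.1:5004");
    return oops_count;
}

int main(void)
{
    printf("vulnerable unload: %d oops\n", run_scenario(false));
    printf("fixed unload:      %d oops\n", run_scenario(true));
    return 0;
}
```

Build with cc -Wall and run: the vulnerable unload leaves the entry in place and the matching packet is dispatched into unloaded text, while the fixed unload flushes it first and the same packet is handled as an ordinary new connection.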
Affected Systems
Systems running the Linux kernel with the netfilter nf_conntrack module and a NAT helper that registers expectations (e.g., nf_nat_h323) are affected. No kernel version ranges are given; the fix has been merged into mainline, so any kernel built before it that includes these modules should be treated as vulnerable. Because the trigger is a module unload, a helper compiled into the kernel (CONFIG_NF_NAT_H323=y) cannot reach the vulnerable state: only deployments that build the helper as a loadable module (=m) and actually load it are exposed.
Risk and Exploitability
Triggering the flaw requires unloading a kernel module, which needs the CAP_SYS_MODULE capability (root in practice) and is refused outright once the sysctl kernel.modules_disabled is set to 1. Only the unload is privileged, however: the packet that later hits the stale expectation can arrive from the network. In the vulnerable state the result is a kernel crash and a reboot or outage, not code execution or data exfiltration. Since an actor who already holds CAP_SYS_MODULE can crash the host by simpler means, the realistic scenario is operational rather than adversarial: an administrator or package upgrade unloading nf_nat_h323 while H.323 calls are in progress. EPSS is not available and the flaw is not listed in the CISA KEV catalog, consistent with no known real‑world exploitation to date. No CVSS score is supplied; with a denial‑of‑service impact and a privileged local vector, the risk for affected deployments is moderate, higher where the host is a production H.323 gateway whose availability matters. On an unpatched kernel, list pending expectations with conntrack -L expect and let them drain or expire before unloading the helper.
OpenCVE Enrichment