Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack: destroy stale expectfn expectations on unregister

NAT helpers such as nf_nat_h323 store a raw pointer to module text in
exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()
only unlinks the callback descriptor and never walks the expectation table,
so an expectation pending at module removal survives with a dangling
exp->expectfn into freed module text.

When the expected connection arrives, init_conntrack() invokes
exp->expectfn(), now a stale pointer into the unloaded module. Reproduced
on a KASAN build by loading the H.323 helpers, creating a Q.931
expectation, unloading nf_nat_h323, then connecting to the expected port:

Oops: int3: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:0xffffffffa06102d1
init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
nf_hook_slow (net/netfilter/core.c:619)
__ip_local_out (net/ipv4/ip_output.c:120)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1715)
tcp_connect (net/ipv4/tcp_output.c:4374)
tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)
__sys_connect (net/socket.c:2167)
Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]

Reaching the dangling state requires CAP_SYS_MODULE in the initial user
namespace to remove a NAT helper that still has live expectations, so this
is a robustness fix; leaving an expectation pointing at freed text is wrong
regardless.

Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and
drops every expectation whose ->expectfn matches the descriptor being torn
down. Call it from each NAT helper's exit path after the existing RCU grace
period, so no expectation outlives the code it points at and no extra
synchronize_rcu() is introduced. With the fix, the same reproducer runs to
completion without the Oops.
Published: 2026-07-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free vulnerability exists in the netfilter nf_conntrack subsystem of the Linux kernel. When a NAT helper module such as nf_nat_h323 is unloaded while expectations that reference the helper’s callback function remain active, the kernel fails to clean up those expectation entries. As a result, later packets that match the pending expectation trigger a kernel call to a freed module function, causing an oops and a kernel crash. This flaw leads only to a denial of service on the affected host and cannot presently be turned into remote code execution.

Affected Systems

Systems running the Linux kernel with the netfilter nf_conntrack module, and any NAT helper modules that register expectations (e.g., nf_nat_h323), are impacted. This includes standard kernel deployments that ship these modules as either built‑in or loadable modules. No specific kernel version ranges are provided; the fix was merged into the mainline, so any kernel version before the patch that includes these modules is vulnerable as long as the module is loaded and its expectations are not cleaned upon unload.

Risk and Exploitability

The exploit requires the ability to unload kernel modules, which is protected by the CAP_SYS_MODULE capability. Therefore only privileged users or privileged kernel code can trigger the flaw. With the vulnerable state, an attacker can cause a kernel crash, leading to a reboot or out‑of‑service state, but does not gain arbitrary code execution or data exfiltration. EPSS is not available, and the flaw is not listed in the CISA KEV catalog, indicating limited real‑world exploitation to date. The CVSS score is not supplied in the data, but given the denial‑of‑service impact and privileged‑only vector, the vulnerability carries a moderate to high risk for affected deployments.

Generated by OpenCVE AI on July 1, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that incorporates the nf_ct_helper_expectfn_destroy patch to clean expectations on helper unload.
  • If a newer kernel is not immediately available, avoid unloading any nf_nat_* helpers while pending expectations exist; ensure all expectations are cleared before module removal.
  • Disable or remove unnecessary NAT helper modules until the kernel patch is applied, so that the vulnerable code path cannot be exercised.

Generated by OpenCVE AI on July 1, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 01 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 01 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 01 Jul 2026 13:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack: destroy stale expectfn expectations on unregister NAT helpers such as nf_nat_h323 store a raw pointer to module text in exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister() only unlinks the callback descriptor and never walks the expectation table, so an expectation pending at module removal survives with a dangling exp->expectfn into freed module text. When the expected connection arrives, init_conntrack() invokes exp->expectfn(), now a stale pointer into the unloaded module. Reproduced on a KASAN build by loading the H.323 helpers, creating a Q.931 expectation, unloading nf_nat_h323, then connecting to the expected port: Oops: int3: 0000 [#1] SMP KASAN NOPTI RIP: 0010:0xffffffffa06102d1 init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862) nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049) ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223) nf_hook_slow (net/netfilter/core.c:619) __ip_local_out (net/ipv4/ip_output.c:120) __tcp_transmit_skb (net/ipv4/tcp_output.c:1715) tcp_connect (net/ipv4/tcp_output.c:4374) tcp_v4_connect (net/ipv4/tcp_ipv4.c:345) __sys_connect (net/socket.c:2167) Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323] Reaching the dangling state requires CAP_SYS_MODULE in the initial user namespace to remove a NAT helper that still has live expectations, so this is a robustness fix; leaving an expectation pointing at freed text is wrong regardless. Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and drops every expectation whose ->expectfn matches the descriptor being torn down. Call it from each NAT helper's exit path after the existing RCU grace period, so no expectation outlives the code it points at and no extra synchronize_rcu() is introduced. With the fix, the same reproducer runs to completion without the Oops.
Title netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T13:32:27.412Z

Reserved: 2026-06-09T07:44:35.399Z

Link: CVE-2026-53349

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-01T00:00:00Z

Links: CVE-2026-53349 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T23:30:17Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference