netfilter: nf_tables: release flowtable after rcu grace period on error

CVE	CVE-2026-23392
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-03-25 11:16:39 UTC
Updated	2026-04-02 15:16:33 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane. This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu(). There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised. Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000130000 probability, percentile 0.023240000 (date 2026-04-03)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 3b49e2e94e6ebb8b23d0955d9e898254455734f8 d2632de96ccb066e0131ad1494241b9c281c60b8 git	Not specified
CNA	Linux	Linux	affected 3b49e2e94e6ebb8b23d0955d9e898254455734f8 adee3436ccd29f1e514c028899e400cbc6d84065 git	Not specified
CNA	Linux	Linux	affected 3b49e2e94e6ebb8b23d0955d9e898254455734f8 7e3955b282eae20d61c75e499c75eade51c20060 git	Not specified
CNA	Linux	Linux	affected 3b49e2e94e6ebb8b23d0955d9e898254455734f8 c8092edb9a11f20f95ccceeb9422b7dd0df337bd git	Not specified
CNA	Linux	Linux	affected 3b49e2e94e6ebb8b23d0955d9e898254455734f8 e78a2dcc7cfb87b64a631441ca7681492b347ef6 git	Not specified
CNA	Linux	Linux	affected 3b49e2e94e6ebb8b23d0955d9e898254455734f8 d73f4b53aaaea4c95f245e491aa5eeb8a21874ce git	Not specified
CNA	Linux	Linux	affected 4.16	Not specified
CNA	Linux	Linux	unaffected 4.16 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.167 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.20 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.10 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0-rc5 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.