netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
Summary
| CVE | CVE-2026-23458 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-03 16:16:32 UTC |
| Updated | 2026-04-18 09:16:28 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext. The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose. Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily. BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: <TASK> ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0 Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180 Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0 |
Risk And Classification
EPSS: 0.000320000 probability, percentile 0.090980000 (date 2026-04-18)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected e844a928431fa8f1359d1f4f2cef53d9b446bf52 d8cd0efbccc5cfb0a80da744a7da76e1333ab925 git | Not specified |
| CNA | Linux | Linux | affected e844a928431fa8f1359d1f4f2cef53d9b446bf52 9821b47f669eb82791fa0b1a6ebaf9aa219bea72 git | Not specified |
| CNA | Linux | Linux | affected e844a928431fa8f1359d1f4f2cef53d9b446bf52 bdf2724eefd4455a66863abb025bab8d3aa98c57 git | Not specified |
| CNA | Linux | Linux | affected e844a928431fa8f1359d1f4f2cef53d9b446bf52 f04cc86d59906513d2d62183b882966fc0ae0390 git | Not specified |
| CNA | Linux | Linux | affected e844a928431fa8f1359d1f4f2cef53d9b446bf52 f025171feef2ac65663d7986f1d5ff0c28d6b2a9 git | Not specified |
| CNA | Linux | Linux | affected e844a928431fa8f1359d1f4f2cef53d9b446bf52 04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56 git | Not specified |
| CNA | Linux | Linux | affected e844a928431fa8f1359d1f4f2cef53d9b446bf52 cd541f15b60e2257441398cf495d978f816d09f8 git | Not specified |
| CNA | Linux | Linux | affected e844a928431fa8f1359d1f4f2cef53d9b446bf52 5cb81eeda909dbb2def209dd10636b51549a3f8a git | Not specified |
| CNA | Linux | Linux | affected 3.10 | Not specified |
| CNA | Linux | Linux | unaffected 3.10 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.253 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.203 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.167 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.130 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.78 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.20 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.10 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.