netfilter: nft_ct: fix use-after-free in timeout object destroy

Summary

CVE: CVE-2026-31665
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-04-24 15:16:46 UTC
Updated: 2026-04-24 17:51:40 UTC
Description:

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: fix use-after-free in timeout object destroy

nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data().

Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c.

KASAN report:

  BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
  Read of size 4 at addr ffff8881035fe19c by task exploit/80

  Call Trace:
   nf_conntrack_tcp_packet+0x1381/0x29d0
   nf_conntrack_in+0x612/0x8b0
   nf_hook_slow+0x70/0x100
   __ip_local_out+0x1b2/0x210
   tcp_sendmsg_locked+0x722/0x1580
   __sys_sendto+0x2d8/0x320

  Allocated by task 75:
   nft_ct_timeout_obj_init+0xf6/0x290
   nft_obj_init+0x107/0x1b0
   nf_tables_newobj+0x680/0x9c0
   nfnetlink_rcv_batch+0xc29/0xe00

  Freed by task 26:
   nft_obj_destroy+0x3f/0xa0
   nf_tables_trans_destroy_work+0x51c/0x5c0
   process_one_work+0x2c4/0x5a0

Risk And Classification

EPSS: 0.000240000 probability, percentile 0.068020000 (date 2026-04-25)

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected 7e0b2b57f01d183e1c84114f1f2287737358d748 c458fc1c278a65ad5381083121d39a479973ebed git Not specified
CNA Linux Linux affected 7e0b2b57f01d183e1c84114f1f2287737358d748 c581e5c8f2b59158f62efe61c1a3dc36189081ff git Not specified
CNA Linux Linux affected 7e0b2b57f01d183e1c84114f1f2287737358d748 f16fe84879a5280f05ebbcea593a189ba0f3e79a git Not specified
CNA Linux Linux affected 7e0b2b57f01d183e1c84114f1f2287737358d748 070abdf1b04325b21a20a2a0c39a2208af107275 git Not specified
CNA Linux Linux affected 7e0b2b57f01d183e1c84114f1f2287737358d748 aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77 git Not specified
CNA Linux Linux affected 7e0b2b57f01d183e1c84114f1f2287737358d748 b42aca3660dc2627a29a38131597ca610dc451f9 git Not specified
CNA Linux Linux affected 7e0b2b57f01d183e1c84114f1f2287737358d748 d0983b48c10d1509fd795c155f8b1e832e1369ff git Not specified
CNA Linux Linux affected 7e0b2b57f01d183e1c84114f1f2287737358d748 f8dca15a1b190787bbd03285304b569631160eda git Not specified
CNA Linux Linux affected 4.19 Not specified
CNA Linux Linux unaffected 4.19 semver Not specified
CNA Linux Linux unaffected 5.10.253 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.203 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.169 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.135 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.82 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.23 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.13 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis