{"api_version":"1","generated_at":"2026-04-26T00:14:19+00:00","cve":"CVE-2026-31665","urls":{"html":"https://cve.report/CVE-2026-31665","api":"https://cve.report/api/cve/CVE-2026-31665.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31665","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31665"},"summary":{"title":"netfilter: nft_ct: fix use-after-free in timeout object destroy","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n  nf_conntrack_tcp_packet+0x1381/0x29d0\n  nf_conntrack_in+0x612/0x8b0\n  nf_hook_slow+0x70/0x100\n  __ip_local_out+0x1b2/0x210\n  tcp_sendmsg_locked+0x722/0x1580\n  __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n  nft_ct_timeout_obj_init+0xf6/0x290\n  nft_obj_init+0x107/0x1b0\n  nf_tables_newobj+0x680/0x9c0\n  nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n  nft_obj_destroy+0x3f/0xa0\n  nf_tables_trans_destroy_work+0x51c/0x5c0\n  process_one_work+0x2c4/0x5a0","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-24 15:16:46","updated_at":"2026-04-24 17:51:40"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed","name":"https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77","name":"https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff","name":"https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9","name":"https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275","name":"https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda","name":"https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a","name":"https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff","name":"https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31665","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31665","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0b2b57f01d183e1c84114f1f2287737358d748 c458fc1c278a65ad5381083121d39a479973ebed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0b2b57f01d183e1c84114f1f2287737358d748 c581e5c8f2b59158f62efe61c1a3dc36189081ff git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0b2b57f01d183e1c84114f1f2287737358d748 f16fe84879a5280f05ebbcea593a189ba0f3e79a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0b2b57f01d183e1c84114f1f2287737358d748 070abdf1b04325b21a20a2a0c39a2208af107275 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0b2b57f01d183e1c84114f1f2287737358d748 aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0b2b57f01d183e1c84114f1f2287737358d748 b42aca3660dc2627a29a38131597ca610dc451f9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0b2b57f01d183e1c84114f1f2287737358d748 d0983b48c10d1509fd795c155f8b1e832e1369ff git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0b2b57f01d183e1c84114f1f2287737358d748 f8dca15a1b190787bbd03285304b569631160eda git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.169 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.135 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.82 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.23 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.13 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31665","cve":"CVE-2026-31665","epss":"0.000240000","percentile":"0.068020000","score_date":"2026-04-25","updated_at":"2026-04-26 00:00:20"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["include/net/netfilter/nf_conntrack_timeout.h","net/netfilter/nft_ct.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"c458fc1c278a65ad5381083121d39a479973ebed","status":"affected","version":"7e0b2b57f01d183e1c84114f1f2287737358d748","versionType":"git"},{"lessThan":"c581e5c8f2b59158f62efe61c1a3dc36189081ff","status":"affected","version":"7e0b2b57f01d183e1c84114f1f2287737358d748","versionType":"git"},{"lessThan":"f16fe84879a5280f05ebbcea593a189ba0f3e79a","status":"affected","version":"7e0b2b57f01d183e1c84114f1f2287737358d748","versionType":"git"},{"lessThan":"070abdf1b04325b21a20a2a0c39a2208af107275","status":"affected","version":"7e0b2b57f01d183e1c84114f1f2287737358d748","versionType":"git"},{"lessThan":"aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77","status":"affected","version":"7e0b2b57f01d183e1c84114f1f2287737358d748","versionType":"git"},{"lessThan":"b42aca3660dc2627a29a38131597ca610dc451f9","status":"affected","version":"7e0b2b57f01d183e1c84114f1f2287737358d748","versionType":"git"},{"lessThan":"d0983b48c10d1509fd795c155f8b1e832e1369ff","status":"affected","version":"7e0b2b57f01d183e1c84114f1f2287737358d748","versionType":"git"},{"lessThan":"f8dca15a1b190787bbd03285304b569631160eda","status":"affected","version":"7e0b2b57f01d183e1c84114f1f2287737358d748","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["include/net/netfilter/nf_conntrack_timeout.h","net/netfilter/nft_ct.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.19"},{"lessThan":"4.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.169","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.135","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.82","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.23","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.169","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.135","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.82","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.23","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.13","versionStartIncluding":"4.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"4.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n  nf_conntrack_tcp_packet+0x1381/0x29d0\n  nf_conntrack_in+0x612/0x8b0\n  nf_hook_slow+0x70/0x100\n  __ip_local_out+0x1b2/0x210\n  tcp_sendmsg_locked+0x722/0x1580\n  __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n  nft_ct_timeout_obj_init+0xf6/0x290\n  nft_obj_init+0x107/0x1b0\n  nf_tables_newobj+0x680/0x9c0\n  nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n  nft_obj_destroy+0x3f/0xa0\n  nf_tables_trans_destroy_work+0x51c/0x5c0\n  process_one_work+0x2c4/0x5a0"}],"providerMetadata":{"dateUpdated":"2026-04-24T14:45:14.613Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed"},{"url":"https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff"},{"url":"https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a"},{"url":"https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275"},{"url":"https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77"},{"url":"https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9"},{"url":"https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff"},{"url":"https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda"}],"title":"netfilter: nft_ct: fix use-after-free in timeout object destroy","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31665","datePublished":"2026-04-24T14:45:14.613Z","dateReserved":"2026-03-09T15:48:24.129Z","dateUpdated":"2026-04-24T14:45:14.613Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-24 15:16:46","lastModifiedDate":"2026-04-24 17:51:40","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31665","Ordinal":"1","Title":"netfilter: nft_ct: fix use-after-free in timeout object destroy","CVE":"CVE-2026-31665","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31665","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n  nf_conntrack_tcp_packet+0x1381/0x29d0\n  nf_conntrack_in+0x612/0x8b0\n  nf_hook_slow+0x70/0x100\n  __ip_local_out+0x1b2/0x210\n  tcp_sendmsg_locked+0x722/0x1580\n  __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n  nft_ct_timeout_obj_init+0xf6/0x290\n  nft_obj_init+0x107/0x1b0\n  nf_tables_newobj+0x680/0x9c0\n  nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n  nft_obj_destroy+0x3f/0xa0\n  nf_tables_trans_destroy_work+0x51c/0x5c0\n  process_one_work+0x2c4/0x5a0","Type":"Description","Title":"netfilter: nft_ct: fix use-after-free in timeout object destroy"}]}}}