{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23392", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.011Z", "datePublished": "2026-03-25T10:33:16.647Z", "dateUpdated": "2026-03-25T10:33:16.647Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:33:16.647Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "d2632de96ccb066e0131ad1494241b9c281c60b8", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "adee3436ccd29f1e514c028899e400cbc6d84065", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "7e3955b282eae20d61c75e499c75eade51c20060", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "c8092edb9a11f20f95ccceeb9422b7dd0df337bd", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "e78a2dcc7cfb87b64a631441ca7681492b347ef6", "status": "affected", "versionType": "git"}, {"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8", "lessThan": "d73f4b53aaaea4c95f245e491aa5eeb8a21874ce", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "4.16", "status": "affected"}, {"version": "0", "lessThan": "4.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8"}, {"url": "https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065"}, {"url": "https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060"}, {"url": "https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd"}, {"url": "https://git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6"}, {"url": "https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce"}], "title": "netfilter: nf_tables: release flowtable after rcu grace period on error", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks."}], "id": "CVE-2026-23392", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:39.873", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: nf_tables: release flowtable after rcu grace period on error", "id": "2451218", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451218"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's netfilter component, specifically within the nf_tables subsystem. An error in releasing a flowtable after an RCU (Read-Copy-Update) grace period could lead to a use-after-free vulnerability. This issue could expose the flowtable to the packet path and nfnetlink_hook control plane, potentially allowing a local attacker to cause a system crash (Denial of Service) or achieve arbitrary code execution."], "name": "CVE-2026-23392", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23392\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23392\nhttps://lore.kernel.org/linux-cve-announce/2026032548-CVE-2026-23392-fd9d@gregkh/T"], "statement": "This flaw affects nftables flowtable configurations. When flowtable setup fails (max hooks reached, hardware offload failure, or duplicate device), the error path frees the flowtable without synchronize_rcu(), allowing concurrent access from packet path or nfnetlink_hook. KASAN detected this as UAF during hook dumping.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,d2632de96ccb066e0131ad1494241b9c281c60b8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,adee3436ccd29f1e514c028899e400cbc6d84065)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,7e3955b282eae20d61c75e499c75eade51c20060)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,c8092edb9a11f20f95ccceeb9422b7dd0df337bd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,e78a2dcc7cfb87b64a631441ca7681492b347ef6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3b49e2e94e6ebb8b23d0955d9e898254455734f8,d73f4b53aaaea4c95f245e491aa5eeb8a21874ce)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:36:56.934444+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the nf_tables RCU synchronization fix (commits 7e3955b, e78a2dc, and related changes).", "If a kernel upgrade is not immediately possible, temporarily disable nf_tables flowtable features or restrict hook registration until the patch is applied."], "summary": {"action": "Apply Patch", "impact": "Use\u2011After\u2011Free in Linux kernel nf_tables resulting in kernel crash or memory corruption"}, "threat_synthesis": {"affected_systems": "All versions of the Linux kernel that include the nf_tables module and lack the commit changes linked in the advisory are vulnerable. Any distribution shipping an unpatched kernel that uses nf_tables is affected, regardless of distribution or release version.", "description_and_impact": "The defect resides in the netfilter nf_tables subsystem of the Linux kernel, where a flowtable can be released without first synchronizing the RCU grace period on an error path. Because the flowtable may still be referenced by packet processing or the nfnetlink control plane, the kernel may access freed memory, creating a use\u2011after\u2011free condition. This can lead to illegal memory reads or writes, potentially destabilizing the kernel or corrupting kernel data structures.", "risk_and_exploitability": "The CVSS score of 7.0 reflects moderate to high severity, while the EPSS score of less than 1% indicates that the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely available exploits. Exploitation requires triggering the rare error path, such as exceeding the maximum number of hooks or encountering a hardware offload failure. Overall, the risk is moderate with a low probability of exploitation but potentially high impact if the flaw is triggered."}}}}, "created": "2026-03-25T21:31:24.063318+00:00", "updated": "2026-03-27T09:47:15.245693+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}