CVE-2026-23139
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conncount: update last_gc only when GC has been performed
Currently last_gc is being updated every time a new connection is tracked, which means it is updated even if a GC wasn't performed. With a sufficiently high packet rate, it is possible to always bypass the GC, causing the list to grow infinitely.
Update the last_gc value only when a GC has been actually performed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's nf_conncount module, a logic flaw causes the garbage collector to be bypassed under high packet rates, leading to unbounded connection list growth.
Root Cause
The vulnerability resides in the Linux kernel's netfilter connection tracking subsystem (nf_conncount). The last_gc timestamp, which controls when the garbage collector (GC) runs, was being updated on every new connection tracking event, regardless of whether a GC cycle was actually performed [1]. This means that under a sufficiently high packet rate, the GC could be perpetually skipped because last_gc was always refreshed before the GC threshold was reached.
Exploitation
An attacker can exploit this by generating a high rate of new connections (e.g., via rapid-fire SYN packets or other connection-establishing traffic) that target a system using nf_conncount. Because last_gc is updated with each new connection, the GC never triggers, allowing the connection list to grow without bound [1]. No authentication is required if the attacker can send network traffic to the victim host; the attack surface is the network-facing connection tracking infrastructure.
Impact
If the connection list grows without bound, it consumes an ever-increasing amount of kernel memory, leading to resource exhaustion. This can cause a denial of service (DoS) by starving the system of memory or triggering out-of-memory conditions, potentially crashing the host or making it unresponsive [1]. The CVSS v3 score of 7.5 (High) reflects the ease of triggering this condition and the severity of the resulting DoS.
Mitigation
The fix, committed to the Linux kernel stable tree, updates last_gc only when a GC cycle has actually been performed [1]. This ensures that the GC runs at the intended interval regardless of connection rate. Users should apply the patched kernel version containing commit 8bdafdf49000 (or equivalent backports) to remediate the vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
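The following is an added, deliberately simplified model of the timestamp gate described in the Root Cause and Mitigation sections above; it is not the kernel's nf_conncount code, and the names (conn_list, add_conn, simulate), the tick-based clock, GC_INTERVAL and CONN_LIFETIME are all assumptions chosen for illustration. It runs the same arrival pattern through the buggy gate (last_gc stamped on every add) and the fixed gate (last_gc stamped only when GC actually ran) and reports how many GC passes occurred and how large the list ended up.

```c
#include <stdbool.h>
#include <stdio.h>

#define GC_INTERVAL   10    /* minimum ticks between GC passes (assumed) */
#define CONN_LIFETIME 50    /* ticks after which a tracked entry is stale (assumed) */
#define MAX_ENTRIES   4096  /* bound for the toy list only; the real list is unbounded */

/* Toy connection list: one "added at" tick per tracked entry. */
struct conn_list {
    unsigned long added[MAX_ENTRIES];
    unsigned long n;        /* entries currently in the list */
    unsigned long last_gc;  /* timestamp that gates the next GC pass */
    unsigned long gc_runs;  /* how many GC passes actually happened */
};

struct sim_result {
    unsigned long n;        /* list size after the last arrival */
    unsigned long gc_runs;
};

/* Drop every entry whose lifetime has elapsed at tick `now`. */
static void gc(struct conn_list *l, unsigned long now)
{
    unsigned long kept = 0;
    for (unsigned long i = 0; i < l->n; i++)
        if (l->added[i] + CONN_LIFETIME > now)
            l->added[kept++] = l->added[i];
    l->n = kept;
    l->gc_runs++;
}

/* Track a new connection arriving at tick `now`.
 * fixed == false: the pre-patch behaviour, last_gc refreshed on every add.
 * fixed == true : last_gc refreshed only when a GC pass really ran. */
static void add_conn(struct conn_list *l, unsigned long now, bool fixed)
{
    if (now - l->last_gc >= GC_INTERVAL) {
        gc(l, now);
        l->last_gc = now;       /* both variants stamp after a real GC pass */
    }
    if (!fixed)
        l->last_gc = now;       /* the bug: stamp even though no GC ran */
    if (l->n < MAX_ENTRIES)
        l->added[l->n++] = now;
}

/* Feed `n_packets` new connections, one every `spacing` ticks. */
struct sim_result simulate(unsigned long n_packets, unsigned long spacing, bool fixed)
{
    static struct conn_list l;  /* static to keep the array off the stack */
    l.n = 0;
    l.last_gc = 0;
    l.gc_runs = 0;
    for (unsigned long i = 1; i <= n_packets; i++)
        add_conn(&l, i * spacing, fixed);
    return (struct sim_result){ l.n, l.gc_runs };
}

int main(void)
{
    /* Constructed traffic: 2000 arrivals one tick apart, i.e. faster than GC_INTERVAL. */
    struct sim_result bug = simulate(2000, 1, false);
    struct sim_result fix = simulate(2000, 1, true);
    printf("buggy gate: %lu GC passes, %lu entries left\n", bug.gc_runs, bug.n);
    printf("fixed gate: %lu GC passes, %lu entries left\n", fix.gc_runs, fix.n);
    /* Slow traffic (one arrival per GC_INTERVAL) lets even the buggy gate run GC. */
    struct sim_result slow = simulate(200, 10, false);
    printf("buggy gate, slow traffic: %lu GC passes, %lu entries left\n",
           slow.gc_runs, slow.n);
    return 0;
}
```

With arrivals every tick, the buggy gate never sees `now - last_gc` reach GC_INTERVAL, so it performs zero GC passes and the list holds every connection ever added; the fixed gate runs GC every GC_INTERVAL ticks and the list settles at roughly CONN_LIFETIME entries. The slow-traffic run shows why the defect only surfaces under load: once arrivals are spaced at least GC_INTERVAL apart, the stale stamp is harmless.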
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.19, <6.1.161)
- cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/26a82dce2beee39c43c109d9647e16f49cb02a35 (NVD: Patch)
- git.kernel.org/stable/c/2c7c71113ed6d3e2f3aca4c088f22283016ff34f (NVD: Patch)
- git.kernel.org/stable/c/3cd717359e56f82f06cbf8279b47a7d79880c6f3 (NVD: Patch)
- git.kernel.org/stable/c/7811ba452402d58628e68faedf38745b3d485e3c (NVD: Patch)
- git.kernel.org/stable/c/8bdafdf4900040a81422056cabe5e00a37bd101a (NVD: Patch)
- git.kernel.org/stable/c/9f45588993d7f115280fc726119ca86fba32a811 (NVD: Patch)
- git.kernel.org/stable/c/c4cde57c8affdcca5bcff53a1047e15d268bdca1 (NVD: Patch)
News mentions
No linked articles in our index yet.