CVE-2026-23231
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
111- osv-coords109 versionspkg:rpm/almalinux/bpftoolpkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-modules-extra-matchedpkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rvpkg:rpm/opensuse/dtb-aarch64&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-64kb&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-azure&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-docs&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-kvmsmall&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-build&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-qa&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/kernel-syms&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-zfcpdump&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-SLE15-SP7-RT_Update_11&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-syms-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7
< 4.18.0-553.117.1.el8_10+ 108 more
- (no CPE)range: < 4.18.0-553.117.1.el8_10
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 6.12.0-124.47.1.el10_1
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 6.12.0-124.47.1.el10_1
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 6.12.0-124.47.1.el10_1
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 5.14.0-611.47.1.el9_7
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.27.1.160000.2.8
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.19.8-1.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1.21.18
- (no CPE)range: < 6.4.0-41.1.21.18
- (no CPE)range: < 6.12.0-160000.27.1.160000.2.8
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 1-150700.1.3.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-150700.7.37.2
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-150700.7.37.2
- (no CPE)range: < 6.4.0-150700.7.37.1
Patches
Vulnerability mechanics
References
7- git.kernel.org/stable/c/2a6586ecfa4ce1413daaafee250d2590e05f1a33nvdPatch
- git.kernel.org/stable/c/2f9a4ffeb763aec822f8ff3d1e82202d27d46d4bnvdPatch
- git.kernel.org/stable/c/7017745068a9068904e1e7a1b170a5785647cc81nvdPatch
- git.kernel.org/stable/c/71e99ee20fc3f662555118cf1159443250647533nvdPatch
- git.kernel.org/stable/c/dbd0af8083dd201f07c49110b2ee93710abdff28nvdPatch
- git.kernel.org/stable/c/f3fe58ce37926a10115ede527d59b91bcc05400anvdPatch
- cert-portal.siemens.com/productcert/html/ssa-253495.htmlnvd
News mentions
0No linked articles in our index yet.