High severity7.8NVD Advisory· Published Mar 4, 2026· Updated Apr 2, 2026

CVE-2026-23231

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix use-after-free in nf_tables_addchain()

nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between.

This creates two use-after-free conditions:

1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it.

2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain.

Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.

Affected products

Linux/Kernel
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Range: >=3.16,<6.1.165

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

7.8/ 10

Attack vector: Local
Complexity: Low
Privileges: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Probability of exploitation in the next 30 days.

0.78%

VYPR risk score

Composite of severity, exploitation, and reach.

0.54high

cvss	0.507
epss	0.001
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-416
Use After Free

CVE ID

CVE-2026-23231