CVE-2026-23272
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: unconditionally bump set->nelems before insertion
In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.
To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.
As for element updates, decrement set->nelems to restore it.
A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Linux kernel netfilter nf_tables occurs when a new element is published to a full set without waiting for RCU grace period.
Vulnerability
In the Linux kernel's netfilter nf_tables subsystem, a use-after-free vulnerability exists when adding elements to a set that hashed set that has reached its maximum capacity. The root cause is that a new element is published (inserted into the set) before the set's full condition is checked, and if the set is full, the element is subsequently removed without waiting for an RCU grace period. This means an RCU reader could be traversing the set and accessing the element after it has been freed, leading to a use-after-free condition [1].
Exploitation
An attacker with the ability to add elements to an nf_tables set (which requires the CAP_NET_ADMIN capability) can trigger this bug by filling the following sequence: first, fill the set to its maximum capacity, then attempt to add another element. The kernel will insert the element, detect the set is full, and remove it without proper synchronization. The attacker does not need any special network position beyond local access to the netlink interface used for nftables configuration. The vulnerability is exploitable when the system is under load or when multiple concurrent operations are performed, increasing the chance that an RCU reader is active during the window [1].
Impact
A successful exploit could allow a local attacker to cause a use-after-free, which may lead to a kernel crash (denial of service) or potentially to arbitrary code execution in kernel context, depending on the memory layout and attacker control over the freed object. The CVSS v3 score of 7.8 (High) reflects the high impact on confidentiality, integrity, and availability, given the attacker's need for local access and low privileges [1].
Mitigation
The fix, committed to the Linux kernel stable tree, changes the behavior so that the element is added to the transaction even if the set is full, and a set_full flag is toggled to report -ENFILE. The abort path then safely unwinds the set to its previous state. For element updates, the fix decrements set->nelems to restore the count. This avoids the need for a synchronize_rcu() in the error path, which would cause performance slowdowns for large batches. Users should apply the kernel patch from the stable tree to address CVE-2026-23272 [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.