CVE-2026-23274
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer.
If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1.
Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A netfilter xt_IDLETIMER bug allows revision 0 rules to call mod_timer() on an uninitialized timer_list when reusing alarm-type labels from revision 1, causing debugobject warnings or panic.
Vulnerability
Overview CVE-2026-23274 is a vulnerability in the Linux kernel's netfilter xt_IDLETIMER module. The root cause is that IDLETIMER revision 0 rules reuse existing timers by label and unconditionally call mod_timer() on the timer structure. However, if the label was first created by revision 1 with the XT_IDLETIMER_ALARM flag set, the timer uses alarm semantics and its timer_list field (timer->timer) is never initialized. When a revision 0 rule subsequently reuses that label, it invokes mod_timer() on an uninitialized timer_list, leading to debugobject warnings and, if panic_on_warn=1 is set, a possible kernel panic.
Attack
Vector and Prerequisites Exploitation requires the ability to insert xt_IDLETIMER netfilter rules, which typically demands root privileges (CAP_NET (or CAP_NET_ADMIN). While an unprivileged user cannot directly trigger this, a privileged administrator or a compromised system service with netfilter capabilities can create a revision 1 ALARM timer and then insert a revision 0 rule reusing the same label, causing the undefined behavior.
Impact
The primary impact is a denial of service (system crash or panic) due to the kernel warning or panic. The CVSS v3 score is 7.8 (High), reflecting the potential for full availability loss. There is no indication of memory corruption exploitable for code execution beyond the panic condition.
Mitigation
Status The fix [1] has been committed to the stable kernel tree and is expected to be included in subsequent stable releases. The patch rejects revision 0 rule insertion when an existing timer with the same label is of ALARM type. System administrators should apply the relevant kernel update as soon as possible. No workaround is currently available for unpatched kernels.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeecnvd
- git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9nvd
- git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cfnvd
- git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44nvd
- git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491nvd
- git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9nvd
- git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309nvd
- git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1nvd
News mentions
0No linked articles in our index yet.