VYPR
High severity · 7.8 · NVD Advisory · Published Mar 20, 2026 · Updated Apr 2, 2026

CVE-2026-23278

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: always walk all pending catchall elements

During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.

If the map holding the catchall elements is also going away, it's required to toggle all catchall elements and not just the first viable candidate.

Otherwise, we get:

    WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
    RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
    [..]
    __nft_set_elem_destroy+0x106/0x380 [nf_tables]
    nf_tables_abort_release+0x348/0x8d0 [nf_tables]
    nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
    nfnetlink_rcv_batch+0x9c9/0x20e0
    [..]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's netfilter nf_tables, a failure to walk all pending catchall elements during transaction abort can cause a use-after-free or kernel crash.

Root Cause

During transaction processing in the Linux kernel's netfilter nf_tables subsystem, a map may contain both a live catchall element and a pending catchall element from a new batch. When the map itself is being removed, the code incorrectly toggles only the first viable catchall element instead of iterating over all pending ones. This incomplete cleanup leads to a warning and a use-after-free in nft_data_release, as seen in the kernel panic trace [1][2].

Exploitation

The vulnerability is triggered during an abort of a netfilter transaction that involves a map with multiple catchall elements while the map is being destroyed. An attacker with the ability to craft netfilter rules (requiring CAP_NET_ADMIN) could potentially induce this condition. No special network position is required beyond local access to the netlink socket used for nf_tables configuration [3].

Impact

The bug manifests as a kernel warning and a use-after-free in nft_data_release, leading to a system crash (denial of service). While the description does not confirm privilege escalation, the use-after-free nature could, under certain memory layouts, be leveraged for arbitrary code execution. The primary impact is a denial of service on affected systems [4].

Mitigation

The fix ensures that all pending catchall elements are walked during abort, preventing the use-after-free. Patches have been applied to the stable kernel tree and are available in commits [1][2][3][4]. Users should update to the latest kernel version that includes these fixes.
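The difference between the two walks described above, as an added illustration that is not the kernel's code: a simplified model in which each catchall element of a map is just an "active" flag (live, or pending activation in the aborted batch). Teardown of the map counts elements that were never toggled, which is the inconsistency the kernel reports in nft_data_release; the buggy walk leaves one behind, the fixed walk leaves none.

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified model (not kernel code) of a map's catchall elements during
 * transaction abort; active[i] is true while element i is live or pending. */
struct map { bool active[8]; size_t nelems; };

/* Buggy walk: toggles the first viable catchall element, then stops. */
static void catchall_deactivate_first(struct map *m)
{
    for (size_t i = 0; i < m->nelems; i++) {
        if (!m->active[i])
            continue;
        m->active[i] = false;
        break; /* the defect: any further catchall element stays active */
    }
}

/* Fixed walk: every viable catchall element is toggled. */
static void catchall_deactivate_all(struct map *m)
{
    for (size_t i = 0; i < m->nelems; i++)
        m->active[i] = false;
}

/* Map teardown. An element still marked active here is the inconsistency
 * the kernel flags with the WARNING in nft_data_release; returns how many
 * such elements remain (0 means a clean teardown). */
static size_t map_destroy(const struct map *m)
{
    size_t still_active = 0;
    for (size_t i = 0; i < m->nelems; i++)
        if (m->active[i])
            still_active++;
    return still_active;
}

/* Advisory scenario: one live catchall plus one pending one, with the map
 * itself going away in the aborted transaction. */
static size_t run_abort(bool walk_all)
{
    struct map m = { .nelems = 2 };
    m.active[0] = m.active[1] = true; /* live element, pending element */
    if (walk_all)
        catchall_deactivate_all(&m);
    else
        catchall_deactivate_first(&m);
    return map_destroy(&m);
}
```

The real kernel structures (the set's catchall list, the element's generation mask and nft_data_release) are only referred to by name here; the model keeps just the walk-and-stop versus walk-all behaviour.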

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)


References: 4
