CVE-2026-23399
Description
In the Linux kernel, the following vulnerability has been resolved:
nf_tables: nft_dynset: fix possible stateful expression memleak in error path
If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place without being released.
unreferenced object (percpu) 0x607b97e9cab8 (size 16):
  comm "softirq", pid 0, jiffies 4294931867
  hex dump (first 16 bytes on cpu 3):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  backtrace (crc 0):
    pcpu_alloc_noprof+0x453/0xd80
    nft_counter_clone+0x9c/0x190 [nf_tables]
    nft_expr_clone+0x8f/0x1b0 [nf_tables]
    nft_dynset_new+0x2cb/0x5f0 [nf_tables]
    nft_rhash_update+0x236/0x11c0 [nf_tables]
    nft_dynset_eval+0x11f/0x670 [nf_tables]
    nft_do_chain+0x253/0x1700 [nf_tables]
    nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
    nf_hook_slow+0xaa/0x1e0
    ip_local_deliver+0x209/0x330
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's nft_dynset, a memory leak occurs when cloning a second stateful expression fails, causing resource exhaustion.
Vulnerability
Description
The vulnerability resides in the dynamic set (nft_dynset) implementation of the Linux kernel's netfilter framework. When adding a new element to a dynamic set, the kernel clones stateful expressions (such as counters) for the element. If cloning the second stateful expression fails (e.g., due to memory pressure), the first cloned expression is not freed, leading to a memory leak [1]. The backtrace shows the leak occurring via nft_counter_clone and nft_dynset_new functions.
Exploitation
An attacker who can trigger dynamic set operations in nftables can exploit this vulnerability. Prerequisites include having the CAP_NET_ADMIN capability or being able to inject nftables rules that cause dynamic set updates. The attacker can repeatedly trigger the error path by exhausting memory (e.g., so that GFP_ATOMIC allocations fail), causing the leak and eventually depleting system memory.
Impact
Successful exploitation leads to a gradual memory leak, which can result in denial of service (DoS) due to resource exhaustion. The kernel may become unresponsive or crash when memory is exhausted. The CVSS v3 score is 5.5 (Medium), indicating a moderate severity with local access required.
Mitigation
The Linux kernel has released patches that fix the memory leak by ensuring the first expression is released if the second clone fails. The fix has been applied to multiple stable kernel branches [1][2][3][4]. Users should update to the latest patched kernel versions to mitigate this vulnerability.
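The error path described above, as a simplified userspace C model. This is an added example, not the kernel's code or the upstream patch; every name in it (expr_clone, elem_clone_exprs, the fail_at fault-injection switch) is hypothetical, and malloc stands in for the kernel's atomic per-CPU allocation.

```c
#include <stdio.h>
#include <stdlib.h>

struct expr { long packets; };    /* stands in for a counter's per-element state */
static int live_allocs;           /* clones not yet released */
static int clone_calls, fail_at;  /* fail the fail_at-th clone call (0 = never) */

/* Models a clone done in atomic context, which may fail under memory pressure. */
static struct expr *expr_clone(const struct expr *src)
{
    struct expr *e = (++clone_calls == fail_at) ? NULL : malloc(sizeof(*e));
    if (e) { *e = *src; live_allocs++; }
    return e;
}

static void expr_destroy(struct expr *e) { free(e); live_allocs--; }

/* Clone n template expressions into out[]. With unwind == 0 a failure returns
 * at once and earlier clones stay allocated (the leak); with unwind == 1 the
 * clones made so far are released first (the corrected error path). */
static int elem_clone_exprs(const struct expr *tmpl, int n, struct expr **out, int unwind)
{
    for (int i = 0; i < n; i++) {
        out[i] = expr_clone(&tmpl[i]);
        if (out[i])
            continue;
        while (unwind && i-- > 0) { expr_destroy(out[i]); out[i] = NULL; }
        return -1;
    }
    return 0;
}

/* One element insertion where the second clone fails; returns objects leaked. */
static int leaked_after_failure(int unwind)
{
    struct expr tmpl[2] = { {0}, {0} }, *out[2] = { NULL, NULL };
    live_allocs = clone_calls = 0;
    fail_at = 2;                          /* constructed fault: second clone fails */
    elem_clone_exprs(tmpl, 2, out, unwind);
    int leaked = live_allocs;
    for (int i = 0; i < 2; i++)           /* tidy up so the demo itself stays clean */
        if (out[i]) expr_destroy(out[i]);
    return leaked;
}

int main(void)
{
    printf("no unwind: %d leaked\n", leaked_after_failure(0));
    printf("unwind:    %d leaked\n", leaked_after_failure(1));
    return 0;
}
```

Each failed insertion without the unwind strands one object, which is why repeated failures under memory pressure add up to exhaustion.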
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.11.1,<6.12.78)
- cpe:2.3:o:linux:linux_kernel:5.11:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
References
- git.kernel.org/stable/c/0548a13b5a145b16e4da0628b5936baf35f51b43 (nvd, Patch)
- git.kernel.org/stable/c/31641c682db73353e4647e40735c7f2a75ff58ef (nvd, Patch)
- git.kernel.org/stable/c/c88a9fd26cee365bec932196f76175772a941cca (nvd, Patch)
- git.kernel.org/stable/c/d1354873cbe3b344899c4311ac05897fd83e3f21 (nvd, Patch)
- git.kernel.org/stable/c/e6661add2d9c6913e1dad97336595e23a2bed195 (nvd)