CVE-2026-23458
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext.
The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose.
Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily.
BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
Call Trace:
 ctnetlink_exp_ct_dump_table+0x4f/0x2e0
 netlink_dump+0x333/0x880
 netlink_recvmsg+0x3e2/0x4b0
 ? aa_sk_perm+0x184/0x450
 sock_recvmsg+0xde/0xf0
Allocated by task 133:
 kmem_cache_alloc_noprof+0x134/0x440
 __nf_conntrack_alloc+0xa8/0x2b0
 ctnetlink_create_conntrack+0xa1/0x900
 ctnetlink_new_conntrack+0x3cf/0x7d0
 nfnetlink_rcv_msg+0x48e/0x510
 netlink_rcv_skb+0xc9/0x1f0
 nfnetlink_rcv+0xdb/0x220
 netlink_unicast+0x3ec/0x590
 netlink_sendmsg+0x397/0x690
 __sys_sendmsg+0xf4/0x180
Freed by task 0:
 slab_free_after_rcu_debug+0xad/0x1e0
 rcu_core+0x5c3/0x9c0
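The lifetime rule behind the fix, as a userspace C model (an added example, not the kernel patch or code from the references): a multi-round dump keeps an object pointer in its callback state, and only a .start/.done pair that holds its own reference keeps that pointer valid after the caller drops its reference. All type and function names are hypothetical, and the model assumes the caller's lookup reference is the only one left.

```c
#include <stdio.h>
/* Model only: "freed" is a flag, so a stale access is counted, never performed. */
struct obj { int refcnt, freed, nexp; };        /* stands in for the conntrack */
struct dump_cb { struct obj *data; long args[2]; int stale; };
struct dump_ctl { void (*start)(struct dump_cb *); void (*done)(struct dump_cb *); };
static void obj_get(struct obj *o) { o->refcnt++; }
static void obj_put(struct obj *o) { if (--o->refcnt == 0) o->freed = 1; }

/* .start/.done pair: the dump holds its own reference for its whole lifetime. */
static void hold(struct dump_cb *cb)    { obj_get(cb->data); }
static void release(struct dump_cb *cb) { obj_put(cb->data); }
static const struct dump_ctl ctl_unfixed = { NULL, NULL };
static const struct dump_ctl ctl_fixed   = { hold, release };

/* One dump round: returns 1 if it emitted entries, 0 when nothing is left. */
static int dump_round(struct dump_cb *cb)
{
    if (cb->args[0])                  /* finished: return before touching the object */
        return 0;
    if (cb->data->freed) {            /* in the kernel this read is the use-after-free */
        cb->stale++; cb->args[0] = 1;
        return 0;
    }
    cb->args[1] += 2;                 /* constructed limit: two entries fit per round */
    if (cb->args[1] >= cb->data->nexp)
        cb->args[0] = 1;
    return 1;
}

/* Runs a whole dump; returns how many rounds touched a released object. */
static int run_dump(const struct dump_ctl *ctl, int nexp, int *final_refcnt)
{
    struct obj ct = { .refcnt = 1, .nexp = nexp };  /* assumption: lookup ref is the only one */
    struct dump_cb cb = { .data = &ct };
    if (ctl->start) ctl->start(&cb);
    dump_round(&cb);                  /* first round runs inside the "dump start" call */
    obj_put(&ct);                     /* caller drops its lookup reference right away */
    while (dump_round(&cb)) { }       /* later rounds, one per recvmsg() */
    if (ctl->done) ctl->done(&cb);
    *final_refcnt = ct.refcnt;
    return cb.stale;
}

int main(void)
{
    int rc;
    printf("unfixed stale=%d fixed stale=%d\n", run_dump(&ctl_unfixed, 5, &rc), run_dump(&ctl_fixed, 5, &rc));
    return 0;
}
```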
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel's ctnetlink_dump_exp_ct() due to dropped conntrack reference across dump rounds.
Vulnerability
In the Linux kernel, a use-after-free vulnerability exists in the netfilter ctnetlink subsystem. The function ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback, but releases the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple recvmsg() calls, the callback dereferences the freed conntrack, leading to a use-after-free on ct->ext [1].
Exploitation
An attacker with the ability to send crafted netlink messages can trigger this vulnerability. The attack surface is local, requiring access to the netfilter netlink socket. The attacker must initiate a dump that spans multiple rounds, so that the callback accesses freed memory. No special privileges beyond the ability to create conntrack entries are needed [1].
Impact
Successful exploitation allows an attacker to read freed kernel memory, potentially leading to information disclosure or system crash. The KASAN report confirms a slab-use-after-free read, which could be leveraged for privilege escalation or denial of service [1].
Mitigation
The fix adds .start and .done callbacks to properly hold and release the conntrack reference across dump rounds, and moves the nfct_help() call after the early-return check. The patch has been applied to the Linux kernel stable branches [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56 (nvd)
- git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a (nvd)
- git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72 (nvd)
- git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57 (nvd)
- git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8 (nvd)
- git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925 (nvd)
- git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9 (nvd)
- git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390 (nvd)