CVE-2026-31414
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_expect: use expect->helper
Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe.
Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in the Linux kernel's netfilter connection tracking expectations system can lead to local privilege escalation.
Vulnerability
This is a use-after-free vulnerability in the Linux kernel's netfilter subsystem, specifically in the nf_conntrack_expect functionality. The root cause is that the code in ctnetlink and /proc used nfct_help() to dump the helper name without holding a reference to the master conntrack. This can lead to a use-after-free scenario when the master conntrack is freed while the expectation still references it.
Exploitation
The attack surface is local: the attacker must be able to create and manage netfilter expectations via ctnetlink or other means. The attacker needs no special authentication beyond the ability to interact with the netfilter system. The vulnerability is triggered when the system dumps the helper name for an expectation after the master conntrack has been freed.
Impact
An attacker who successfully exploits this use-after-free could potentially execute arbitrary code in kernel context, leading to full system compromise. This includes the ability to install programs, view, change, or delete data, or create new accounts with full user rights.
Mitigation
The fix is included in the Linux kernel stable branches as commits [1][2][3][4]. Users should apply the latest kernel updates to remediate this vulnerability. No workaround is known.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (6)
- git.kernel.org/stable/c/3dfd3f7712b5a800f2ba632179e9b738076a51f0 (nvd, Patch)
- git.kernel.org/stable/c/4bd1b3d839172724b33d8d02c5a4ff6a1c775417 (nvd, Patch)
- git.kernel.org/stable/c/847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781 (nvd, Patch)
- git.kernel.org/stable/c/b53294bff19e56ada2f230ceb8b1ffde61cc3817 (nvd, Patch)
- git.kernel.org/stable/c/e7ccaa0a62a8ff2be5d521299ce79390c318d306 (nvd, Patch)
- git.kernel.org/stable/c/f01794106042ee27e54af6fdf5b319a2fe3df94d (nvd, Patch)
News mentions (1)
- Patch Tuesday - April 2026, Rapid7 Blog · Apr 14, 2026