CVE-2026-23458 (GCVE-0-2026-23458)

Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:07
VLAI
Title
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
Summary
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext. The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose. Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily. BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: <TASK> ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0 Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180 Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < d8cd0efbccc5cfb0a80da744a7da76e1333ab925 (git)
Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < 9821b47f669eb82791fa0b1a6ebaf9aa219bea72 (git)
Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < bdf2724eefd4455a66863abb025bab8d3aa98c57 (git)
Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < f04cc86d59906513d2d62183b882966fc0ae0390 (git)
Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < f025171feef2ac65663d7986f1d5ff0c28d6b2a9 (git)
Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < 04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56 (git)
Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < cd541f15b60e2257441398cf495d978f816d09f8 (git)
Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < 5cb81eeda909dbb2def209dd10636b51549a3f8a (git)
Create a notification for this product.
Linux Linux Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.78 , ≤ 6.12.* (semver)
Unaffected: 6.18.20 , ≤ 6.18.* (semver)
Unaffected: 6.19.10 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conntrack_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d8cd0efbccc5cfb0a80da744a7da76e1333ab925",
              "status": "affected",
              "version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
              "versionType": "git"
            },
            {
              "lessThan": "9821b47f669eb82791fa0b1a6ebaf9aa219bea72",
              "status": "affected",
              "version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
              "versionType": "git"
            },
            {
              "lessThan": "bdf2724eefd4455a66863abb025bab8d3aa98c57",
              "status": "affected",
              "version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
              "versionType": "git"
            },
            {
              "lessThan": "f04cc86d59906513d2d62183b882966fc0ae0390",
              "status": "affected",
              "version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
              "versionType": "git"
            },
            {
              "lessThan": "f025171feef2ac65663d7986f1d5ff0c28d6b2a9",
              "status": "affected",
              "version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
              "versionType": "git"
            },
            {
              "lessThan": "04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56",
              "status": "affected",
              "version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
              "versionType": "git"
            },
            {
              "lessThan": "cd541f15b60e2257441398cf495d978f816d09f8",
              "status": "affected",
              "version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
              "versionType": "git"
            },
            {
              "lessThan": "5cb81eeda909dbb2def209dd10636b51549a3f8a",
              "status": "affected",
              "version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conntrack_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.10",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb-\u003edata for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start().  When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct-\u003eext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds.  Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb-\u003eargs[0] early-return check in the dump\ncallback to avoid dereferencing ct-\u003eext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n  \u003cTASK\u003e\n  ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n  netlink_dump+0x333/0x880\n  netlink_recvmsg+0x3e2/0x4b0\n  ? aa_sk_perm+0x184/0x450\n  sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n  kmem_cache_alloc_noprof+0x134/0x440\n  __nf_conntrack_alloc+0xa8/0x2b0\n  ctnetlink_create_conntrack+0xa1/0x900\n  ctnetlink_new_conntrack+0x3cf/0x7d0\n  nfnetlink_rcv_msg+0x48e/0x510\n  netlink_rcv_skb+0xc9/0x1f0\n  nfnetlink_rcv+0xdb/0x220\n  netlink_unicast+0x3ec/0x590\n  netlink_sendmsg+0x397/0x690\n  __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n  slab_free_after_rcu_debug+0xad/0x1e0\n  rcu_core+0x5c3/0x9c0"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:07:22.715Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925"
        },
        {
          "url": "https://git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57"
        },
        {
          "url": "https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390"
        },
        {
          "url": "https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a"
        }
      ],
      "title": "netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23458",
    "datePublished": "2026-04-03T15:15:39.041Z",
    "dateReserved": "2026-01-13T15:37:46.021Z",
    "dateUpdated": "2026-05-11T22:07:22.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23458",
      "date": "2026-05-25",
      "epss": "0.00015",
      "percentile": "0.03632"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23458\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-03T16:16:32.647\",\"lastModified\":\"2026-04-27T14:16:34.343\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\\n\\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb-\u003edata for the\\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\\nconntrack reference immediately after netlink_dump_start().  When the\\ndump spans multiple rounds, the second recvmsg() triggers the dump\\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\\nleading to a use-after-free on ct-\u003eext.\\n\\nThe bug is that the netlink_dump_control has no .start or .done\\ncallbacks to manage the conntrack reference across dump rounds.  Other\\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\\nuse .start/.done callbacks for this purpose.\\n\\nFix this by adding .start and .done callbacks that hold and release the\\nconntrack reference for the duration of the dump, and move the\\nnfct_help() call after the cb-\u003eargs[0] early-return check in the dump\\ncallback to avoid dereferencing ct-\u003eext unnecessarily.\\n\\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\\n\\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\\n Call Trace:\\n  \u003cTASK\u003e\\n  ctnetlink_exp_ct_dump_table+0x4f/0x2e0\\n  netlink_dump+0x333/0x880\\n  netlink_recvmsg+0x3e2/0x4b0\\n  ? aa_sk_perm+0x184/0x450\\n  sock_recvmsg+0xde/0xf0\\n\\n Allocated by task 133:\\n  kmem_cache_alloc_noprof+0x134/0x440\\n  __nf_conntrack_alloc+0xa8/0x2b0\\n  ctnetlink_create_conntrack+0xa1/0x900\\n  ctnetlink_new_conntrack+0x3cf/0x7d0\\n  nfnetlink_rcv_msg+0x48e/0x510\\n  netlink_rcv_skb+0xc9/0x1f0\\n  nfnetlink_rcv+0xdb/0x220\\n  netlink_unicast+0x3ec/0x590\\n  netlink_sendmsg+0x397/0x690\\n  __sys_sendmsg+0xf4/0x180\\n\\n Freed by task 0:\\n  slab_free_after_rcu_debug+0xad/0x1e0\\n  rcu_core+0x5c3/0x9c0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.