PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23272 Linux CVE debrief

CVE-2026-23272 is a Linux kernel netfilter/nf_tables issue in set insertion handling. According to the published fix description, when a set is already full, a newly added element could be published and then removed without waiting for the RCU grace period, while an RCU reader may already be traversing it. The upstream fix changes the transaction flow so the element is accounted for even when the set is full, uses a set_full flag to return -ENFILE and unwind safely on abort, and restores set->nelems for element updates. NVD lists the issue with a 7.8 HIGH CVSS score; the vector requires local access and low privileges, with no user interaction.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-20
Original CVE updated
2026-04-02
Advisory published
2026-03-20
Advisory updated
2026-04-02

Who should care

Linux kernel maintainers, distro security teams, and administrators running systems with nf_tables/nftables support enabled—especially multi-user systems where local users can interact with netfilter-related functionality.

Technical summary

The flaw is in nf_tables set management during element insertion into a full set. The vulnerable flow can publish an element and then remove it before an RCU grace period has elapsed, which creates a race window for concurrent RCU readers. The fix avoids that unsafe path by always adding the element transaction, marking the set as full so the error path can return -ENFILE and revert state cleanly, and adjusting set->nelems so updates remain consistent. The NVD record associated with this CVE shows CVSS v3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and currently has vulnStatus set to "Undergoing Analysis".

Defensive priority

High. This is a kernel memory-consistency bug in a security-sensitive subsystem, with local low-privilege access and a high CVSS score. Prioritize patching in standard kernel update cycles, and faster on shared or multi-user hosts.

Recommended defensive actions

  • Apply the kernel update or backport that includes the nf_tables set insertion fix referenced by the upstream stable commits.
  • Verify whether your kernel build includes the referenced fix in stable backports before declaring systems remediated.
  • Reboot into the patched kernel after updating, since kernel fixes generally require a reboot to take effect.
  • Pay special attention to hosts that expose nftables/netfilter functionality to local users or automation running with low privileges.
  • If you maintain a custom kernel, backport the upstream fix and test nftables set insertion and update paths before release.
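An added triage helper (not from the PatchSiren debrief or the kernel project) that covers the verification steps above: it reports whether nf_tables is present and whether unprivileged user namespaces (which let local low-privilege users drive nft in their own network namespace) are enabled, then gates on a fixed-version list. FIXED_VERSIONS is a placeholder to be filled from the stable commits NVD cites; distro kernels that backport the fix keep an older version string, so confirm those via the package changelog.

```sh
#!/bin/sh
# Added example, not from the CVE source. FIXED_VERSIONS is a PLACEHOLDER.

# Compare dotted version strings numerically (e.g. 6.12.17-generic vs 6.12.9).
# Returns 0 (true) when $1 >= $2, looking at the first three components only.
version_ge() {
    a=$1 b=$2 i=1
    while [ $i -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f$i); y=$(printf '%s' "$b" | cut -d. -f$i)
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # drop suffixes such as "-generic"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Returns 0 when the running kernel is on the same stable series (X.Y) as one
# of the fixed versions and is at or above it. Usage: kernel_fixed 6.12.20 "6.12.17 6.13.5"
kernel_fixed() {
    running=$1; fixed_list=$2
    rseries=$(printf '%s' "$running" | cut -d. -f1,2)
    for f in $fixed_list; do
        [ "$(printf '%s' "$f" | cut -d. -f1,2)" = "$rseries" ] || continue
        version_ge "$running" "$f" && return 0
    done
    return 1
}

# Exposure heuristics: nf_tables loaded as a module or built in, and
# unprivileged user namespaces allowed (max_user_namespaces > 0).
nf_tables_present() {
    grep -q '^nf_tables ' /proc/modules 2>/dev/null && return 0
    grep -qs '^CONFIG_NF_TABLES=y' "/boot/config-$(uname -r)"
}
userns_enabled() {
    n=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null); [ "${n:-0}" -gt 0 ]
}

main() {
    FIXED_VERSIONS="PLACEHOLDER_FIXED_VERSIONS"   # fill in from the upstream stable commits
    running=$(uname -r)
    nf_tables_present && echo "nf_tables: present" || echo "nf_tables: not present"
    userns_enabled && echo "unprivileged userns: enabled" || echo "unprivileged userns: disabled"
    if kernel_fixed "$running" "$FIXED_VERSIONS"; then echo "kernel $running: at/above fixed version"
    else echo "kernel $running: NOT confirmed fixed (check backports/changelog)"; fi
    return 0
}
main
```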

Evidence notes

Source description states the issue is in Linux kernel netfilter/nf_tables and explains the RCU race when inserting into a full set. The provided NVD metadata supplies the CVSS vector and "Undergoing Analysis" status. The referenced official links are kernel.org stable commit entries cited by NVD as related fix references. No KEV entry was provided in the source corpus.

Official resources

Published 2026-03-20T09:16:12.700Z; last modified 2026-04-02T15:16:28.417Z.