PatchSiren cyber security CVE debrief
CVE-2026-23274 Linux CVE debrief
CVE-2026-23274 is a Linux kernel netfilter xt_IDLETIMER issue where revision 0 rules can reuse an existing timer by label even when that timer was first created by revision 1 with XT_IDLETIMER_ALARM. In that case, the reused object follows alarm-timer semantics and timer->timer is never initialized, yet rev0 still calls mod_timer() on it. The result can be debugobjects warnings and, if panic_on_warn=1 is enabled, a system panic. The kernel fix rejects rev0 rule insertion when an existing timer with the same label is an ALARM timer.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-04-18
- Advisory published: 2026-03-20
- Advisory updated: 2026-04-18
Who should care
Linux kernel maintainers, distribution security teams, and operators running systems that use netfilter xt_IDLETIMER rules, especially where both revision 0 and revision 1 rule paths may be present.
Technical summary
The vulnerable path is label-based timer reuse in xt_IDLETIMER revision 0. If a label was previously created by revision 1 using XT_IDLETIMER_ALARM, the underlying object does not initialize timer->timer the way rev0 expects. Rev0 nevertheless reuses the object and invokes mod_timer() on that uninitialized timer_list. The documented fix is to block revision 0 rule insertion when the matching label already belongs to an ALARM timer.
Defensive priority
High priority for Linux kernel environments that expose xt_IDLETIMER rules, because the issue can cause kernel warnings and may escalate to a panic when panic_on_warn=1 is set.
Recommended defensive actions
- Apply the Linux kernel fix that rejects revision 0 reuse of labels owned by XT_IDLETIMER_ALARM timers.
- Review any netfilter/xt_IDLETIMER deployments for mixed revision 0 and revision 1 rule usage on the same labels.
- Validate whether panic_on_warn=1 is enabled on affected systems, since the source description notes possible panic in that configuration.
- Track vendor or distribution backports for the kernel stable commits referenced in the CVE record.
- After patching, test rule insertion paths that reuse labels to confirm rev0 is correctly rejected for ALARM timers.
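The label-reuse check described in the technical summary, and the post-patch test in the last recommended action, as an added user-space model that is not kernel code: struct and function names are hypothetical, and the numeric value of XT_IDLETIMER_ALARM is assumed. With `fixed` set, a revision 0 insertion that hits a label owned by an ALARM timer returns -EINVAL instead of reaching mod_timer() on an uninitialized timer_list; without it, the model counts the unsafe call.

```c
/* Simplified user-space model of the xt_IDLETIMER label-reuse check. Added
 * illustration, not kernel code: struct and function names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

#define XT_IDLETIMER_ALARM 0x01  /* flag name from the advisory; value assumed */
#define MAX_TIMERS 8

struct model_timer {
    char label[28];
    bool is_alarm;           /* created by rev1 with XT_IDLETIMER_ALARM */
    bool timer_initialized;  /* models whether timer->timer was ever set up */
};
static struct model_timer registry[MAX_TIMERS];
static int registry_len;
int unsafe_mod_timer_calls;  /* mod_timer() invoked on an uninitialized timer_list */

static struct model_timer *find_by_label(const char *label)
{
    for (int i = 0; i < registry_len; i++)
        if (strcmp(registry[i].label, label) == 0)
            return &registry[i];
    return NULL;
}

static struct model_timer *create(const char *label, bool alarm)
{
    if (registry_len == MAX_TIMERS) return NULL;
    struct model_timer *t = &registry[registry_len++];
    memset(t, 0, sizeof *t);
    strncpy(t->label, label, sizeof t->label - 1);
    t->is_alarm = alarm;
    t->timer_initialized = !alarm;  /* the alarm path never sets up the timer_list */
    return t;
}

/* Revision 1 entry: new label only (kept simple); may request ALARM semantics. */
int model_checkentry_v1(const char *label, unsigned flags)
{
    if (find_by_label(label)) return -EEXIST;
    return create(label, (flags & XT_IDLETIMER_ALARM) != 0) ? 0 : -ENOMEM;
}

/* Revision 0 entry: reuses an existing label. With `fixed`, an ALARM owner is
 * rejected (the upstream fix); without it, rev0 calls mod_timer() regardless. */
int model_checkentry_v0(const char *label, bool fixed)
{
    struct model_timer *t = find_by_label(label);
    if (!t) return create(label, false) ? 0 : -ENOMEM;
    if (fixed && t->is_alarm) return -EINVAL;
    if (!t->timer_initialized) unsafe_mod_timer_calls++;  /* debugobjects would warn */
    return 0;
}
```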
Evidence notes
This debrief is based on the CVE description and the official NVD/CVE record metadata supplied in the corpus. The source description states that revision 0 reuses timers by label, that ALARM timers leave timer->timer uninitialized for this path, and that the fix rejects rev0 insertion when the existing label is an ALARM timer. NVD lists the issue as CVE-2026-23274, published 2026-03-20 and modified 2026-04-18, with CVSS v3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and status 'Undergoing Analysis'.
Official resources
- CVE-2026-23274 CVE record (CVE.org)
- CVE-2026-23274 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVE publishedAt: 2026-03-20T09:16:13.077Z; modifiedAt: 2026-04-18T09:16:15.797Z. NVD source status: Undergoing Analysis. No KEV listing was provided in the source corpus.