PatchSiren cyber security CVE debrief
CVE-2026-23278 Linux CVE debrief
CVE-2026-23278 is a Linux kernel netfilter/nf_tables vulnerability in the transaction handling of catchall elements. According to the CVE description, if a set or map is being removed while both a live catchall element and a pending catchall element exist, the abort path may toggle only the first viable element instead of all pending catchall elements. The documented result is a kernel warning in nft_data_release during nf_tables abort handling, which indicates an unsafe cleanup path in the nf_tables subsystem. NVD currently lists the issue as undergoing analysis and scores it CVSS 3.1 7.8 HIGH; the vector requires local access with low privileges and no user interaction.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-04-02
- Advisory published: 2026-03-20
- Advisory updated: 2026-04-02
Who should care
Kernel and platform security teams, Linux distribution maintainers, SREs running systems that use nftables/nf_tables, and administrators of multi-tenant or privileged Linux hosts where a local user could reach nf_tables transaction handling. Note that nf_tables is driven over netlink with CAP_NET_ADMIN in the caller's network namespace, so on hosts that allow unprivileged user namespaces a non-root process can reach this code path inside a namespace it created.
Technical summary
The flaw is in nf_tables transaction processing when catchall elements are pending and the backing set or map is removed. The fix, per the kernel stable references supplied in the source corpus, is to always walk all pending catchall elements rather than stopping at the first viable candidate. The issue manifests as a warning in nft_data_release during nf_tables abort/release handling, which points to element data being released in a state the abort path did not expect, that is, incorrect element teardown. The supplied CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a local attacker with low privileges and no user interaction, and rates confidentiality, integrity and availability impact as high; the practical impact depends on whether the path is reachable in the deployed kernel configuration.
Defensive priority
High. This is a kernel-level nf_tables bug with local attack preconditions and a HIGH CVSS score. Systems that expose nftables management to non-root users, containers, or unprivileged user namespaces should prioritize patch verification and kernel updates.
Recommended defensive actions
- Apply the Linux kernel updates or stable backports that include the referenced fix commits.
- Verify that deployed kernels include the nf_tables catchall handling fix by checking for the backported commits in the distribution changelog; a kernel build date before or after the CVE publication date does not by itself establish whether the fix is present.
- Prioritize hosts that use nftables/nf_tables heavily or allow untrusted local code execution, containers, or delegated network administration.
- Monitor kernel release notes and distribution advisories for the stable backport that addresses this issue.
- Treat repeated nf_tables warnings involving nft_data_release or nf_tables_abort_release as a signal to check kernel patch level and configuration; the warning is a symptom of the bug being reached, not on its own evidence of exploitation.
- Document fleet exposure by kernel version and distribution package, then schedule remediation for affected builds first.
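The two operational checks above (scanning kernel logs for the nft_data_release / nf_tables_abort_release warning signature, and inventorying the fleet by kernel release against the fixed version) can be scripted. The following is an added example, not code from the PatchSiren page or from the kernel project. The log lines are constructed, the function offsets in them are placeholders, and the fixed kernel version is an operator-supplied value taken from the distribution advisory, because this page does not state one.

```sh
#!/bin/sh
# Added example for CVE-2026-23278 triage; not from the PatchSiren page or the kernel tree.
# Assumptions: log lines are in the usual "... kernel: ..." syslog form, kernel
# releases are dotted numeric versions with an optional "-suffix", and the fixed
# version passed in comes from your distribution's advisory.

# Constructed sample kernel log (not a real capture). Lines 2 and 4 carry the
# warning signature described in the debrief; the rest are unrelated noise.
SAMPLE_KERNEL_LOG='Mar 21 03:14:07 host kernel: ------------[ cut here ]------------
Mar 21 03:14:07 host kernel: WARNING: CPU: 2 PID: 4242 at net/netfilter/nf_tables_api.c nft_data_release+0x0/0x0
Mar 21 03:14:07 host kernel: Call Trace:
Mar 21 03:14:07 host kernel:  nf_tables_abort_release+0x0/0x0
Mar 21 03:14:08 host kernel: nf_tables: table "filter" removed
Mar 21 03:20:00 host kernel: ixgbe 0000:03:00.0 eth0: NIC Link is Up'

# Print kernel log lines (from stdin) that name either function from the
# warning signature. Feed it `journalctl -k --no-pager` or /var/log/kern.log.
nft_catchall_warning_lines() {
    grep -E 'kernel:.*(nft_data_release|nf_tables_abort_release)'
}

# Count such lines. A non-zero count is a reason to check patch level, not
# proof that the bug was exploited.
nft_catchall_warning_count() {
    nft_catchall_warning_lines | wc -l | tr -d ' '
}

# Return 0 if kernel release $1 is at least version $2. Distribution suffixes
# such as "-generic" or "-1.el9" are stripped; missing trailing fields count as 0.
kernel_at_least() {
    have=${1%%-*}; need=${2%%-*}
    i=1
    while :; do
        a=$(printf '%s' "$have" | cut -d. -f"$i")
        b=$(printf '%s' "$need" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && return 0   # all fields equal
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
}

# Read "hostname kernel-release" pairs from stdin (one per line, as collected
# with `uname -r` across the fleet) and print the hosts still below the fixed
# version $1, which is the remediation worklist.
hosts_below_version() {
    fixed=$1
    while read -r host rel; do
        [ -z "$host" ] && continue
        kernel_at_least "$rel" "$fixed" || printf '%s %s\n' "$host" "$rel"
    done
}

# Stand-alone demonstration on the constructed data. The fixed version below is
# a placeholder; replace it with the one from your distribution advisory.
printf '%s\n' "$SAMPLE_KERNEL_LOG" | nft_catchall_warning_lines
printf 'a 6.12.19\nb 6.12.20-generic\nc 6.11.5-1.el9\n' | hosts_below_version 6.12.20
```

On a live host, replace the constructed log with `journalctl -k --no-pager | nft_catchall_warning_lines`, and build the fleet input from `uname -r` over your inventory tooling. The version comparison is intentionally conservative: a release with fewer fields than the fixed version is treated as having zeros in the missing positions.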
Evidence notes
Evidence is limited to the supplied CVE/NVD record and the linked kernel stable commit references. The CVE description states the bug is in Linux kernel netfilter: nf_tables catchall handling during transaction abort/release. NVD metadata lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and marks the record as undergoing analysis. The source corpus also includes four kernel stable commit URLs as references, but no patch text was provided in the corpus, so this debrief avoids asserting commit-specific implementation details beyond the described fix behavior.
Official resources
- CVE-2026-23278 CVE record (CVE.org)
- CVE-2026-23278 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published by the CVE record on 2026-03-20T09:16:13.690Z and modified on 2026-04-02T09:16:20.537Z. NVD lists the vulnerability as undergoing analysis at the time reflected in the supplied source corpus. No KEV data was supplied.