PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23392 Linux CVE debrief

A high-severity vulnerability, CVE-2026-23392, was found in the Linux kernel. This vulnerability is caused by a use-after-free error in the netfilter subsystem, specifically in the nf_tables component. The vulnerability occurs when the flowtable is released after an RCU grace period on error, allowing a hook that already refers to this flowtable to be registered, exposing the flowtable to the packet path and nfnetlink_hook control plane. The affected Linux kernel versions are 4.16.1 to 6.1.167, 6.2 to 6.6.130, 6.7 to 6.12.78, 6.13 to 6.18.20, 6.19 to 6.19.10, and 7.0 rc1 to rc7.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-07-14
Advisory published
2026-03-25
Advisory updated
2026-07-14

Who should care

This vulnerability affects Linux kernel versions 4.16.1 to 6.1.167, 6.2 to 6.6.130, 6.7 to 6.12.78, 6.13 to 6.18.20, 6.19 to 6.19.10, and 7.0 rc1 to rc7. Users of these versions should take immediate action to mitigate the vulnerability. The operators, platform, vulnerability-management, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The vulnerability is caused by a use-after-free error in the netfilter subsystem, specifically in the nf_tables component. The error occurs when the flowtable is released after an RCU grace period on error, allowing a hook that already refers to this flowtable to be registered. This can be exploited by an attacker to execute arbitrary code or cause a denial-of-service (DoS) attack. The affected Linux kernel versions are 4.16.1 to 6.1.167, 6.2 to 6.6.130, 6.7 to 6.12.78, 6.13 to 6.18.20, 6.19 to 6.19.10, and 7.0 rc1 to rc7.

Defensive priority

High

Recommended defensive actions

  • Apply patches from Linux kernel maintainers
  • Update Linux kernel to a version that is not vulnerable
  • Implement compensating controls, such as firewall rules or intrusion detection systems
  • Monitor system logs for suspicious activity
  • Perform regular vulnerability scans and penetration testing
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability was reported by KASAN and is described as a use-after-free error in the netfilter subsystem. The CVE record was published on 2026-03-25T11:16:39.873Z and last modified on 2026-07-14T13:18:32.290Z. The affected product deployments should be reviewed for potential exposure.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-25T11:16:39.873Z and has not been modified since then.