PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23399 Linux CVE debrief

A memory leak vulnerability exists in the Linux kernel's nf_tables subsystem, specifically within the nft_dynset module. When cloning stateful expressions for dynamic set elements, if the second stateful expression clone fails due to GFP_ATOMIC allocation failure, the first successfully cloned stateful expression is not released, resulting in a memory leak of per-CPU objects. The leaked object trace indicates nft_counter_clone as the affected expression type. This vulnerability requires local access with privileges to configure nftables rules and can lead to gradual memory exhaustion affecting system availability.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-28
Original CVE updated
2026-06-01
Advisory published
2026-03-28
Advisory updated
2026-06-01

Who should care

Linux system administrators running nftables with dynamic sets; security teams managing kernel attack surface; hosting providers and cloud operators offering container or VM workloads with nftables networking; kernel maintainers tracking stable branch updates.

Technical summary

The vulnerability is located in nft_dynset_new() within net/netfilter/nft_dynset.c. When processing a dynamic set element update, stateful expressions attached to the element are cloned using GFP_ATOMIC allocations. If the first expression clones successfully but the second fails, the error path does not release the already-cloned first expression. The leaked memory is a per-CPU allocation (16 bytes in the reported trace) originating from nft_counter_clone. This occurs during softirq context via nft_rhash_update and nft_dynset_eval. The fix ensures proper cleanup of cloned expressions when subsequent clones fail.
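To make the error-path defect concrete, here is an added, constructed C simulation (not the kernel's nft_dynset code): `expr_clone`, `expr_destroy`, `live_clones` and `fail_at` are hypothetical stand-ins for the stateful-expression clone/destroy operations and for a GFP_ATOMIC failure, and `clone_all_leaky` / `clone_all_fixed` contrast the leaking error path with one that unwinds earlier clones.

```c
#include <stdlib.h>

/* Constructed stand-in for a cloned stateful expression (e.g. a per-CPU counter). */
struct expr { int id; };

static int live_clones = 0; /* clones still allocated; nonzero after teardown = leak */
static int fail_at = -1;    /* index whose clone fails, simulating a GFP_ATOMIC failure */

static struct expr *expr_clone(int idx) {
    if (idx == fail_at) return NULL;
    struct expr *e = malloc(sizeof(*e));
    if (!e) return NULL;
    e->id = idx;
    live_clones++;
    return e;
}

static void expr_destroy(struct expr *e) { free(e); live_clones--; }

/* Buggy pattern (CWE-401): a later clone failure abandons the earlier clones. */
int clone_all_leaky(struct expr **out, int n) {
    for (int i = 0; i < n; i++) {
        out[i] = expr_clone(i);
        if (!out[i]) return -1; /* out[0..i-1] are never released */
    }
    return 0;
}

/* Fixed pattern: unwind every clone made so far before reporting the failure. */
int clone_all_fixed(struct expr **out, int n) {
    int i;
    for (i = 0; i < n; i++) {
        out[i] = expr_clone(i);
        if (!out[i]) goto err;
    }
    return 0;
err:
    while (--i >= 0) { expr_destroy(out[i]); out[i] = NULL; }
    return -1;
}

/* Debrief scenario: two expressions, second clone fails. Returns clones left live. */
int leaked_after(int (*clone_all)(struct expr **, int)) {
    struct expr *a[2] = { NULL, NULL };
    live_clones = 0; fail_at = 1;
    int leaked = (clone_all(a, 2) == 0) ? -1 : live_clones; /* -1: unexpected success */
    for (int i = 0; i < 2; i++) if (a[i]) expr_destroy(a[i]); /* harness cleanup only */
    return leaked;
}
```

With the second clone failing, the leaky variant leaves one clone allocated (the first), while the fixed variant leaves none.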

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch for your version stream (5.x, 6.12.x, 6.13+, 6.19+, or 7.0-rc).
  • If immediate patching is not feasible, restrict unprivileged user namespaces and limit nftables configuration privileges to reduce attack surface.
  • Monitor for abnormal memory growth in systems running nftables with dynamic sets and stateful expressions (e.g., nft_counter).
  • Review kernel logs for GFP_ATOMIC allocation failures in nf_tables paths as potential indicators of trigger attempts.
  • Plan kernel updates for regular maintenance windows: exploitation requires local privileges, and the impact is on availability rather than confidentiality or integrity.

Evidence notes

CVE published 2026-03-28; modified 2026-06-01. NVD assigns CWE-401 (Missing Release of Memory after Effective Lifetime). CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields score 5.5 (MEDIUM). Affected kernel versions span 5.11.1 through 6.12.78, 6.13 through 6.18.20, 6.19 through 6.19.10, and 7.0-rc1 through 7.0-rc7 per NVD CPE criteria. Multiple stable kernel patches are available. No KEV listing.

Official resources

2026-03-28