PatchSiren cyber security CVE debrief

CVE-2026-23458 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's netfilter ctnetlink subsystem allows local attackers to escalate privileges or cause denial of service. The flaw exists in ctnetlink_dump_exp_ct(), which stores a conntrack pointer in cb->data for netlink dump callbacks but releases the reference immediately after netlink_dump_start(). When dump operations span multiple rounds, subsequent recvmsg() calls trigger the dump callback ctnetlink_exp_ct_dump_table(), which dereferences the now-freed conntrack via nfct_help(ct), leading to slab-use-after-free on ct->ext. The root cause is missing .start and .done callbacks in netlink_dump_control to manage conntrack references across dump rounds—unlike other dump functions in the same file that properly implement these callbacks. KASAN detection confirms the vulnerability with reads of freed memory at ffff88810597ebf0. Affected versions span Linux kernel 3.10 through 7.0-rc4 across multiple stable branches. The fix adds proper .start and .done callbacks to hold and release conntrack references for the dump duration, and relocates the nfct_help() call after the cb->args[0] early-return check to prevent unnecessary dereferences.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-26
Advisory published
2026-04-03
Advisory updated
2026-05-26

Who should care

Linux system administrators, kernel security teams, container platform operators, and organizations running multi-tenant Linux environments where unprivileged users may hold CAP_NET_ADMIN or where the netfilter conntrack netlink interface is reachable. Cloud providers and hosting platforms with custom kernel builds should prioritize patching. Security researchers tracking kernel memory-safety issues and netfilter subsystem vulnerabilities will also want to follow this one.

Technical summary

The vulnerability is a use-after-free (CWE-416) in net/netfilter/nf_conntrack_netlink.c. The ctnetlink_dump_exp_ct() function initializes a netlink dump with a conntrack pointer stored in cb->data, but calls nf_ct_put() immediately after netlink_dump_start(). The dump callback ctnetlink_exp_ct_dump_table() later accesses this pointer via nfct_help(ct), which dereferences ct->ext. When the conntrack has been freed via RCU (as shown in the KASAN trace: slab_free_after_rcu_debug → rcu_core), this becomes a use-after-free. The fix introduces ctnetlink_exp_ct_dump_start() and ctnetlink_exp_ct_dump_done() callbacks to properly hold (nf_ct_get()) and release (nf_ct_put()) the conntrack reference across the entire dump operation, matching the pattern used in ctnetlink_get_conntrack(). Additionally, nfct_help() is moved after the cb->args[0] check to avoid dereferencing when the dump is complete.
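The reference-lifetime problem and the .start/.done fix pattern described above, replayed as an added user-space model. This is example code written for this debrief, not kernel code and not the stable patch: ref_obj stands in for the conntrack, dump_cb for the netlink callback state, dump_ctl for netlink_dump_control, and the names, the two-entry table and the event order in run_dump() are all assumptions chosen for the model. Without the callbacks the second dump round reads an object that was already freed, which is what the KASAN report in the evidence notes flags; with them the dump owns its own reference until .done runs.

```c
/* Added example, not code from the kernel or from this advisory: a user-space
 * model of the reference-lifetime bug described above. ref_obj stands in for the
 * conntrack, dump_cb for the netlink callback state, dump_ctl for
 * netlink_dump_control. All names, the two-entry table and the event order in
 * run_dump() are assumptions chosen for the model. Build: cc -Wall uaf_model.c */
#include <stdbool.h>
#include <stdio.h>

#define N_ENTRIES    2     /* the "table" takes two dump rounds to emit */
#define UAF_DETECTED (-1)  /* what KASAN would report: read of a freed object */

struct ref_obj {
    int  refcnt;
    bool freed;               /* set when the last reference is dropped (slab free) */
    int  ext[N_ENTRIES];      /* stands in for ct->ext, which the callback reads */
};

struct dump_cb {
    void *data;               /* cb->data: the pointer stashed for the callbacks */
    long  args0;              /* cb->args[0]: non-zero once the walk has finished */
    long  args1;              /* cb->args[1]: next entry to emit */
};

struct dump_ctl {
    int (*start)(struct dump_cb *cb);
    int (*dump)(struct dump_cb *cb);
    int (*done)(struct dump_cb *cb);
};

static void obj_get(struct ref_obj *o) { o->refcnt++; }
static void obj_put(struct ref_obj *o) { if (--o->refcnt == 0) o->freed = true; }

/* Per-round dump callback. The args0 check comes before any dereference, as in
 * the fixed ctnetlink_exp_ct_dump_table(); a read of a freed object is reported
 * instead of silently returning stale memory. */
static int exp_dump_table(struct dump_cb *cb)
{
    struct ref_obj *ct = cb->data;
    int v;

    if (cb->args0)
        return 0;             /* dump already complete: nothing to touch */
    if (ct->freed)
        return UAF_DETECTED;
    v = ct->ext[cb->args1++];
    if (cb->args1 == N_ENTRIES)
        cb->args0 = 1;        /* table fully walked */
    return v;
}

/* The fix's pattern: the dump itself holds a reference from .start to .done. */
static int dump_start_hold(struct dump_cb *cb)   { obj_get(cb->data); return 0; }
static int dump_done_release(struct dump_cb *cb) { obj_put(cb->data); return 0; }

static const struct dump_ctl ctl_vulnerable = { .dump = exp_dump_table };
static const struct dump_ctl ctl_fixed = {
    .start = dump_start_hold, .dump = exp_dump_table, .done = dump_done_release,
};

/* Replays the sequence from the advisory: round 1 runs inside the start call,
 * the caller drops its lookup reference, the entry is removed from the table
 * (its reference goes away, so the object is freed if nothing else holds it),
 * then a later recvmsg() drives round 2. Returns round 2's result. */
static int run_dump(const struct dump_ctl *ctl, struct ref_obj *ct)
{
    struct dump_cb cb = { .data = ct, .args0 = 0, .args1 = 0 };
    int second;

    if (ctl->start)
        ctl->start(&cb);
    ctl->dump(&cb);           /* round 1 */
    obj_put(ct);              /* nf_ct_put() right after netlink_dump_start() */
    obj_put(ct);              /* conntrack deleted from the table meanwhile */
    second = ctl->dump(&cb);  /* round 2, from the next recvmsg() */
    if (ctl->done)
        ctl->done(&cb);
    return second;
}

/* Fresh object: one reference held by the table, one by the caller's lookup. */
static struct ref_obj fresh_ct(void)
{
    struct ref_obj ct = { .refcnt = 2, .freed = false, .ext = { 11, 22 } };
    return ct;
}

int run_vulnerable(void)
{
    struct ref_obj ct = fresh_ct();
    return run_dump(&ctl_vulnerable, &ct);   /* UAF_DETECTED */
}

int run_fixed(void)
{
    struct ref_obj ct = fresh_ct();
    return run_dump(&ctl_fixed, &ct);        /* 22: the second entry */
}

/* With the fix the object is still released, but only once .done has run. */
bool fixed_frees_after_done(void)
{
    struct ref_obj ct = fresh_ct();
    run_dump(&ctl_fixed, &ct);
    return ct.freed && ct.refcnt == 0;
}

int main(void)
{
    printf("without .start/.done: %d\n", run_vulnerable());
    printf("with .start/.done:    %d\n", run_fixed());
    printf("freed after done:     %s\n", fixed_frees_after_done() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one the review checklist in this debrief turns on: any pointer stashed in cb->data for a multi-round netlink dump needs an owner that outlives the first round, and the dump's own .start/.done pair is the natural place to take and drop that reference. Moving the cb->args[0] check ahead of the dereference is a separate, smaller hardening: it keeps a finished dump from touching the object at all.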

Defensive priority

HIGH

Recommended defensive actions

  • Apply kernel patches from stable branches: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or 7.0-rc5+
  • Restrict CAP_NET_ADMIN capability to prevent unprivileged ctnetlink access
  • Monitor for suspicious ctnetlink netlink socket activity from non-administrative processes
  • Enable KASAN in test environments to detect similar use-after-free patterns
  • Review custom netfilter conntrack helpers for similar reference counting issues in netlink dump callbacks

Evidence notes

KASAN slab-use-after-free detected in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 with read of size 8 at ffff88810597ebf0. Call trace shows netlink_dump → netlink_recvmsg → sock_recvmsg path. Allocation traced to __nf_conntrack_alloc via ctnetlink_create_conntrack, with free occurring via slab_free_after_rcu_debug in rcu_core context. Fix confirmed by kernel stable patches adding .start/.done callbacks to netlink_dump_control structure.

Official resources

2026-04-03T16:16:32.647Z