PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45897 Linux CVE debrief

A race condition vulnerability in the Linux kernel's netfilter nft_counter subsystem could allow concurrent dump-and-reset operations to underrun counter values, potentially leading to incorrect packet/byte accounting or policy enforcement bypass. The fix introduces a global spinlock to serialize fetch+reset operations.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Linux systems with nftables firewall rules that use counter objects, particularly those performing counter resets for monitoring, billing, or policy enforcement purposes. Cloud providers and hosting platforms with multi-tenant nftables deployments should prioritize verification of counter integrity.

Technical summary

The nft_counter module in the Linux kernel netfilter subsystem lacked proper synchronization for counter fetch-and-reset operations. Without serialization, two parallel operations could read identical counter values, then both subtract those values, resulting in counter underrun (negative values or incorrect zeroing). The remediation adds a global static spinlock taken before fetching totals, ensuring atomic fetch+reset sequences. A global lock was chosen for implementation simplicity given infrequent reset operations; the commit notes suggest a per-net lock could replace it if performance bottlenecks emerge.
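To make the interleaving concrete, an added userspace model (not kernel code and not from the referenced commits; the names, the mutex standing in for the spinlock, and the packet counts are assumptions): the losing fetch-then-subtract ordering beside the serialized form the fix takes, with a two-thread check that serialized resets conserve accounting.

```c
/* Simplified userspace model of the fetch-and-reset race in the advisory.
 * Not kernel code: names are mine, and a mutex stands in for the spinlock. */
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>

struct counter { uint64_t packets, bytes; };
/* One global lock, as in the fix, rather than a per-net or per-object lock. */
static pthread_mutex_t reset_lock = PTHREAD_MUTEX_INITIALIZER;
static void subtract(struct counter *c, struct counter t) {
    c->packets -= t.packets; c->bytes -= t.bytes;
}
/* The losing interleaving on a counter holding the given totals: both resets
 * fetch before either subtracts. True when the counter wrapped below zero. */
bool racy_double_reset(uint64_t packets, uint64_t bytes) {
    struct counter c = {packets, bytes};
    struct counter a = c, b = c;   /* both resets read the same totals */
    subtract(&c, a);               /* counter is now zero */
    subtract(&c, b);               /* zero minus b: unsigned wrap */
    return c.packets > UINT64_MAX / 2 || c.bytes > UINT64_MAX / 2;
}
/* Remediation shape: fetch and subtract inside one critical section. */
struct counter fetch_and_reset(struct counter *c) {
    pthread_mutex_lock(&reset_lock);
    struct counter t = *c;
    subtract(c, t);
    pthread_mutex_unlock(&reset_lock);
    return t;
}
/* Each resetter dumps-and-resets repeatedly and keeps what it took. */
struct worker { struct counter *c, taken; };
static void *resetter(void *p) {
    struct worker *w = p;
    for (int i = 0; i < 1000; i++) {
        struct counter t = fetch_and_reset(w->c);
        w->taken.packets += t.packets; w->taken.bytes += t.bytes;
    }
    return NULL;
}
/* Two concurrent resetters against a counter of `packets` 64-byte packets: true
 * if the dumps plus the residue add up exactly (nothing lost or counted twice). */
bool concurrent_resets_conserve(uint64_t packets) {
    struct counter c = {packets, packets * 64};
    struct worker w[2] = {{&c, {0, 0}}, {&c, {0, 0}}};
    pthread_t th[2];
    for (int i = 0; i < 2; i++) pthread_create(&th[i], NULL, resetter, &w[i]);
    for (int i = 0; i < 2; i++) pthread_join(th[i], NULL);
    return c.packets + w[0].taken.packets + w[1].taken.packets == packets &&
           c.bytes + w[0].taken.bytes + w[1].taken.bytes == packets * 64;
}
```

The same conservation check (dumped totals plus what remains equals what was counted) is what to look for when validating counter-based accounting after patching.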

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits when available from your Linux distribution
  • Monitor nftables counter behavior for anomalous negative values or accounting discrepancies
  • Review nftables rulesets that rely on counter-based rate limiting or policy decisions for potential bypass scenarios
  • Consider temporary workarounds such as avoiding concurrent counter reset operations if patching is delayed

Evidence notes

The vulnerability description indicates a race condition in nft_counter reset operations where parallel resets could both read the same counter values before either subtracts them, causing underrun. The fix adds a global static spinlock to serialize these operations. Two kernel.org stable tree commits are referenced as remediation sources.

Official resources

2026-05-27