PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45901 Linux CVE debrief

A vulnerability in the Linux kernel's netfilter nf_tables subsystem has been resolved. The issue was a circular lock dependency (a potential deadlock) between commit_mutex, nfnl_subsys_ipset, and nlk_cb_mutex that could arise when nft reset operations, ipset list operations, and iptables-nft rules using '-m set' ran concurrently. The fix reverts the use of commit_mutex in the reset path; earlier patches had already made each individual reset handler safe to run concurrently without that mutex.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Linux system administrators running nftables, ipset, or iptables-nft with set match rules; security teams monitoring kernel netfilter stability; organizations with high-concurrency firewall rule management operations

Technical summary

The vulnerability is a circular lock dependency in the Linux kernel's netfilter nf_tables subsystem. commit_mutex had been added to the reset path to serialize reset requests, but taking it there created a lock-ordering cycle with nfnl_subsys_ipset and nlk_cb_mutex when an nft reset, an ipset list, and an iptables-nft '-m set' rule operation were in flight at the same time. The resolution drops commit_mutex from the reset path again and relies on the earlier patches that made the individual reset handlers concurrency-safe. The fix is available in kernel stable branches via commits 7f261bb906bf and ee3978b6a0dcd.

In practice, a lock-order inversion of this kind is reported on a kernel built with lockdep (CONFIG_PROVE_LOCKING) as a 'possible circular locking dependency detected' warning the first time the conflicting order is observed, whether or not a deadlock actually happens. A production kernel without lockdep prints nothing; the only symptom, when the three operations really do interleave in the wrong order, is the affected tasks blocking indefinitely on the mutexes.

Defensive priority

Medium

Recommended defensive actions

  • Check the running kernel version (uname -r) and move to a stable release that contains the two referenced fix commits; if you build your own kernel, confirm the commits are ancestors of your tree rather than relying on the version string alone
  • Monitor NVD for a CVSS score; none is assigned in the stored evidence
  • Inventory nftables/ipset/iptables-nft usage and identify hosts where nft reset, ipset list and iptables-nft '-m set' rules are driven by several management agents at once, since only concurrent use of the three code paths can trigger the cycle
  • On staging kernels built with CONFIG_PROVE_LOCKING, exercise the three operations concurrently and watch the kernel log for a 'possible circular locking dependency detected' report naming commit_mutex, nfnl_subsys_ipset or nlk_cb_mutex; a kernel carrying the fix should produce none
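The POSIX shell script below is an added example for this debrief, not code from PatchSiren, the CVE record or the kernel project. It turns the actions above into reusable checks: a filter that recognises a lockdep circular-dependency report naming the advisory's three locks, a counter for iptables-save rules that use the set match, and a live mode that reports the running kernel, loaded netfilter modules, whether a local kernel git checkout already contains the two fix commits, and whether the kernel log or live ruleset shows anything of interest. The lock names and commit ids are taken from the advisory; the KSRC variable, the script filename and the sample dmesg and iptables-save text are assumptions and constructed inputs for the offline demonstration.

```shell
#!/bin/sh
# Added example for this debrief (not code from PatchSiren or the kernel project):
# triage helpers for the nf_tables/ipset lock-ordering issue. Assumptions are
# labelled: the lock names and fix commit ids are taken from the advisory text;
# the lockdep banner is the text the kernel prints for this class of report; the
# sample dmesg and iptables-save text below is CONSTRUCTED, not a real capture.

FIX_COMMITS="7f261bb906bf ee3978b6a0dcd"            # from the advisory
LOCKS="commit_mutex nfnl_subsys_ipset nlk_cb_mutex"  # from the advisory

# Succeeds (exit 0) when stdin holds a lockdep circular-dependency report that
# names at least two of the three locks above; any other input exits 1.
lockdep_splat_matches() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q 'possible circular locking dependency detected' || return 1
    hits=0
    for lock in $LOCKS; do
        if printf '%s\n' "$text" | grep -q -- "$lock"; then
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -ge 2 ]
}

# Prints how many iptables-save style rules on stdin use the set match
# (-m set / --match-set), the rule shape the advisory names as one leg of the race.
count_set_match_rules() {
    grep -c -E -- '-m set |--match-set ' || true
}

# CONSTRUCTED sample inputs for the offline run (addresses and symbols are dummies).
SAMPLE_DMESG='[  123.456789] ======================================================
[  123.456790] WARNING: possible circular locking dependency detected
[  123.456791] nft/1234 is trying to acquire lock:
[  123.456792]  (&nft_net->commit_mutex){+.+.}-{3:3}, at: <symbol>+0x0/0x0
[  123.456793] but task is already holding lock:
[  123.456794]  (nlk_cb_mutex-NETFILTER){+.+.}-{3:3}, at: <symbol>+0x0/0x0'

SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m set --match-set blocklist src -j DROP
-A INPUT -m set --match-set allowlist src -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Live checks against the host this runs on; only executed when invoked as
# "sh triage.sh live" (filename assumed), so sourcing the file has no side effects.
# KSRC (assumed env var) may point at a kernel git checkout to test for the fix.
run_live_checks() {
    echo "kernel: $(uname -r)"
    lsmod | grep -E '^(nf_tables|ip_set|xt_set) ' || echo "nf_tables/ip_set/xt_set not loaded"
    if [ -n "${KSRC:-}" ] && [ -d "$KSRC/.git" ]; then
        for c in $FIX_COMMITS; do
            if git -C "$KSRC" merge-base --is-ancestor "$c" HEAD 2>/dev/null; then
                echo "fix commit $c is in $KSRC HEAD"
            else
                echo "fix commit $c NOT in $KSRC HEAD (or unknown to this clone)"
            fi
        done
    fi
    if command -v journalctl >/dev/null 2>&1; then
        if journalctl -k --no-pager 2>/dev/null | lockdep_splat_matches; then
            echo "lockdep report naming the advisory's locks found in the kernel log"
        else
            echo "no matching lockdep report in the kernel log"
        fi
    fi
    if command -v iptables-save >/dev/null 2>&1; then
        echo "set-match rules in the live ruleset: $(iptables-save 2>/dev/null | count_set_match_rules)"
    fi
}

case "${1:-}" in
    live) run_live_checks ;;
    demo) printf '%s\n' "$SAMPLE_DMESG" | lockdep_splat_matches && echo "sample splat matches"
          echo "set-match rules in sample: $(printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | count_set_match_rules)" ;;
esac
```

Run it with `demo` to see the two filters applied to the constructed samples, or with `live` (optionally `KSRC=/path/to/linux`) on a host under review. The lockdep filter deliberately requires two of the three lock names so that unrelated circular-dependency reports elsewhere in the kernel are not mistaken for this issue; a report that only mentions one of them is worth reading but is not attributed to this CVE.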

Evidence notes

The vulnerability description is taken directly from the official CVE record and the NVD entry. The fix is documented in the two kernel git commits referenced by the CVE. The vendor identification is low confidence and needs review: the CVE record's references only yield 'Kernel' as a domain candidate, and no product or version range is recorded in the stored evidence.

Official resources

The vulnerability was disclosed via the Linux kernel git repository on 2026-05-27, with the CVE record published the same day. The issue was identified and resolved by kernel maintainers. No CVSS score has been assigned as of the CVE's 'An'