CVE-2026-23231

Опубликовано: 04 мар. 2026

Источник: redhat

CVSS3: 7.5

Описание

Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it.
Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain. Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.

A flaw was found in the Linux kernel. A local attacker with CAP_NET_ADMIN capabilities, or remote packet traffic, could exploit a use-after-free vulnerability in the nf_tables_addchain() function's error handling. Successful exploitation could lead to a kernel crash, resulting in a Denial of Service (DoS), or potentially privilege escalation.

Отчет

A use after free can occur in nf_tables_addchain error handling because a new chain is published to table chains via RCU before hook registration completes and is then freed without an RCU grace period when hook registration fails. This creates a race with RCU readers in the control plane such as nf_tables_dump_chains and also with in flight packet evaluation when an IPv4 hook is transiently installed for NFPROTO_INET and later IPv6 hook registration fails. For the CVSS the PR is L because a local actor with CAP_NET_ADMIN can induce the failing add chain path while remote packet traffic may hit the transient hook and trigger the UAF window. Impact ranges from a kernel crash to potential privilege escalation.

Меры по смягчению последствий

In order to trigger the issue, it requires the ability to create user/net namespaces. On non-containerized deployments of Red Hat Enterprise Linux 8, it is recommended to disable user namespaces by setting user.max_user_namespaces to 0:

echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf

sysctl -p /etc/sysctl.d/userns.conf

On containerized deployments, such as Red Hat OpenShift Container Platform, do not use this mitigation as the functionality is needed to be enabled.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 10	kernel	Affected
Red Hat Enterprise Linux 6	kernel	Not affected
Red Hat Enterprise Linux 7	kernel	Affected
Red Hat Enterprise Linux 7	kernel-rt	Affected
Red Hat Enterprise Linux 8	kernel	Affected
Red Hat Enterprise Linux 8	kernel-rt	Affected
Red Hat Enterprise Linux 9	kernel	Affected
Red Hat Enterprise Linux 9	kernel-rt	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-416

https://bugzilla.redhat.com/show_bug.cgi?id=2444376kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain()

7.5 High

CVSS3

Связанные уязвимости

CVE-2026-23231

CVSS3: 7.8

ubuntu

23 дня назад

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between. This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it. 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain. Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU reader...