CVE-2026-23272 (GCVE-0-2026-23272)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-04-13 06:03
VLAI?
Title
netfilter: nf_tables: unconditionally bump set->nelems before insertion
Summary
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already. To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state. As for element updates, decrement set->nelems to restore it. A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < 6826131c7674329335ca25df2550163eb8a1fd0c (git)
Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < ccb8c8f3c1127cf34d18c737309897c68046bf21 (git)
Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < def602e498a4f951da95c95b1b8ce8ae68aa733a (git)
Affected: fefdd79403e89b0c673965343b92e2e01e2713a8 (git)
Create a notification for this product.
    Linux Linux Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 6.18.17 , ≤ 6.18.* (semver)
Unaffected: 6.19.7 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6826131c7674329335ca25df2550163eb8a1fd0c",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "lessThan": "ccb8c8f3c1127cf34d18c737309897c68046bf21",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "lessThan": "def602e498a4f951da95c95b1b8ce8ae68aa733a",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fefdd79403e89b0c673965343b92e2e01e2713a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.33",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set-\u003enelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set-\u003enelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:03:21.164Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21"
        },
        {
          "url": "https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a"
        }
      ],
      "title": "netfilter: nf_tables: unconditionally bump set-\u003enelems before insertion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23272",
    "datePublished": "2026-03-20T08:08:52.946Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-04-13T06:03:21.164Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23272",
      "date": "2026-04-15",
      "epss": "0.00013",
      "percentile": "0.02109"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23272\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-20T09:16:12.700\",\"lastModified\":\"2026-04-02T15:16:28.417\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: nf_tables: unconditionally bump set-\u003enelems before insertion\\n\\nIn case that the set is full, a new element gets published then removed\\nwithout waiting for the RCU grace period, while RCU reader can be\\nwalking over it already.\\n\\nTo address this issue, add the element transaction even if set is full,\\nbut toggle the set_full flag to report -ENFILE so the abort path safely\\nunwinds the set to its previous state.\\n\\nAs for element updates, decrement set-\u003enelems to restore it.\\n\\nA simpler fix is to call synchronize_rcu() in the error path.\\nHowever, with a large batch adding elements to already maxed-out set,\\nthis could cause noticeable slowdown of such batches.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nnetfilter: nf_tables: incrementar incondicionalmente set-\u0026gt;nelems antes de la inserci\u00f3n\\n\\nEn caso de que el conjunto est\u00e9 lleno, se publica un nuevo elemento que luego se elimina sin esperar el per\u00edodo de gracia de RCU, mientras que un lector de RCU ya puede estar recorri\u00e9ndolo.\\n\\nPara abordar este problema, a\u00f1adir la transacci\u00f3n del elemento incluso si el conjunto est\u00e1 lleno, pero alternar la bandera set_full para informar -ENFILE de modo que la ruta de aborto deshaga de forma segura el conjunto a su estado anterior.\\n\\nEn cuanto a las actualizaciones de elementos, decrementar set-\u0026gt;nelems para restaurarlo.\\n\\nUna soluci\u00f3n m\u00e1s simple es llamar a synchronize_rcu() en la ruta de error.\\nSin embargo, con un gran lote a\u00f1adiendo elementos a un conjunto ya agotado, esto podr\u00eda causar una ralentizaci\u00f3n notable de dichos lotes.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.