{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23274", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-20T08:08:54.918Z", "dateUpdated": "2026-05-11T22:03:41.745Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:41.745Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer->timer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer->timer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/xt_IDLETIMER.c"], "versions": [{"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "144f88054ba0180467356f40895bd660b5dceeec", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "28c7cfaf0c0ab17cbd7754092116fd1af45271f9", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "54080355999381fed4a26129579a5765bab87491", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "5e7ece24c5cb75a60402aad4d803c7898ea40aa9", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "f228b9ae2a7e84d1153616d8e71c4236cb1f1309", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/xt_IDLETIMER.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44"}, {"url": "https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec"}, {"url": "https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9"}, {"url": "https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491"}, {"url": "https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9"}, {"url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"}, {"url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"}, {"url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"}], "title": "netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer->timer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer->timer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: xt_IDLETIMER: rechazar la reutilizaci\u00f3n de rev0 de etiquetas de temporizador ALARM\n\nLas reglas de la revisi\u00f3n 0 de IDLETIMER reutilizan temporizadores existentes por etiqueta y siempre llaman a mod_timer() en timer->timer.\n\nSi la etiqueta fue creada primero por la revisi\u00f3n 1 con XT_IDLETIMER_ALARM, el objeto utiliza sem\u00e1ntica de temporizador de alarma y timer->timer nunca se inicializa. Reutilizar ese objeto de la revisi\u00f3n 0 causa mod_timer() en una timer_list no inicializada, lo que activa advertencias de debugobjects y un posible p\u00e1nico cuando panic_on_warn=1.\n\nSolucione esto rechazando la inserci\u00f3n de reglas de la revisi\u00f3n 0 cuando un temporizador existente con la misma etiqueta es de tipo ALARM."}], "id": "CVE-2026-23274", "lastModified": "2026-04-18T09:16:15.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-20T09:16:13.077", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels", "id": "2449572", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449572"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-908", "details": ["A flaw was found in the Linux kernel's netfilter: xt_IDLETIMER module. This vulnerability occurs when revision 0 rules attempt to reuse a timer label previously created by revision 1 with alarm timer semantics. This action can lead to calling mod_timer() on an uninitialized timer list. A local attacker could potentially trigger debug object warnings and, under certain configurations, cause a kernel panic, leading to a Denial of Service (DoS)."], "name": "CVE-2026-23274", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23274\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23274\nhttps://lore.kernel.org/linux-cve-announce/2026032034-CVE-2026-23274-ba1d@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[68983a354a655c35d3fb204489d383a2a051fda7,f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[68983a354a655c35d3fb204489d383a2a051fda7,f228b9ae2a7e84d1153616d8e71c4236cb1f1309)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[68983a354a655c35d3fb204489d383a2a051fda7,329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.19,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.9,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc4,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T16:45:50.631077+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch correcting the IDLETIMER timer reuse behavior.", "Verify the running kernel version with `uname -r` and compare against the commit that introduced the fix.", "If immediate patching is not possible, consider disabling the IDLETIMER feature or restricting rule insertion to prevent the use of revision 0 rules with conflicting labels.", "Monitor kernel logs for debugobject warnings or panic messages that may indicate an attempt to trigger the flaw."], "summary": {"action": "Patch", "impact": "Denial of Service (Kernel Panic)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel\u2019s netfilter subsystem, specifically the xt_IDLETIMER module, and impacts all distributions that ship the affected kernel code. No specific kernel versions are listed, so users of any kernel build without the patch are potentially vulnerable.", "description_and_impact": "The Linux kernel\u2019s netfilter IDLETIMER extension can reuse timer objects across rule revisions, and when a revision 0 rule is added for a label that was previously registered as an ALARM timer, the kernel calls mod_timer on an uninitialized timer structure. The resulting use\u2011after\u2011free type bug triggers debugobject warnings and can crash the kernel if panic_on_warn is enabled, thereby causing a denial of service. The weakness corresponds to CWE\u2011908, a race or misuse of an uninitialized resource.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The attack vector is likely local, requiring a privileged user to insert firewall rules that trigger the bug. Since the issue results in a kernel panic, a successful exploitation would lead to system downtime. The vulnerability is not listed in the CISA KEV catalog, so no known public exploits have been documented."}}}}, "created": "2026-03-20T10:36:45.102281+00:00", "updated": "2026-04-02T20:23:16.467473+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}