{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23458", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.021Z", "datePublished": "2026-04-03T15:15:39.041Z", "dateUpdated": "2026-05-11T22:07:22.715Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:22.715Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start(). When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct->ext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds. Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb->args[0] early-return check in the dump\ncallback to avoid dereferencing ct->ext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n <TASK>\n ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n ? aa_sk_perm+0x184/0x450\n sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n kmem_cache_alloc_noprof+0x134/0x440\n __nf_conntrack_alloc+0xa8/0x2b0\n ctnetlink_create_conntrack+0xa1/0x900\n ctnetlink_new_conntrack+0x3cf/0x7d0\n nfnetlink_rcv_msg+0x48e/0x510\n netlink_rcv_skb+0xc9/0x1f0\n nfnetlink_rcv+0xdb/0x220\n netlink_unicast+0x3ec/0x590\n netlink_sendmsg+0x397/0x690\n __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n slab_free_after_rcu_debug+0xad/0x1e0\n rcu_core+0x5c3/0x9c0"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_netlink.c"], "versions": [{"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52", "lessThan": "d8cd0efbccc5cfb0a80da744a7da76e1333ab925", "status": "affected", "versionType": "git"}, {"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52", "lessThan": "9821b47f669eb82791fa0b1a6ebaf9aa219bea72", "status": "affected", "versionType": "git"}, {"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52", "lessThan": "bdf2724eefd4455a66863abb025bab8d3aa98c57", "status": "affected", "versionType": "git"}, {"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52", "lessThan": "f04cc86d59906513d2d62183b882966fc0ae0390", "status": "affected", "versionType": "git"}, {"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52", "lessThan": "f025171feef2ac65663d7986f1d5ff0c28d6b2a9", "status": "affected", "versionType": "git"}, {"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52", "lessThan": "04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56", "status": "affected", "versionType": "git"}, {"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52", "lessThan": "cd541f15b60e2257441398cf495d978f816d09f8", "status": "affected", "versionType": "git"}, {"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52", "lessThan": "5cb81eeda909dbb2def209dd10636b51549a3f8a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_netlink.c"], "versions": [{"version": "3.10", "status": "affected"}, {"version": "0", "lessThan": "3.10", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925"}, {"url": "https://git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72"}, {"url": "https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57"}, {"url": "https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390"}, {"url": "https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9"}, {"url": "https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56"}, {"url": "https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8"}, {"url": "https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a"}], "title": "netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start(). When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct->ext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds. Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb->args[0] early-return check in the dump\ncallback to avoid dereferencing ct->ext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n <TASK>\n ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n ? aa_sk_perm+0x184/0x450\n sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n kmem_cache_alloc_noprof+0x134/0x440\n __nf_conntrack_alloc+0xa8/0x2b0\n ctnetlink_create_conntrack+0xa1/0x900\n ctnetlink_new_conntrack+0x3cf/0x7d0\n nfnetlink_rcv_msg+0x48e/0x510\n netlink_rcv_skb+0xc9/0x1f0\n nfnetlink_rcv+0xdb/0x220\n netlink_unicast+0x3ec/0x590\n netlink_sendmsg+0x397/0x690\n __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n slab_free_after_rcu_debug+0xad/0x1e0\n rcu_core+0x5c3/0x9c0"}], "id": "CVE-2026-23458", "lastModified": "2026-04-27T14:16:34.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:32.647", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()", "id": "2454816", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454816"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's netfilter connection tracking (ctnetlink) component. This vulnerability, known as a use-after-free, occurs when the system attempts to access a memory location after it has been deallocated, which can lead to unpredictable behavior. A local attacker could exploit this by triggering a specific sequence of network communication operations (netlink dump callbacks) related to connection tracking. This could result in a denial of service, causing system instability or crashes."], "name": "CVE-2026-23458", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23458\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23458\nhttps://lore.kernel.org/linux-cve-announce/2026040318-CVE-2026-23458-5578@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e844a928431fa8f1359d1f4f2cef53d9b446bf52,bdf2724eefd4455a66863abb025bab8d3aa98c57)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e844a928431fa8f1359d1f4f2cef53d9b446bf52,f04cc86d59906513d2d62183b882966fc0ae0390)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e844a928431fa8f1359d1f4f2cef53d9b446bf52,f025171feef2ac65663d7986f1d5ff0c28d6b2a9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e844a928431fa8f1359d1f4f2cef53d9b446bf52,04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e844a928431fa8f1359d1f4f2cef53d9b446bf52,cd541f15b60e2257441398cf495d978f816d09f8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e844a928431fa8f1359d1f4f2cef53d9b446bf52,5cb81eeda909dbb2def209dd10636b51549a3f8a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.10"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.10)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T08:52:25.685565+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that adds .start and .done callbacks for ctnetlink_dump_exp_ct() (upgrade to a kernel version containing the fix).", "If an upgrade cannot be performed immediately, disable the conntrack netlink interface to prevent use of the vulnerable function (e.g., block the ctnetlink socket or set appropriate sysctl knobs).", "Monitor kernel logs for KASAN or BUG messages indicating memory corruption."], "summary": {"action": "Patch immediately", "impact": "Kernel memory corruption leading to possible privilege escalation"}, "threat_synthesis": {"affected_systems": "Affected systems are Linux kernel releases before the patch that adds .start and .done callbacks to ctnetlink_dump_exp_ct(). The problematic code is present in kernel versions such as 7.0.0\u2011rc2+, as indicated by the KASAN logs. The issue is present in the primary Linux kernel distribution; no vendor\u2011specific product versions are listed beyond Linux:Linux. Thus any system running an unpatched Linux kernel is at risk.", "description_and_impact": "The vulnerability originates in the netfilter ctnetlink module of the Linux kernel. During a multi\u2011round conntrack dump, a connection tracking object is freed prematurely because its reference counter is not retained between dump rounds. The subsequent callback dereferences the freed object, creating a use\u2011after\u2011free that can corrupt kernel memory. If an attacker can trigger this callback, the corruption could lead to kernel crash or potentially arbitrary code execution, elevating privileges on the affected host.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity risk. EPSS less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not cataloged in the CISA KEV list. The attack vector is a netlink interface that is normally restricted to privileged users, meaning that local users with sufficient privileges could trigger the dump and exercise the use\u2011after\u2011free. For non\u2011privileged users the path is less clear, but the presence of a kernel memory corruption vulnerability still warrants immediate attention."}}}}, "created": "2026-04-03T21:13:40.417693+00:00", "updated": "2026-04-28T09:00:06.531128+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}