{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31665", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.129Z", "datePublished": "2026-04-24T14:45:14.613Z", "dateUpdated": "2026-05-11T22:13:13.182Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:13.182Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n nf_conntrack_tcp_packet+0x1381/0x29d0\n nf_conntrack_in+0x612/0x8b0\n nf_hook_slow+0x70/0x100\n __ip_local_out+0x1b2/0x210\n tcp_sendmsg_locked+0x722/0x1580\n __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n nft_ct_timeout_obj_init+0xf6/0x290\n nft_obj_init+0x107/0x1b0\n nf_tables_newobj+0x680/0x9c0\n nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n nft_obj_destroy+0x3f/0xa0\n nf_tables_trans_destroy_work+0x51c/0x5c0\n process_one_work+0x2c4/0x5a0"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/netfilter/nf_conntrack_timeout.h", "net/netfilter/nft_ct.c"], "versions": [{"version": "7e0b2b57f01d183e1c84114f1f2287737358d748", "lessThan": "c458fc1c278a65ad5381083121d39a479973ebed", "status": "affected", "versionType": "git"}, {"version": "7e0b2b57f01d183e1c84114f1f2287737358d748", "lessThan": "c581e5c8f2b59158f62efe61c1a3dc36189081ff", "status": "affected", "versionType": "git"}, {"version": "7e0b2b57f01d183e1c84114f1f2287737358d748", "lessThan": "f16fe84879a5280f05ebbcea593a189ba0f3e79a", "status": "affected", "versionType": "git"}, {"version": "7e0b2b57f01d183e1c84114f1f2287737358d748", "lessThan": "070abdf1b04325b21a20a2a0c39a2208af107275", "status": "affected", "versionType": "git"}, {"version": "7e0b2b57f01d183e1c84114f1f2287737358d748", "lessThan": "aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77", "status": "affected", "versionType": "git"}, {"version": "7e0b2b57f01d183e1c84114f1f2287737358d748", "lessThan": "b42aca3660dc2627a29a38131597ca610dc451f9", "status": "affected", "versionType": "git"}, {"version": "7e0b2b57f01d183e1c84114f1f2287737358d748", "lessThan": "d0983b48c10d1509fd795c155f8b1e832e1369ff", "status": "affected", "versionType": "git"}, {"version": "7e0b2b57f01d183e1c84114f1f2287737358d748", "lessThan": "f8dca15a1b190787bbd03285304b569631160eda", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/netfilter/nf_conntrack_timeout.h", "net/netfilter/nft_ct.c"], "versions": [{"version": "4.19", "status": "affected"}, {"version": "0", "lessThan": "4.19", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed"}, {"url": "https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff"}, {"url": "https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a"}, {"url": "https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275"}, {"url": "https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77"}, {"url": "https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9"}, {"url": "https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff"}, {"url": "https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda"}], "title": "netfilter: nft_ct: fix use-after-free in timeout object destroy", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCA68506-DA89-4BB0-BB51-9DE08D03AA32", "versionEndExcluding": "5.10.253", "versionStartIncluding": "4.19.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.19:-:*:*:*:*:*:*", "matchCriteriaId": "CFDAD450-8799-4C2D-80CE-2AA45DEC35CE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n nf_conntrack_tcp_packet+0x1381/0x29d0\n nf_conntrack_in+0x612/0x8b0\n nf_hook_slow+0x70/0x100\n __ip_local_out+0x1b2/0x210\n tcp_sendmsg_locked+0x722/0x1580\n __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n nft_ct_timeout_obj_init+0xf6/0x290\n nft_obj_init+0x107/0x1b0\n nf_tables_newobj+0x680/0x9c0\n nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n nft_obj_destroy+0x3f/0xa0\n nf_tables_trans_destroy_work+0x51c/0x5c0\n process_one_work+0x2c4/0x5a0"}], "id": "CVE-2026-31665", "lastModified": "2026-04-27T20:00:05.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:46.157", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: netfilter: nft_ct: fix use-after-free in timeout object destroy", "id": "2461577", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461577"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's netfilter connection tracking (nf_conntrack) component. This vulnerability is a use-after-free error, occurring when a timeout object is deallocated prematurely without waiting for an RCU (Read-Copy-Update) grace period. This allows concurrent packet processing to access memory that has already been freed. An attacker could exploit this timing issue to cause a system crash, leading to a denial of service."], "name": "CVE-2026-31665", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31665\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31665\nhttps://lore.kernel.org/linux-cve-announce/2026042405-CVE-2026-31665-f586@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e0b2b57f01d183e1c84114f1f2287737358d748,c458fc1c278a65ad5381083121d39a479973ebed)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e0b2b57f01d183e1c84114f1f2287737358d748,c581e5c8f2b59158f62efe61c1a3dc36189081ff)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e0b2b57f01d183e1c84114f1f2287737358d748,f16fe84879a5280f05ebbcea593a189ba0f3e79a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e0b2b57f01d183e1c84114f1f2287737358d748,070abdf1b04325b21a20a2a0c39a2208af107275)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e0b2b57f01d183e1c84114f1f2287737358d748,aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e0b2b57f01d183e1c84114f1f2287737358d748,b42aca3660dc2627a29a38131597ca610dc451f9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e0b2b57f01d183e1c84114f1f2287737358d748,d0983b48c10d1509fd795c155f8b1e832e1369ff)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e0b2b57f01d183e1c84114f1f2287737358d748,f8dca15a1b190787bbd03285304b569631160eda)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.169,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T02:19:26.753929+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that defers freeing the nft_ct timeout object until after an RCU grace period, thereby eliminating the use\u2011after\u2011free (CWE\u2011416) and race condition (CWE\u2011825) weaknesses.", "Reboot or resume the updated kernel to ensure the patch takes effect.", "If upgrading immediately is not possible, temporarily tighten nftables rules to filter or drop malformed packets that could trigger nf_conntrack, reducing the risk of exploitation until the kernel is updated."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011after\u2011free in the nft_ct timeout object that can corrupt kernel memory and may lead to denial of service."}, "threat_synthesis": {"affected_systems": "All Linux kernel releases prior to the patch, including kernel 4.19 and the 7.0 release candidates from RC1 through RC7. The fix is included in later commits referenced in the Linux kernel repository and should be present in subsequent stable releases.", "description_and_impact": "The bug occurs when the nft_ct timeout object is freed by kfree immediately after nf_ct_untimeout without waiting for an RCU grace period. While other CPUs may still reference the object via rcu_dereference, this can lead to a slab use\u2011after\u2011free. Based on the KASAN report, it is inferred that malformed or specially crafted packets could trigger the flaw, resulting in memory corruption.", "risk_and_exploitability": "The CVSS score of 7.8 reflects a high severity vulnerability. The EPSS score of less than 1% suggests that, at the time of analysis, exploitation is unlikely yet. The vulnerability is not listed in the CISA KEV catalog. It is inferred that exploitation might require local privileges or network access that can send specially crafted packets, but the advisory does not provide explicit attack vectors."}}}}, "created": "2026-04-27T18:45:11.313609+00:00", "updated": "2026-04-29T02:30:07.569819+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}