{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23274", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-20T08:08:54.918Z", "dateUpdated": "2026-03-20T08:08:54.918Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-20T08:08:54.918Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer->timer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer->timer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/xt_IDLETIMER.c"], "versions": [{"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "f228b9ae2a7e84d1153616d8e71c4236cb1f1309", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/xt_IDLETIMER.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.0-rc4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"}, {"url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"}, {"url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"}], "title": "netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer->timer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer->timer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."}], "id": "CVE-2026-23274", "lastModified": "2026-03-20T13:37:50.737", "metrics": {}, "published": "2026-03-20T09:16:13.077", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[68983a354a655c35d3fb204489d383a2a051fda7,f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[68983a354a655c35d3fb204489d383a2a051fda7,f228b9ae2a7e84d1153616d8e71c4236cb1f1309)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[68983a354a655c35d3fb204489d383a2a051fda7,329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.19,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.9,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc4,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-20T11:23:37.066495+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that rejects revision 0 rule insertion when an existing timer with the same label is of ALARM type.", "If a patch is not immediately available, limit the creation of new netfilter rules that use the IDLETIMER feature or reboot the system to clear potential uninitialized timer objects."], "summary": {"action": "Apply Patch", "impact": "Kernel Panic / DoS"}, "threat_synthesis": {"affected_systems": "The affected systems are Linux kernels that implement IDLETIMER with support for revisions 0 and 1. The specific kernel versions are not listed in the provided data, so any kernel that still contains the vulnerable code path may be impacted. The vendor list indicates only the Linux kernel with no additional product names.", "description_and_impact": "Key detail from vendor description: the Linux kernel's netfilter IDLETIMER allows a revision 0 rule to reuse an uninitialized timer created by a previous revision 1 rule with XT_IDLETIMER_ALARM. This causes a call to mod_timer() on an uninitialized timer_list, triggering debugobject warnings and, if panic_on_warn=1, can lead to a kernel panic. The vulnerability is a CWE\u2011665 (Improper Initialization).", "risk_and_exploitability": "The risk is moderate to high because the flaw can cause a kernel panic, resulting in a denial of service. No CVSS score or EPSS value is supplied, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local or privileged attacker able to insert a netfilter rule; from the description it is inferred that the attacker can trigger the flaw by creating a revision 0 rule that references an existing ALARM timer label. The exploit requires local access to configure netfilter rules, but compromise could lead to a system-wide panic."}}}}, "created": "2026-03-20T10:36:45.102281+00:00", "updated": "2026-03-20T16:27:49.809279+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}