{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23412", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.013Z", "datePublished": "2026-04-02T11:40:53.528Z", "dateUpdated": "2026-04-02T11:40:53.528Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-02T11:40:53.528Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bpf: defer hook memory release until rcu readers are done\n\nYiming Qian reports UaF when concurrent process is dumping hooks via\nnfnetlink_hooks:\n\nBUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0\nRead of size 8 at addr ffff888003edbf88 by task poc/79\nCall Trace:\n <TASK>\n nfnl_hook_dump_one.isra.0+0xe71/0x10f0\n netlink_dump+0x554/0x12b0\n nfnl_hook_get+0x176/0x230\n [..]\n\nDefer release until after concurrent readers have completed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_bpf_link.c"], "versions": [{"version": "84601d6ee68ae820dec97450934797046d62db4b", "lessThan": "d016c216bc75c45128160593a77b864a04dbe7c0", "status": "affected", "versionType": "git"}, {"version": "84601d6ee68ae820dec97450934797046d62db4b", "lessThan": "cb2bf5efdb02a2a59faf603604a1066e8266f349", "status": "affected", "versionType": "git"}, {"version": "84601d6ee68ae820dec97450934797046d62db4b", "lessThan": "c25e0dec366ae99b7264324ce3c7cbaea34691f9", "status": "affected", "versionType": "git"}, {"version": "84601d6ee68ae820dec97450934797046d62db4b", "lessThan": "54244d54a971c26a0cd0a9073460ff71f3c51b32", "status": "affected", "versionType": "git"}, {"version": "84601d6ee68ae820dec97450934797046d62db4b", "lessThan": "24f90fa3994b992d1a09003a3db2599330a5232a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_bpf_link.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d016c216bc75c45128160593a77b864a04dbe7c0"}, {"url": "https://git.kernel.org/stable/c/cb2bf5efdb02a2a59faf603604a1066e8266f349"}, {"url": "https://git.kernel.org/stable/c/c25e0dec366ae99b7264324ce3c7cbaea34691f9"}, {"url": "https://git.kernel.org/stable/c/54244d54a971c26a0cd0a9073460ff71f3c51b32"}, {"url": "https://git.kernel.org/stable/c/24f90fa3994b992d1a09003a3db2599330a5232a"}], "title": "netfilter: bpf: defer hook memory release until rcu readers are done", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bpf: defer hook memory release until rcu readers are done\n\nYiming Qian reports UaF when concurrent process is dumping hooks via\nnfnetlink_hooks:\n\nBUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0\nRead of size 8 at addr ffff888003edbf88 by task poc/79\nCall Trace:\n <TASK>\n nfnl_hook_dump_one.isra.0+0xe71/0x10f0\n netlink_dump+0x554/0x12b0\n nfnl_hook_get+0x176/0x230\n [..]\n\nDefer release until after concurrent readers have completed."}], "id": "CVE-2026-23412", "lastModified": "2026-04-03T16:10:52.680", "metrics": {}, "published": "2026-04-02T12:16:20.270", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/24f90fa3994b992d1a09003a3db2599330a5232a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/54244d54a971c26a0cd0a9073460ff71f3c51b32"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c25e0dec366ae99b7264324ce3c7cbaea34691f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cb2bf5efdb02a2a59faf603604a1066e8266f349"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d016c216bc75c45128160593a77b864a04dbe7c0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: bpf: defer hook memory release until rcu readers are done", "id": "2454319", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454319"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-364", "details": ["A flaw was found in the Linux kernel's netfilter BPF (Berkeley Packet Filter) component. A local attacker could exploit this by initiating a concurrent process to dump hooks via `nfnetlink_hooks`, which triggers a use-after-free vulnerability. This could lead to system instability or a denial of service (DoS) condition."], "name": "CVE-2026-23412", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23412\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23412\nhttps://lore.kernel.org/linux-cve-announce/2026040201-CVE-2026-23412-4daa@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[84601d6ee68ae820dec97450934797046d62db4b,d016c216bc75c45128160593a77b864a04dbe7c0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[84601d6ee68ae820dec97450934797046d62db4b,cb2bf5efdb02a2a59faf603604a1066e8266f349)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[84601d6ee68ae820dec97450934797046d62db4b,c25e0dec366ae99b7264324ce3c7cbaea34691f9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[84601d6ee68ae820dec97450934797046d62db4b,54244d54a971c26a0cd0a9073460ff71f3c51b32)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[84601d6ee68ae820dec97450934797046d62db4b,24f90fa3994b992d1a09003a3db2599330a5232a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T12:51:08.020317+00:00", "value": {"mitigation_remediation": ["Update the system to the latest Linux kernel release that contains the netfilter BPF use\u2011after\u2011free fix", "If an immediate kernel upgrade is not possible, restrict or disable nfnetlink_hooks usage for non\u2011essential users to limit the exposure of this API", "Continuously monitor kernel logs for panic messages or KASAN reports indicating a use\u2011after\u2011free has occurred"], "summary": {"action": "Apply Patch", "impact": "Use-After-Free memory corruption in the Linux kernel netfilter subsystem"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linux kernel across all releases that implement the netfilter BPF component and the nfnetlink_hooks interface. No specific kernel versions are listed, so any current kernel may be impacted.", "description_and_impact": "A use\u2011after\u2011free bug exists in the Linux kernel\u2019s netfilter BPF subsystem. When a process with access to the nfnetlink_hooks interface dumps hooks concurrently, the kernel releases hook memory before RCU readers have finished, leading to kernel memory corruption. The crash and memory corruption may provide an attacker an opportunity to execute arbitrary code, though this possibility is inferred rather than explicitly stated in the advisories.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not in the CISA KEV catalog. Based on the description, it is inferred that exploitation would require a local user with sufficient privileges to invoke nfnetlink_hooks, making the attack vector local."}}}}, "created": "2026-04-02T20:12:51.905595+00:00", "updated": "2026-04-03T21:17:18.085285+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}