CVE-2026-23272 Overview
CVE-2026-23272 is a race condition vulnerability in the Linux kernel's netfilter subsystem, specifically within the nf_tables set element handling code. When an nf_tables set reaches its maximum capacity, a new element can be published and then removed without waiting for the Read-Copy-Update (RCU) grace period. An RCU reader may already be traversing the freed element, leading to memory safety violations. The flaw affects local attackers with the ability to issue netfilter configuration commands and impacts confidentiality, integrity, and availability of the host system.
Critical Impact
A local attacker with CAP_NET_ADMIN in a user or network namespace can exploit this race condition to corrupt kernel memory and potentially escalate privileges on affected Linux systems.
Affected Products
- Linux kernel versions containing the nf_tables set element insertion logic prior to the upstream fix
- Distributions shipping the affected kernel revisions referenced by commits 6826131c, ccb8c8f3, and def602e4
- Systems where unprivileged user namespaces are enabled and nf_tables is reachable
Discovery Timeline
- 2026-03-20 - CVE-2026-23272 published to the National Vulnerability Database
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-23272
Vulnerability Analysis
The vulnerability resides in the netfilter nf_tables subsystem, which manages packet filtering rule sets in the Linux kernel. Sets in nf_tables are collections of elements protected by RCU for lockless read access. The flaw triggers when a transaction attempts to insert a new element into a set that has already reached its nelems limit.
In the buggy code path, the element is published into the set's data structure and then removed without an intervening synchronize_rcu() call. RCU readers walking the set concurrently may still hold references to the element that was just unpublished. The result is a use-after-free condition on memory that an RCU reader assumes is live.
The fix unconditionally increments set->nelems before insertion and adds the element to the transaction even when the set is full. A new set_full flag triggers -ENFILE to be returned, and the abort path safely unwinds the set to its previous state through the normal RCU-aware transaction rollback.
Root Cause
The root cause is improper RCU synchronization during error handling in the set element insertion path. The original error path treated a full set as a fast-fail condition and removed the freshly published element synchronously. This violates the RCU contract, which requires a grace period between publishing and freeing any object that concurrent readers can observe.
Attack Vector
Exploitation requires local access and the ability to manipulate nf_tables configurations, typically through the CAP_NET_ADMIN capability. On distributions with unprivileged user namespaces enabled, a local unprivileged attacker can obtain this capability inside a namespace. The attacker crafts a batch transaction that adds elements to an nf_tables set already at capacity while a parallel thread performs lookups against the same set, racing the publish-and-remove sequence against an active RCU reader.
No verified public proof-of-concept code is available. See the upstream commits 6826131c, ccb8c8f3, and def602e4 for the authoritative technical fix.
Detection Methods for CVE-2026-23272
Indicators of Compromise
- Kernel oops or panic messages referencing nf_tables, nft_set, or RCU-related stack traces in dmesg and /var/log/kern.log
- Unexpected -ENFILE return codes during nft batch operations correlated with high-frequency set updates
- Unprivileged processes invoking nft or setsockopt with NFNL_SUBSYS_NFTABLES from inside user namespaces
Detection Strategies
- Audit nf_tables netlink traffic for batch transactions that repeatedly attempt to insert elements into saturated sets
- Monitor for crashes or KASAN reports in kernels with debug instrumentation enabled
- Inspect process lineage for unprivileged binaries spawning user namespaces and invoking netfilter configuration syscalls
Monitoring Recommendations
- Enable kernel auditing (auditd) rules for the setsockopt and sendmsg syscalls targeting AF_NETLINK with NETLINK_NETFILTER
- Collect kernel ring buffer logs centrally and alert on BUG:, WARNING:, or general protection fault entries mentioning nft_
- Track user namespace creation events through unshare and clone syscall telemetry
How to Mitigate CVE-2026-23272
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced by commits 6826131c, ccb8c8f3, and def602e4 or upgrade to a distribution kernel that includes them
- Disable unprivileged user namespaces where they are not required by setting kernel.unprivileged_userns_clone=0 or the equivalent sysctl on your distribution
- Restrict access to the nf_tables netlink interface to trusted administrators only
Patch Information
The fix is committed to the upstream Linux kernel stable tree. Refer to Linux Kernel Commit 6826131c, Linux Kernel Commit ccb8c8f3, and Linux Kernel Commit def602e4. Distribution maintainers will backport these changes into supported stable branches. Verify your running kernel version against your vendor's security advisory tracker.
Workarounds
- Set kernel.unprivileged_userns_clone=0 to prevent unprivileged users from acquiring CAP_NET_ADMIN inside namespaces
- Load Linux Security Module (LSM) policies such as SELinux or AppArmor profiles that block unprivileged access to nf_tables netlink sockets
- Reduce the practical attack surface by enforcing seccomp filters that block unshare(CLONE_NEWUSER) for untrusted workloads
# Configuration example
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-cve-2026-23272.conf
sysctl -p /etc/sysctl.d/99-cve-2026-23272.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
