CVE-2026-23399 Overview
A memory leak vulnerability has been identified in the Linux kernel's nf_tables subsystem, specifically within the nft_dynset component. The flaw occurs when cloning stateful expressions in dynamic set elements fails during memory allocation. If cloning the second stateful expression via GFP_ATOMIC fails, the first stateful expression remains allocated without being properly released, resulting in a memory leak.
This vulnerability affects the netfilter framework's nftables implementation, which is responsible for packet filtering, network address translation, and other packet mangling operations in the Linux kernel.
Critical Impact
Persistent memory leaks in the kernel's netfilter subsystem can lead to system resource exhaustion and potential denial of service conditions on affected Linux systems handling network traffic.
Affected Products
- Linux kernel with nf_tables module enabled
- Systems using nftables for packet filtering and firewall rules
- Linux distributions with vulnerable kernel versions
Discovery Timeline
- 2026-03-28 - CVE CVE-2026-23399 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-23399
Vulnerability Analysis
The vulnerability resides in the error handling path of the nft_dynset_new() function within the nf_tables subsystem. When creating dynamic set elements with multiple stateful expressions, the kernel allocates memory for each expression clone using GFP_ATOMIC allocation flags. The issue occurs when the allocation for a subsequent expression fails while a previously cloned expression has already been successfully allocated.
The leaked memory manifests as unreferenced per-CPU allocated objects. The kernel backtrace from the memory leak detection reveals the allocation chain: pcpu_alloc_noprof → nft_counter_clone → nft_expr_clone → nft_dynset_new → nft_rhash_update → nft_dynset_eval → nft_do_chain. This indicates the leak occurs during packet processing when dynamic sets are being updated with new elements containing counter expressions.
Root Cause
The root cause is improper error handling in the nft_dynset component. When multiple stateful expressions need to be cloned for a new dynamic set element, the code fails to properly clean up already-allocated resources when a subsequent allocation fails. Specifically, if the second expression clone fails with GFP_ATOMIC, the first cloned expression is not freed, leaving orphaned memory in the kernel's per-CPU allocation pool.
Attack Vector
An attacker with the ability to generate network traffic that triggers nftables rule evaluation with dynamic sets containing multiple stateful expressions (such as counters) could potentially exploit this vulnerability. By causing repeated allocation failures through high network load or memory pressure scenarios, an attacker could gradually exhaust system memory through accumulated leaks.
The vulnerability is triggered through the following chain:
- Network packets are processed by nftables rules containing dynamic sets
- The nft_dynset_eval() function evaluates the dynamic set operation
- During element update via nft_rhash_update(), new elements are created
- Expression cloning in nft_dynset_new() fails for a subsequent expression
- Previously allocated expressions are leaked
Detection Methods for CVE-2026-23399
Indicators of Compromise
- Gradual increase in kernel memory usage over time, particularly in per-CPU allocations
- KMEMLEAK reports showing unreferenced objects with backtraces pointing to nft_counter_clone or nft_expr_clone
- System logs indicating memory allocation failures in the nf_tables module
- Performance degradation in network packet processing under sustained traffic
Detection Strategies
- Enable kernel memory leak detection (CONFIG_DEBUG_KMEMLEAK) to identify unreferenced objects in nf_tables
- Monitor /proc/meminfo for unexpected growth in kernel memory allocations
- Implement alerting on dmesg entries containing nf_tables allocation failures
- Use kernel tracing tools to monitor nft_dynset_new() error paths
Monitoring Recommendations
- Deploy memory monitoring solutions to track kernel per-CPU allocation pools
- Configure syslog forwarding to capture kernel memory warnings
- Establish baseline memory usage for systems running nftables firewalls
- Implement automated alerting when kernel memory consumption exceeds normal thresholds
How to Mitigate CVE-2026-23399
Immediate Actions Required
- Apply the latest kernel patches that address this memory leak vulnerability
- Monitor affected systems for signs of memory exhaustion
- Consider temporarily reducing complexity of nftables rules with multiple stateful expressions if patches cannot be immediately applied
- Schedule maintenance windows for kernel updates on production systems
Patch Information
The Linux kernel maintainers have released fixes for this vulnerability across multiple stable kernel branches. The patches ensure proper cleanup of cloned stateful expressions when allocation failures occur in the error path. The following commits address this issue:
- Kernel Git Commit 0548a13
- Kernel Git Commit 31641c6
- Kernel Git Commit c88a9fd
- Kernel Git Commit d135487
Workarounds
- Reduce the number of stateful expressions (counters, rate limiters) in dynamic set configurations where possible
- Implement periodic system reboots on affected systems as a temporary measure to clear accumulated memory leaks
- Monitor memory usage closely and restart systems proactively before memory exhaustion occurs
- Consider using alternative firewall configurations that do not rely heavily on dynamic sets with multiple stateful expressions
# Check current kernel version
uname -r
# Verify nf_tables module status
lsmod | grep nf_tables
# Monitor kernel memory usage
cat /proc/meminfo | grep -E "(MemFree|Slab|SUnreclaim)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
