CVE-2026-23458 Overview
CVE-2026-23458 is a use-after-free vulnerability in the Linux kernel's netfilter ctnetlink subsystem. The flaw resides in the ctnetlink_dump_exp_ct() function, which stores a conntrack pointer in cb->data for the netlink dump callback but releases the conntrack reference immediately after calling netlink_dump_start(). When a dump spans multiple rounds, a subsequent recvmsg() call triggers the dump callback, which dereferences the freed conntrack via nfct_help(ct), producing a use-after-free on ct->ext.
Critical Impact
A local user with network namespace access can trigger memory corruption in the kernel via crafted netlink dump operations, leading to potential privilege escalation or denial of service.
Affected Products
- Linux kernel (mainline) — netfilter / ctnetlink subsystem
- Distribution kernels built from affected upstream commits
- Systems exposing NFNL_SUBSYS_CTNETLINK_EXP to unprivileged user namespaces
Discovery Timeline
- 2026-04-03 - CVE-2026-23458 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-23458
Vulnerability Analysis
The vulnerability is a use-after-free [CWE-416] in the connection-tracking netlink (ctnetlink) interface. ctnetlink_dump_exp_ct() initiates a netlink dump using a netlink_dump_control structure that lacks .start and .done callbacks. The function passes a nf_conn pointer through cb->data but drops its reference count before the dump completes.
Netlink dumps can be multi-round operations. The kernel preserves cb->data across rounds but does not preserve the reference. When userspace issues the next recvmsg(), the dump resumes and dereferences a conntrack object that has already been freed via RCU. The KASAN report shows the read occurring in ctnetlink_exp_ct_dump_table() at offset 0x4f, where nfct_help(ct) accesses ct->ext.
Root Cause
The root cause is asymmetric reference-counting around the netlink dump lifecycle. Other dump handlers in the same file, such as ctnetlink_get_conntrack, correctly install .start and .done callbacks that acquire and release the conntrack reference for the duration of the dump. ctnetlink_dump_exp_ct() omitted these handlers, so the conntrack object can be freed by slab_free_after_rcu_debug while a dump round is still pending in user space.
Attack Vector
Exploitation requires local access and the ability to send netlink messages to NFNL_SUBSYS_CTNETLINK_EXP. An attacker creates a conntrack entry, issues an expectation dump request, and arranges for the dump to span multiple recvmsg() rounds. Between rounds the conntrack is freed and its slab can be reallocated to attacker-controlled data. The next dump round reads through nfct_help(ct) into the reallocated memory, producing controlled out-of-bounds dereferences that can be shaped into privilege escalation on systems where unprivileged user namespaces are enabled.
The vulnerability is described in prose because no public proof-of-concept exploit is available. Refer to the upstream fixes in Kernel Commit 04c8907 and Kernel Commit f04cc86 for the exact source-level changes.
Detection Methods for CVE-2026-23458
Indicators of Compromise
- Kernel oops or KASAN reports referencing ctnetlink_exp_ct_dump_table or nfct_help in the call trace.
- Unexpected slab-use-after-free messages in dmesg involving nf_conntrack slab caches.
- Processes issuing repeated NFNL_MSG_EXP_GET netlink requests with large dump windows from non-root user namespaces.
Detection Strategies
- Audit auditd and eBPF telemetry for sendmsg/recvmsg system calls targeting NETLINK_NETFILTER from unprivileged processes.
- Enable CONFIG_KASAN in test and pre-production kernels to surface the use-after-free deterministically.
- Alert on kernel crashes that include ctnetlink_exp_ct_dump_table+0x4f in the faulting program counter.
Monitoring Recommendations
- Centralize kernel logs and watch for KASAN, oops, and panic signatures referencing netfilter symbols.
- Track processes that create user namespaces and then open AF_NETLINK sockets with NETLINK_NETFILTER protocol.
- Monitor for repeated short recvmsg() reads on netfilter netlink sockets, consistent with multi-round dump abuse.
How to Mitigate CVE-2026-23458
Immediate Actions Required
- Apply the upstream kernel patches listed in the references and rebuild affected kernels.
- Where patching is not yet possible, restrict access to CAP_NET_ADMIN and disable unprivileged user namespaces via kernel.unprivileged_userns_clone=0.
- Inventory all Linux hosts and container hosts running affected kernel versions and prioritize remediation on multi-tenant systems.
Patch Information
The fix adds .start and .done callbacks to the netlink_dump_control used by ctnetlink_dump_exp_ct(). These callbacks hold a conntrack reference for the lifetime of the dump and release it when the dump completes. The nfct_help() call is also moved after the cb->args[0] early-return check to avoid touching ct->ext unnecessarily. The fix is distributed across stable trees in commits 04c8907, 5cb81ee, 9821b47, bdf2724, cd541f1, d8cd0ef, f025171, and f04cc86.
Workarounds
- Disable unprivileged user namespaces with sysctl -w kernel.unprivileged_userns_clone=0 on distributions that expose this toggle.
- Block or restrict NETLINK_NETFILTER access from untrusted workloads using seccomp profiles or container runtime policies.
- Unload or blacklist nf_conntrack_netlink on hosts that do not require conntrack management from user space.
# Configuration example
# Disable unprivileged user namespaces to limit local attack surface
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-hardening.conf
# Restrict the nf_conntrack_netlink module on hosts that do not need it
echo 'install nf_conntrack_netlink /bin/true' > /etc/modprobe.d/blacklist-ctnetlink.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
