CVE-2026-45901 Overview
CVE-2026-45901 is a Linux kernel vulnerability in the netfilter subsystem, specifically within the nf_tables reset path. The issue stems from incorrect use of commit_mutex, which produces a circular lock dependency between commit_mutex, nfnl_subsys_ipset, and nlk_cb_mutex. The deadlock condition triggers when nft reset, ipset list, and iptables-nft with the -m set rule execute concurrently. The kernel maintainers resolved the issue by reverting commit_mutex usage in the reset path, since previous patches already made individual reset handlers safe to run concurrently.
Critical Impact
Concurrent execution of netfilter administrative commands (nft reset, ipset list, and iptables-nft with -m set rules) can deadlock the kernel's netfilter locking, leaving firewall management hung and causing denial of service on affected Linux systems. Triggering it requires CAP_NET_ADMIN, and the defect is a locking fault, not memory corruption, so there is no code execution or privilege escalation.
Affected Products
- Linux kernels whose nf_tables reset path takes commit_mutex (the advisory names the fixing commits but no version range; consult your distribution's advisory for the exact affected and fixed versions)
- Systems that run ipset alongside nftables
- Systems that use the iptables-nft compatibility layer with -m set rules
Discovery Timeline
- 2026-05-27 - CVE-2026-45901 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45901
Vulnerability Analysis
The vulnerability resides in the Linux kernel netfilter nf_tables subsystem. The reset path acquired commit_mutex to serialize reset operations. That acquisition conflicts with the order in which locks are taken on adjacent paths, specifically nfnl_subsys_ipset (the nfnetlink per-subsystem mutex for ipset) and nlk_cb_mutex (the netlink socket's dump callback mutex).
When nft reset, ipset list, and iptables-nft with -m set rules execute simultaneously, each path can hold one of these mutexes while waiting for another, closing the cycle. The lockdep validator flags the inconsistent acquisition order as a potential deadlock as soon as it observes it, whether or not a hang has actually occurred. On a kernel without lockdep, the first visible symptom is netfilter management tasks stuck in uninterruptible sleep, which can leave the firewall subsystem unresponsive.
The upstream fix reverts the commit_mutex usage in the reset path. Previous patches had already restructured individual reset handlers to operate safely under concurrent invocation, removing the need for the broader mutex.
Root Cause
The root cause is inconsistent lock ordering among three kernel mutexes: commit_mutex in nf_tables, nfnl_subsys_ipset in the ipset subsystem, and nlk_cb_mutex in the netlink callback layer. The three operation paths acquire them in different orders, so under concurrency each can hold one while waiting for the next, the classic improper-locking deadlock [CWE-667]. It is a timing-dependent locking defect rather than data corruption, which is why the outcome is a hang and not code execution.
Attack Vector
Exploitation requires local privileges sufficient to invoke netfilter management commands. An unprivileged user cannot directly trigger the condition because nft, ipset, and iptables-nft operations require CAP_NET_ADMIN. One caveat: where unprivileged user namespaces are enabled, a local user can hold CAP_NET_ADMIN inside a network namespace they create, so on such hosts the realistic bar is "any local user" rather than "administrator". More commonly, the deadlock occurs during normal operation in environments where multiple administrative scripts, container orchestrators, or configuration management tools concurrently manipulate firewall state. The resulting impact is denial of service rather than code execution or privilege escalation.
The vulnerability mechanism is documented in the upstream kernel commits 7f261bb906bf and ee3978b6a0dc.
Detection Methods for CVE-2026-45901
Indicators of Compromise
- Kernel lockdep splats ("possible circular locking dependency detected") naming commit_mutex, nfnl_subsys_ipset, or nlk_cb_mutex in dmesg, /var/log/kern.log, or journalctl -k. These appear only on kernels built with CONFIG_PROVE_LOCKING, which production distribution kernels normally are not.
- Hung-task warnings ("INFO: task nft:<pid> blocked for more than N seconds") for nft, ipset, or iptables-nft processes. This is what a production kernel without lockdep reports, and only after the hung-task timeout (120 seconds by default) has elapsed.
- Netfilter management commands that stall in uninterruptible sleep (D state) and never return
Detection Strategies
- Audit kernel version against the patched commits 7f261bb906bf and ee3978b6a0dc on affected stable branches
- Monitor for processes in D (uninterruptible sleep) state invoking netfilter syscalls
- Enable CONFIG_PROVE_LOCKING in test environments to surface lock dependency issues before production deployment
Monitoring Recommendations
- Collect dmesg output centrally and alert on lockdep splat patterns mentioning the named mutexes
- Track concurrent invocations of nft, ipset, and iptables-nft from orchestration tooling
- Baseline expected netfilter command latency and alert on sustained anomalies
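As an added example (not part of the advisory and not kernel code), the following shell script implements the log checks listed above: it scans a kernel log for the lockdep splat header together with the three named mutexes, and for hung-task reports naming netfilter tools. The embedded log lines are constructed to follow the kernel's lockdep and hung-task message formats, not captured from an affected system; the function names and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: scan a kernel log (dmesg dump, /var/log/kern.log, or
# journalctl -k output) for the two symptoms this deadlock leaves behind.
# Sample log lines below are constructed to mirror the kernel's lockdep and
# hung-task message formats; they are not captured from a real incident.

# The three lock names from the advisory, as lockdep prints them.
NAMED_MUTEXES='commit_mutex|nfnl_subsys_ipset|nlk_cb_mutex'
# Userspace tools whose hung-task reports are relevant here.
NF_TOOLS='nft|ipset|iptables-nft|iptables|ip6tables|xtables-nft-multi'

# Print lockdep splat header lines (CONFIG_PROVE_LOCKING kernels only).
find_lockdep_header() {
    grep -E 'WARNING: possible circular locking dependency detected' "$1"
}

# Count how many distinct named mutexes appear anywhere in the log.
# All three present alongside a splat header is a strong match for this cycle.
count_named_mutexes() {
    grep -oE "$NAMED_MUTEXES" "$1" | sort -u | wc -l | tr -d ' '
}

# Print hung-task reports for netfilter tooling, e.g.
#   INFO: task nft:4121 blocked for more than 122 seconds.
find_hung_nf_tasks() {
    grep -E "INFO: task ($NF_TOOLS):[0-9]+ blocked for more than" "$1"
}

# One-word verdict suitable for an alerting pipeline.
classify_kernel_log() {
    if find_lockdep_header "$1" >/dev/null && [ "$(count_named_mutexes "$1")" -ge 2 ]; then
        echo lockdep_splat
    elif find_hung_nf_tasks "$1" >/dev/null; then
        echo hung_netfilter_task
    else
        echo clean
    fi
}

# Constructed sample: a lockdep splat naming all three mutexes, followed by a
# hung-task report for nft.
make_sample_log() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
[  812.301144] ======================================================
[  812.301150] WARNING: possible circular locking dependency detected
[  812.301157] 6.x #1 Not tainted
[  812.301162] ------------------------------------------------------
[  812.301168] ipset/4122 is trying to acquire lock:
[  812.301175] ffff888100a1c0a8 (nlk_cb_mutex-NETFILTER){+.+.}-{3:3}, at: netlink_dump+0x...
[  812.301190] but task is already holding lock:
[  812.301196] ffffffff82c1e3c0 (nfnl_subsys_ipset){+.+.}-{3:3}, at: nfnetlink_rcv_msg+0x...
[  812.301210] which lock already depends on the new lock.
[  812.301222] -> #1 (&nft_net->commit_mutex){+.+.}-{3:3}:
[  940.112003] INFO: task nft:4121 blocked for more than 122 seconds.
EOF
    echo "$tmp"
}

# Constructed sample: ordinary netfilter activity plus an unrelated hung
# kworker, which must not be reported as a netfilter hang.
make_clean_log() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
[   12.004411] Netfilter messages via NETLINK v0.30.
[   12.007802] ip_set: protocol 7
[  301.500021] INFO: task kworker/u8:3:512 blocked for more than 122 seconds.
EOF
    echo "$tmp"
}

# Stand-alone usage: pass a log path, or run against the constructed samples.
if [ -n "$1" ]; then
    classify_kernel_log "$1"
else
    classify_kernel_log "$(make_sample_log)"
    classify_kernel_log "$(make_clean_log)"
fi
```

Point it at a real log (for example the output of journalctl -k saved to a file) to get a one-word verdict that a central log pipeline can alert on; run with no argument it checks its own constructed samples. The classifier deliberately requires the splat header plus at least two of the named mutexes, so an unrelated lockdep report that happens to mention one of them does not fire.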
How to Mitigate CVE-2026-45901
Immediate Actions Required
- Update to a stable or distribution kernel that carries commits 7f261bb906bf and ee3978b6a0dc, which revert commit_mutex usage in the nf_tables reset path
- Audit automation that concurrently manipulates nftables and ipset state
Patch Information
The fix is available in the upstream Linux kernel via two commits: 7f261bb906bf and ee3978b6a0dc. Distribution maintainers backport these commits into their stable kernel branches, so the fixed version string differs per distribution. Check the running kernel with uname -r, then confirm against the distribution's changelog or security advisory that both commits are present; the version number alone does not tell you.
Workarounds
- Serialize netfilter administrative operations so nft reset, ipset list, and iptables-nft with -m set rules do not execute concurrently
- Wrap firewall management scripts with a global lock such as flock to prevent parallel invocation
- Limit privileged automation accounts that issue netfilter commands until the kernel is patched
# Serialize netfilter administrative commands using flock. Every script or
# job that touches nftables or ipset state must take the same lock file,
# otherwise the serialization does nothing. -w bounds the wait so a stuck
# lock holder does not hang callers indefinitely.
(
    flock -x -w 60 200 || { echo "could not acquire netfilter lock" >&2; exit 1; }
    nft reset counters
    ipset list
    iptables-nft -L
) 200>/var/lock/netfilter-admin.lock
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


