CVE-2026-46319 Overview
CVE-2026-46319 is a use-after-free (UAF) vulnerability in the Linux kernel's net/sched subsystem, specifically within the act_ct connection tracking action. The flaw resides in tcf_ct_flow_table_get(), where the RCU read lock is released before a reference count is taken on the returned ct_ft flow table object. An attacker who wins the resulting race can access a freed tcf_ct_flow_table structure, leading to memory corruption and potential local privilege escalation. The vulnerability was reported through Trend Micro's Zero Day Initiative (ZDI).
Critical Impact
Successful exploitation of the race condition allows local attackers to corrupt kernel memory through a use-after-free on the ct_ft object, enabling privilege escalation to root.
Affected Products
- Linux kernel versions containing the vulnerable tcf_ct_flow_table_get() implementation in net/sched/act_ct.c
- Distributions shipping the affected stable kernel branches prior to the upstream fix
- Systems with traffic control (tc) connection tracking actions enabled
Discovery Timeline
- 2026-06-09 - CVE-2026-46319 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46319
Vulnerability Analysis
The vulnerability is a classic time-of-check to time-of-use (TOCTOU) race condition in kernel RCU handling. The function tcf_ct_flow_table_get() calls rhashtable_lookup_fast() to retrieve a tcf_ct_flow_table pointer from the zones_ht hash table. Internally, rhashtable_lookup_fast() opens an RCU read-side critical section with rcu_read_lock(), performs the lookup, and closes it with rcu_read_unlock() before returning the pointer.
Once the function returns, the caller still holds a raw pointer to ct_ft, but no RCU protection or reference count guards the object. The caller subsequently invokes refcount_inc_not_zero(&ct_ft->ref) to take ownership. Between the RCU unlock and the refcount increment, a concurrent thread can drop the final reference, trigger tcf_ct_flow_table_put(), and schedule tcf_ct_flow_table_cleanup_work() via queue_rcu_work(). The cleanup worker calls kfree(ct_ft), freeing the object before the original thread dereferences it.
Root Cause
The root cause is the premature termination of the RCU read-side critical section inside rhashtable_lookup_fast(). The returned object lifetime is no longer guaranteed by RCU at the moment the caller attempts to acquire a reference. The originally narrow race window can be widened during research by inserting msleep(100) between the lookup and the refcount operation, confirming exploitability.
Attack Vector
A local attacker with the ability to create and manipulate traffic control filters (typically requiring CAP_NET_ADMIN within a user namespace on systems where unprivileged user namespaces are enabled) can repeatedly trigger creation and teardown of act_ct actions on different CPUs. By racing the lookup path against the cleanup work, the attacker forces the kernel to operate on a freed tcf_ct_flow_table structure. Reclaiming the freed slab slot with attacker-controlled data enables kernel memory corruption suitable for privilege escalation.
The upstream fix moves the refcount_inc_not_zero() call inside the RCU read-side critical section, ensuring ct_ft cannot be freed before the reference is safely acquired. The patch is distributed across multiple stable branches in commits including 17dfb67cb399, 3e20e1b3058e, 4c727c6967a4, 67c9ecc9f257, a2e0c045c87a, ece578ca61e5, f23424a0ddad, and f462dca0c841.
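The two orderings described above, the vulnerable lookup that leaves RCU before refcount_inc_not_zero() and the fixed ordering that takes the reference inside the read-side critical section, as an added single-threaded C model. This is not kernel code and not the upstream patch: rcu_read_lock(), rcu_read_unlock(), tcf_ct_flow_table_put() and refcount_inc_not_zero() are toy stand-ins that keep a reader count and defer frees until it reaches zero, the concurrent teardown is injected at exactly the point where the real race window opens, and any access to a freed object is recorded the way a KASAN build would report it.

```c
/* Added example: single-threaded model of the CVE-2026-46319 race in
 * tcf_ct_flow_table_get(). Not kernel code; the helpers below are toy
 * stand-ins with the same names as the kernel primitives they model. */
#include <stdbool.h>
#include <stdio.h>

struct tcf_ct_flow_table {
    int ref;        /* models refcount_t ref */
    bool freed;     /* true once the model has "kfree()"d the object */
};

/* Toy RCU: a deferred free may run only when no read-side section is open.
 * That is the guarantee the real kernel gives and the bug throws away. */
struct rcu_model {
    int readers;                        /* open rcu_read_lock() sections */
    struct tcf_ct_flow_table *pending;  /* object queued for a deferred free */
    bool uaf;                           /* a freed object was dereferenced */
};

static void rcu_read_lock(struct rcu_model *m) { m->readers++; }

/* Models the grace period: the queued cleanup work may kfree() now. */
static void rcu_grace_period(struct rcu_model *m)
{
    if (m->pending && m->readers == 0) {
        m->pending->freed = true;       /* tcf_ct_flow_table_cleanup_work() -> kfree() */
        m->pending = NULL;
    }
}

static void rcu_read_unlock(struct rcu_model *m)
{
    m->readers--;
    rcu_grace_period(m);
}

/* Models tcf_ct_flow_table_put(): the last put queues the free (queue_rcu_work). */
static void tcf_ct_flow_table_put(struct rcu_model *m, struct tcf_ct_flow_table *ft)
{
    if (--ft->ref == 0) {
        m->pending = ft;
        rcu_grace_period(m);
    }
}

/* Models refcount_inc_not_zero(): any access to a freed object is recorded
 * as a use-after-free, which is what a KASAN build would report. */
static bool refcount_inc_not_zero(struct rcu_model *m, struct tcf_ct_flow_table *ft)
{
    if (ft->freed) {
        m->uaf = true;
        return false;
    }
    if (ft->ref == 0)
        return false;                   /* dying object: caller must not use it */
    ft->ref++;
    return true;
}

enum lookup_result { LOOKUP_GOT_REF, LOOKUP_DYING, LOOKUP_UAF };

/* Runs the lookup in either ordering. When concurrent_put is set, a second
 * context drops the last reference at the point where the race window opens. */
enum lookup_result simulate_flow_table_get(bool fixed, bool concurrent_put)
{
    struct rcu_model m = { 0 };
    struct tcf_ct_flow_table obj = { .ref = 1, .freed = false };
    struct tcf_ct_flow_table *ct_ft;
    bool got_ref;

    rcu_read_lock(&m);
    ct_ft = &obj;                       /* rhashtable_lookup_fast() found it */
    if (!fixed)
        rcu_read_unlock(&m);            /* vulnerable: RCU left before taking a ref */

    if (concurrent_put)
        tcf_ct_flow_table_put(&m, &obj);

    got_ref = refcount_inc_not_zero(&m, ct_ft);
    if (fixed)
        rcu_read_unlock(&m);            /* fixed: ref taken inside the RCU section */

    if (m.uaf)
        return LOOKUP_UAF;
    return got_ref ? LOOKUP_GOT_REF : LOOKUP_DYING;
}

int main(void)
{
    static const char *const names[] = { "got ref", "dying, allocate new", "USE-AFTER-FREE" };
    printf("vulnerable, contended: %s\n", names[simulate_flow_table_get(false, true)]);
    printf("fixed, contended:      %s\n", names[simulate_flow_table_get(true, true)]);
    printf("fixed, uncontended:    %s\n", names[simulate_flow_table_get(true, false)]);
    return 0;
}
```

In the vulnerable ordering the deferred free runs as soon as the lookup leaves RCU, so the later refcount_inc_not_zero() touches freed memory. In the fixed ordering the free is held back until the reader leaves, refcount_inc_not_zero() observes a zero count and reports the table as dying, and the real caller then falls through to allocating a fresh table instead of using the stale pointer.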
Detection Methods for CVE-2026-46319
Indicators of Compromise
- Kernel oops or panic messages referencing tcf_ct_flow_table_get, tcf_ct_flow_table_cleanup_work, or nf_flow_table_free in dmesg or /var/log/kern.log
- KASAN reports identifying use-after-free reads on slab allocations owned by act_ct
- Unexpected processes acquiring root privileges following workloads that heavily manipulate tc filters
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test and staging kernels to surface UAF accesses against tcf_ct_flow_table allocations
- Audit use of tc action add action ct (and tc filters carrying an action ct) together with the related NETLINK_ROUTE traffic, using auditd rules that cover setsockopt and netlink socket activity
- Monitor for unprivileged processes invoking unshare(CLONE_NEWUSER | CLONE_NEWNET) followed by rapid tc filter churn
Monitoring Recommendations
- Forward kernel logs to a centralized SIEM and alert on repeated act_ct or rhashtable related crashes
- Track creation rates of network namespaces and traffic control rules per user to flag exploitation attempts
- Correlate kernel crash telemetry with subsequent privilege transitions on the same host within short time windows
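An added C example (not from the advisory or any existing tool) implementing the log-side checks listed above as a small stateful scanner: it counts crash reports in kernel log lines and flags only those whose KASAN header or stack frames name act_ct code, so a benign mention of act_ct outside a report does not alert. The sample lines are constructed to resemble KASAN and oops output; timestamps, addresses and PIDs are placeholders, and the "BUG:" / "Oops:" / "Kernel panic" headers and the "---[ end trace" footer are the markers assumed to delimit one report.

```c
/* Added example: stateful scanner for the kernel-log indicators above.
 * Not part of the advisory or of any tool; the sample log is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Symbol fragments that place a frame inside act_ct connection tracking code. */
static const char *const act_ct_symbols[] = {
    "tcf_ct_",             /* all act_ct functions, e.g. tcf_ct_flow_table_get */
    "nf_flow_table_free",
    "act_ct",
};

struct scan_summary {
    int reports;           /* BUG/Oops/panic reports seen */
    int kasan_uaf;         /* reports headed by a KASAN use-after-free in act_ct code */
    int act_ct_frames;     /* frames inside reports that name act_ct code */
};

static bool mentions_act_ct(const char *line)
{
    for (size_t i = 0; i < sizeof act_ct_symbols / sizeof act_ct_symbols[0]; i++)
        if (strstr(line, act_ct_symbols[i]))
            return true;
    return false;
}

/* A report starts at a BUG:/Oops:/panic header and ends at the trace footer. */
static bool is_report_header(const char *line)
{
    return strstr(line, "BUG:") || strstr(line, "Oops:") || strstr(line, "Kernel panic");
}

struct scan_summary scan_kernel_log(const char *const *lines, size_t n)
{
    struct scan_summary s = { 0 };
    bool in_report = false;

    for (size_t i = 0; i < n; i++) {
        const char *line = lines[i];
        if (is_report_header(line)) {
            in_report = true;
            s.reports++;
            /* KASAN prints "BUG: KASAN: use-after-free in <symbol>+off/len"
             * (newer kernels: "slab-use-after-free"). */
            if (strstr(line, "KASAN") && strstr(line, "use-after-free") && mentions_act_ct(line))
                s.kasan_uaf++;
            continue;
        }
        if (!in_report)
            continue;              /* act_ct mentioned outside a report: not an indicator */
        if (strstr(line, "end trace")) {
            in_report = false;
            continue;
        }
        if (mentions_act_ct(line))
            s.act_ct_frames++;
    }
    return s;
}

/* Alert when a report names act_ct code in its header or its stack frames. */
bool act_ct_crash_seen(struct scan_summary s)
{
    return s.kasan_uaf > 0 || s.act_ct_frames > 0;
}

/* Constructed sample: one KASAN report hitting act_ct, one unrelated oops,
 * and a benign act_ct message outside any report. Addresses are placeholders. */
static const char *const sample_log[] = {
    "[  123.456789] BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_get+0x1a/0x2f0",
    "[  123.456790] Read of size 4 at addr ffff888000000000 by task tc/1234",
    "[  123.456791] Call Trace:",
    "[  123.456792]  tcf_ct_init+0x4f/0x6a0",
    "[  123.456793]  tcf_action_init_1+0x2a3/0x4d0",
    "[  123.456794] Freed by task 1235:",
    "[  123.456795]  tcf_ct_flow_table_cleanup_work+0x9b/0x100",
    "[  123.456796] ---[ end trace 0000000000000000 ]---",
    "[  200.000000] act_ct: module loaded",
    "[  400.000000] BUG: unable to handle page fault for address: ffffffff00000000",
    "[  400.000001]  unrelated_driver_fn+0x10/0x20",
    "[  400.000002] ---[ end trace 0000000000000001 ]---",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    struct scan_summary s = scan_kernel_log(sample_log, SAMPLE_LOG_LEN);
    printf("reports=%d kasan_uaf=%d act_ct_frames=%d alert=%s\n",
           s.reports, s.kasan_uaf, s.act_ct_frames, act_ct_crash_seen(s) ? "yes" : "no");
    return 0;
}
```

The same scanner can be fed lines read from dmesg or a forwarded kern.log stream; the report-boundary state is what keeps a module-load message or an unrelated oops from counting as an act_ct indicator, which matters when the alert is wired to a SIEM rule that fires on repeated hits.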
How to Mitigate CVE-2026-46319
Immediate Actions Required
- Apply the upstream stable kernel updates containing the referenced commits to all affected systems
- Inventory hosts running custom or long-lived kernel builds and prioritize patching of internet-exposed and multi-tenant systems
- Restrict the ability of unprivileged users to create user namespaces where operationally feasible
Patch Information
The Linux kernel maintainers resolved CVE-2026-46319 by relocating the refcount_inc_not_zero() call inside the RCU read-side critical section opened by the flow table lookup, eliminating the race window. Fixes are available across multiple stable trees. Reference the upstream commits in the kernel Git commit log: 17dfb67cb399, 3e20e1b3058e, 4c727c6967a4, 67c9ecc9f257, a2e0c045c87a, ece578ca61e5, f23424a0ddad, and f462dca0c841. Rebuild and redeploy distribution kernels that incorporate these patches.
Workarounds
- Disable unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 to limit attacker access to CAP_NET_ADMIN in nested namespaces
- Remove or restrict installation of the act_ct kernel module on systems that do not require connection tracking traffic actions
- Apply seccomp or AppArmor profiles to untrusted workloads that block tc-related netlink operations
# Configuration example (run as root)
# Restrict unprivileged user namespace creation. Note: kernel.unprivileged_userns_clone
# exists on Debian/Ubuntu-patched kernels; upstream kernels expose user.max_user_namespaces instead.
sysctl -w kernel.unprivileged_userns_clone=0
# Persist the setting across reboots in a dedicated drop-in file
echo 'kernel.unprivileged_userns_clone=0' > /etc/sysctl.d/99-cve-2026-46319.conf
# Prevent loading of the act_ct module on systems that do not require it
echo 'install act_ct /bin/true' > /etc/modprobe.d/disable-act_ct.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.