CVE-2026-46324 Overview
CVE-2026-46324 affects the Linux kernel netfilter subsystem, specifically the nf_tables component. The vulnerability stems from improper list manipulation in nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks functions. These functions used non-RCU list deletion primitives on lists that can be traversed concurrently by netlink dumpers. The patch resolves the issue by switching to list_del_rcu() and introducing a shared helper to ensure consistent usage across the netfilter netlink hook teardown paths.
Critical Impact
Concurrent access to netlink hook lists during unregistration can cause unsafe memory access in kernel space, potentially leading to denial of service or memory corruption on affected Linux systems.
Affected Products
- Linux kernel (netfilter nf_tables subsystem)
- Distributions shipping the affected upstream kernel versions
- Systems using nftables with netdev hooks or flowtables
Discovery Timeline
- 2026-06-09 - CVE CVE-2026-46324 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46324
Vulnerability Analysis
The vulnerability resides in the Linux kernel netfilter nf_tables netlink hook management code. Two functions, nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks, remove entries from hook lists during teardown. These lists are walked by concurrent netlink dumpers that rely on Read-Copy-Update (RCU) semantics for safe traversal. Using non-RCU list deletion routines while readers traverse the list concurrently creates a race condition between writers and readers. A dumper may observe a partially unlinked entry or follow a stale pointer, resulting in undefined behavior in kernel space.
Root Cause
The root cause is the inconsistent use of list manipulation primitives. Removal paths used standard list_del() style operations while concurrent readers traversed the same lists under RCU protection. The fix introduces a new helper that consistently uses list_del_rcu() so concurrent dumpers see a coherent list state during unregistration. This aligns the writer side with the reader side that already operates under RCU.
Attack Vector
The enriched data does not specify a confirmed exploitation path or privilege requirement. The race condition is triggered by concurrent operations: hook unregistration and netlink dumping of nftables state. Triggering the race typically requires the ability to issue netlink operations against nf_tables, which on default configurations requires CAP_NET_ADMIN in the relevant network namespace. Refer to the upstream kernel commits for technical details on the race window and affected code paths.
See the upstream fix commits for the precise code changes: Kernel commit 0bd93ce, Kernel commit 0f33e8a, and Kernel commit f3224ee.
Detection Methods for CVE-2026-46324
Indicators of Compromise
- Kernel oops, NULL pointer dereference, or general protection fault traces referencing nft_netdev_unregister_hooks or __nft_unregister_flowtable_net_hooks.
- Unexpected kernel panics or soft lockups during heavy nftables configuration churn combined with concurrent nft list or netlink dump activity.
- KASAN reports identifying use-after-free or list corruption within the nf_tables netlink hook code paths.
Detection Strategies
- Audit running kernel versions against the patched upstream commits and distribution security advisories to identify unpatched hosts.
- Enable kernel address sanitizer (KASAN) and lockdep in non-production environments to surface list corruption and RCU misuse.
- Collect and centralize dmesg and /var/log/kern.log output to detect oops signatures involving the netfilter netlink hook functions.
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on stack traces involving nf_tables unregister paths.
- Track processes invoking nftables administrative commands and correlate with kernel fault events.
- Monitor for unexpected reboots or kernel crashes on hosts that expose nf_tables management to multiple administrative tools or container runtimes.
How to Mitigate CVE-2026-46324
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable tree commits and update to a kernel release that includes the list_del_rcu() fix.
- Track and install vendor kernel updates from your Linux distribution as they become available.
- Restrict CAP_NET_ADMIN and netlink access to nf_tables to trusted administrative users and workloads.
Patch Information
The fix is published in the upstream Linux kernel stable tree. The relevant commits are 0bd93ce4f3c3, 0f33e8ad6ac5, and f3224ee463f8. These commits replace non-RCU list deletion with list_del_rcu() in the affected netlink hook teardown paths and add a shared helper for consistent usage. Apply the corresponding distribution kernel update once available.
Workarounds
- Limit creation, modification, and teardown of nf_tables netdev hooks and flowtables to controlled change windows to reduce race exposure.
- Restrict containers and unprivileged workloads from obtaining CAP_NET_ADMIN in host or shared network namespaces.
- Reduce concurrent netlink dump operations against nf_tables while administrative changes are in progress.
# Identify running kernel version and verify patched build
uname -r
# Example: update kernel on Debian/Ubuntu and reboot
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r | sed 's/.*-//')
sudo reboot
# Example: update kernel on RHEL/Fedora and reboot
sudo dnf update kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
