CVE-2026-53349 Overview
CVE-2026-53349 is a Linux kernel vulnerability in the netfilter subsystem, specifically within nf_conntrack NAT helper handling. NAT helpers such as nf_nat_h323 store a raw pointer to module text in exp->expectfn. The function nf_ct_helper_expectfn_unregister() only unlinks the callback descriptor without walking the expectation table. As a result, any expectation still pending at module removal survives with a dangling exp->expectfn pointer into freed module text. When the expected connection later arrives, init_conntrack() invokes the stale pointer, producing a kernel oops or potentially arbitrary kernel execution.
Critical Impact
A local actor with CAP_SYS_MODULE in the initial user namespace can unload a NAT helper module with active expectations, leaving dangling function pointers that trigger on the next matching connection.
Affected Products
- Linux kernel with nf_conntrack and NAT helper modules such as nf_nat_h323
- Systems using H.323, SIP, or other conntrack helpers with expectfn callbacks
- Kernel builds where the netfilter conntrack helper framework is enabled
Discovery Timeline
- 2026-07-01 - CVE-2026-53349 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53349
Vulnerability Analysis
The defect is a use-after-free of module text triggered through the netfilter expectation subsystem [CWE-416]. NAT helpers register callback descriptors that expose an expectfn function pointer. When a helper such as nf_nat_h323 creates a Q.931 expectation, that expectation records the address of ip_nat_q931_expect in exp->expectfn. The unregister path removes the descriptor but leaves the expectation object referencing code that will soon be freed.
When the expected flow arrives, init_conntrack() in net/netfilter/nf_conntrack_core.c calls exp->expectfn(). If the owning module has been unloaded, control transfers to freed memory. On a KASAN build the reproducer produces an int3 oops inside init_conntrack.isra.0 at net/netfilter/nf_conntrack_core.c:1862, then unwinds through nf_conntrack_in, ipv4_conntrack_local, nf_hook_slow, and the TCP output path.
Root Cause
nf_ct_helper_expectfn_unregister() unlinks the descriptor without traversing the expectation table to drop entries whose ->expectfn points into the departing module. The expectation lifecycle therefore outlives the code it references.
Attack Vector
Reaching the dangling state requires CAP_SYS_MODULE in the initial user namespace, so this is a robustness fix rather than a remote flaw. The reproducer loads the H.323 helpers, creates a Q.931 expectation, unloads nf_nat_h323, then connects to the expected port to trigger the stale call.
No verified public exploit code is available. See the upstream commits in the Linux kernel stable tree for the applied fix.
Detection Methods for CVE-2026-53349
Indicators of Compromise
- Kernel oops entries referencing init_conntrack with a faulting RIP in a region previously belonging to an unloaded netfilter module
- dmesg output showing Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323] immediately before a crash
- Unexpected int3 or general protection faults inside the netfilter conntrack hook chain
Detection Strategies
- Audit kernel module load and unload events, particularly nf_nat_h323, nf_nat_sip, and other NAT helpers, correlated with subsequent kernel faults
- Enable KASAN on test systems to surface use-after-free access to freed module text
- Alert on any process invoking delete_module(2) or finit_module(2) against netfilter helper modules on production hosts
Monitoring Recommendations
- Forward /var/log/kern.log and journalctl -k output to a central log store and search for oops signatures involving nf_conntrack_in or init_conntrack
- Track processes holding CAP_SYS_MODULE and log any module removal activity via auditd rules on the init_module and delete_module syscalls
- Baseline expected NAT helper module state and alert when helpers unload on systems where they are normally persistent
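Detection logic for the oops signature listed under Indicators of Compromise and the kernel-log search recommended above, as an added example that is not part of the original advisory: it walks dmesg-style lines, groups them per oops, and flags only an oops that both faults in the conntrack hook chain and names a NAT/conntrack helper as the last unloaded module. The sample log lines are constructed approximations of x86 oops output, and the regexes assume that common layout.

```python
import re

# Constructed dmesg-style lines approximating the oops the advisory describes
# (int3 in init_conntrack, helper listed as last unloaded); not a real crash log.
OOPS_SAMPLE = """\
[  812.101234] Oops: int3: 0000 [#1] PREEMPT SMP KASAN
[  812.101240] Modules linked in: nf_conntrack_h323 nf_nat nf_conntrack [last unloaded: nf_nat_h323]
[  812.101245] RIP: 0010:init_conntrack.isra.0+0x6ee/0xc40
[  812.101250] Call Trace:
[  812.101252]  nf_conntrack_in+0x2a1/0x5e0
[  812.101255]  ipv4_conntrack_local+0x3c/0x60
[  812.101258]  nf_hook_slow+0x45/0x120
[  812.101265] ---[ end trace 0000000000000000 ]---
""".splitlines()

# A crash elsewhere after the same unload must not be attributed to this CVE.
BENIGN_SAMPLE = """\
[  900.000001] Oops: 0000 [#1] PREEMPT SMP
[  900.000002] Modules linked in: xfs nf_conntrack [last unloaded: nf_nat_h323]
[  900.000003] RIP: 0010:xfs_buf_ioend+0x1a/0x2f0
[  900.000004] ---[ end trace 0000000000000000 ]---
""".splitlines()

_OOPS_START = re.compile(r"\b(Oops:|general protection fault|kernel BUG at)")
_OOPS_END = re.compile(r"---\[ end trace")
_RIP_RE = re.compile(r"RIP: [0-9a-f]+:(?P<sym>[A-Za-z_][\w.]*)")
_CHAIN_RE = re.compile(r"\b(init_conntrack(?:\.isra\.\d+)?|nf_conntrack_in)\b")
_UNLOADED_RE = re.compile(r"\[last unloaded: (?P<mod>nf_(?:nat|conntrack)_\w+)\]")


def scan_kernel_log(lines):
    """One finding per oops that faults in the conntrack hook chain AND names a
    NAT/conntrack helper as last unloaded; either signal alone is too weak."""
    findings, cur = [], None
    for line in lines:
        if _OOPS_START.search(line):          # new oops: reset per-oops state
            cur = {"rip": None, "chain": False, "unloaded": None}
        if cur is None:
            continue
        if m := _RIP_RE.search(line):         # faulting symbol, if symbolised
            cur["rip"] = m.group("sym")
        if _CHAIN_RE.search(line):            # RIP or call trace in conntrack path
            cur["chain"] = True
        if m := _UNLOADED_RE.search(line):    # helper module torn down before crash
            cur["unloaded"] = m.group("mod")
        if _OOPS_END.search(line):
            if cur["chain"] and cur["unloaded"]:
                findings.append({"rip": cur["rip"], "unloaded": cur["unloaded"]})
            cur = None
    return findings
```

Feed it `journalctl -k` or /var/log/kern.log; a finding is a prompt to correlate with auditd delete_module events for the named helper, not proof of exploitation on its own.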
How to Mitigate CVE-2026-53349
Immediate Actions Required
- Apply the upstream kernel patches that introduce nf_ct_helper_expectfn_destroy() to walk the expectation table and drop entries whose ->expectfn matches the descriptor being torn down
- Restrict CAP_SYS_MODULE to trusted administrative accounts and reject the capability in unprivileged containers
- Rebuild and redeploy kernels for long-lived hosts that keep netfilter NAT helpers loaded
Patch Information
The fix adds nf_ct_helper_expectfn_destroy(), which is called from each NAT helper's exit path after the existing RCU grace period. This ensures no expectation outlives the code it points at, and no additional synchronize_rcu() is required. Refer to the upstream commits: 29d8cc44bbdf, 9d017671dcfc, bf8c0b5dd203, c3009418f9fa, f92c90a2a3e6, and fbfde85308b9.
Workarounds
- Avoid unloading netfilter NAT helper modules (nf_nat_h323, nf_nat_sip, etc.) on running systems until the patch is applied
- Blacklist unused NAT helper modules via /etc/modprobe.d/ so they never load and cannot create expectations
- Lock module operations at boot with kernel.modules_disabled=1 on systems that do not require dynamic module changes
# Prevent unused NAT helpers from loading (one drop-in file per module; does not unload a helper that is already loaded)
echo 'install nf_nat_h323 /bin/true' | sudo tee /etc/modprobe.d/disable-nf-nat-h323.conf
echo 'install nf_nat_sip /bin/true' | sudo tee /etc/modprobe.d/disable-nf-nat-sip.conf
# Lock module state after boot on stable production hosts (cannot be reverted without a reboot)
sudo sysctl -w kernel.modules_disabled=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

