CVE-2026-23274
Published: 20 March 2026
Summary
CVE-2026-23274 is a high-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 6.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Deeper analysis
CVE-2026-23274 is a vulnerability in the Linux kernel's netfilter subsystem, specifically the xt_IDLETIMER module. It arises from improper handling of timer labels between IDLETIMER revision 0 and revision 1 rules. Revision 0 rules reuse existing timers by label and invoke mod_timer() on the timer->timer field. However, if the label was first created by revision 1 using XT_IDLETIMER_ALARM semantics, the timer->timer field remains uninitialized. Attempting to reuse such an object from revision 0 triggers debugobjects warnings and can lead to a kernel panic when panic_on_warn=1 is enabled.
A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L) and lack of user interaction requirement (UI:N). By inserting a revision 0 IDLETIMER rule that reuses a label previously established by a revision 1 ALARM timer, the attacker triggers mod_timer() on an uninitialized timer_list structure. This results in high-impact consequences across confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8, potentially causing system instability or denial of service through kernel panic.
The provided references point to stable kernel commit patches that mitigate the issue by rejecting insertion of revision 0 rules when an existing timer with the same label is of ALARM type. These fixes, available in kernel stable trees (e.g., commits 144f88054ba0, 28c7cfaf0c0a, 329f0b9b48ee, 32e937dc6e97, and 540803559993), prevent the reuse scenario and eliminate the risk of uninitialized timer access. Security practitioners should update to patched kernel versions incorporating these changes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13610
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels. IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
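The label-reuse check described in the analysis above and in the resolved-vulnerability text is easier to reason about as a small userspace model. The following is an added example, not kernel code and not taken from the stable commits the page cites: the `model_*` names, the fixed-size label registry, the `timer_list_ready` flag standing in for "timer->timer was initialised", and the `-EINVAL` return are all assumptions made for illustration. It keeps the unfixed revision 0 path beside the fixed one so the difference is visible: the unfixed path happily "mod_timer()"s an object whose timer_list was never set up, the fixed path refuses when the existing timer with that label has ALARM semantics.

```c
/* Added example: userspace model of the xt_IDLETIMER rev0/rev1 label reuse check.
 * Not kernel code; all names, limits and the -EINVAL choice are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_LABEL  28   /* assumed label size for the model */
#define MODEL_MAX_TIMERS  8   /* assumed registry size for the model */

enum model_kind { MODEL_TIMER = 0, MODEL_ALARM = 1 };

struct model_timer {
    char label[MODEL_MAX_LABEL];
    enum model_kind kind;
    bool timer_list_ready;   /* models "timer->timer has been initialised" */
    int refcnt;
};

static struct model_timer model_timers[MODEL_MAX_TIMERS];
static int model_count;

void model_reset(void)
{
    memset(model_timers, 0, sizeof model_timers);
    model_count = 0;
}

static struct model_timer *model_find(const char *label)
{
    for (int i = 0; i < model_count; i++)
        if (strncmp(model_timers[i].label, label, MODEL_MAX_LABEL) == 0)
            return &model_timers[i];
    return NULL;
}

static struct model_timer *model_create(const char *label, enum model_kind kind)
{
    if (model_count == MODEL_MAX_TIMERS)
        return NULL;
    struct model_timer *t = &model_timers[model_count++];
    snprintf(t->label, sizeof t->label, "%s", label);
    t->kind = kind;
    /* Only the plain timer path sets up the timer_list; the alarm path never does. */
    t->timer_list_ready = (kind == MODEL_TIMER);
    t->refcnt = 1;
    return t;
}

/* Revision 1: the rule states which semantics it wants (TIMER or ALARM).
 * Assumption for the model: reusing a label with a different kind is rejected. */
int model_checkentry_v1(const char *label, enum model_kind kind)
{
    struct model_timer *t = model_find(label);
    if (t) {
        if (t->kind != kind)
            return -EINVAL;
        t->refcnt++;
        return 0;
    }
    return model_create(label, kind) ? 0 : -ENOMEM;
}

/* Revision 0 before the fix: reuse whatever carries the label and mod_timer() it.
 * *touched_uninit reports whether that mod_timer() hit an uninitialised timer_list. */
int model_checkentry_v0_unfixed(const char *label, bool *touched_uninit)
{
    struct model_timer *t = model_find(label);
    if (t)
        t->refcnt++;
    else if (!(t = model_create(label, MODEL_TIMER)))
        return -ENOMEM;
    *touched_uninit = !t->timer_list_ready;   /* true when the label was an ALARM */
    return 0;
}

/* Revision 0 after the fix: refuse to reuse a label whose timer is of ALARM type. */
int model_checkentry_v0_fixed(const char *label, bool *touched_uninit)
{
    *touched_uninit = false;
    struct model_timer *t = model_find(label);
    if (t && t->kind == MODEL_ALARM)
        return -EINVAL;                       /* never reaches mod_timer() */
    if (t)
        t->refcnt++;
    else if (!(t = model_create(label, MODEL_TIMER)))
        return -ENOMEM;
    return 0;
}

int main(void)
{
    bool uninit;
    model_reset();
    model_checkentry_v1("probe", MODEL_ALARM);           /* label born as ALARM */
    int a = model_checkentry_v0_unfixed("probe", &uninit);
    printf("unfixed rev0 reuse: rc=%d, mod_timer on uninitialised=%d\n", a, uninit);
    model_reset();
    model_checkentry_v1("probe", MODEL_ALARM);
    int b = model_checkentry_v0_fixed("probe", &uninit);
    printf("fixed rev0 reuse:   rc=%d, mod_timer on uninitialised=%d\n", b, uninit);
    return 0;
}
```

The model shows why the fix is placed at rule insertion rather than in the timer path: once a revision 0 rule has been accepted, every later call on that object goes through mod_timer(), so the only safe point to stop an ALARM object from being treated as a plain timer is the checkentry that decides whether the label may be reused at all.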
- CWE(s): none specified
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel vulnerability in netfilter that allows a low-privileged attacker to trigger an uninitialized-memory access, leading to a kernel panic or potential privilege escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mandates identifying, prioritizing, assessing, and patching kernel flaws like the xt_IDLETIMER timer reuse issue, eliminating the uninitialized timer_list access.
SI-5 (Security Alerts, Advisories, and Directives): requires receiving, disseminating, and acting on security alerts and advisories for kernel vulnerabilities such as CVE-2026-23274, enabling timely patching.
Vulnerability scanning and monitoring detect outdated kernels susceptible to CVE-2026-23274, triggering remediation to prevent local exploitation.