CVE-2026-23274

Severity: High (updated)

Published: 20 March 2026
Modified: 22 May 2026
KEV Added: (not listed)
Remediation: Patch
CVSS Score: v3.1 7.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0002 (6.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23274 is a high-severity vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel) whose weakness type (CWE) is unspecified. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit likelihood (EPSS) ranks at the 6.3rd percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Deeper analysis

CVE-2026-23274 is a vulnerability in the Linux kernel's netfilter subsystem, specifically the xt_IDLETIMER module. It arises from improper handling of timer labels between IDLETIMER revision 0 and revision 1 rules. Revision 0 rules reuse existing timers by label and invoke mod_timer() on the timer->timer field. However, if the label was first created by revision 1 using XT_IDLETIMER_ALARM semantics, the timer->timer field remains uninitialized. Attempting to reuse such an object from revision 0 triggers debugobjects warnings and can lead to a kernel panic when panic_on_warn=1 is enabled.

A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L) and lack of user interaction requirement (UI:N). By inserting a revision 0 IDLETIMER rule that reuses a label previously established by a revision 1 ALARM timer, the attacker triggers mod_timer() on an uninitialized timer_list structure. This results in high-impact consequences across confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8, potentially causing system instability or denial of service through kernel panic.

The provided references point to stable kernel commit patches that mitigate the issue by rejecting insertion of revision 0 rules when an existing timer with the same label is of ALARM type. These fixes, available in kernel stable trees (e.g., commits 144f88054ba0, 28c7cfaf0c0a, 329f0b9b48ee, 32e937dc6e97, and 540803559993), prevent the reuse scenario and eliminate the risk of uninitialized timer access. Security practitioners should update to patched kernel versions incorporating these changes.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels. IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel vulnerability in netfilter allowing low-privileged attacker to trigger uninitialized memory access leading to panic or potential privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 (same product: Linux Linux Kernel)
CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2026-23387 (same product: Linux Linux Kernel)
CVE-2025-21856 (same product: Linux Linux Kernel)
CVE-2025-21727 (same product: Linux Linux Kernel)
CVE-2026-23275 (same product: Linux Linux Kernel)
CVE-2026-31401 (same product: Linux Linux Kernel)
CVE-2024-57980 (same product: Linux Linux Kernel)
CVE-2026-23437 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0 · 5.7 through 5.10.253 · 5.11 through 5.15.203 · 5.16 through 6.1.167
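A practical triage check for the affected-version list above, added here as an example rather than code from the page's vendor or from the kernel project: it parses a `uname -r` style release string, tests it against the inclusive ranges the page lists (the lone "7.0" entry is taken literally as that single version), and reports whether the `xt_IDLETIMER` module is currently loaded from `/proc/modules` text. The range table, the sample `/proc/modules` content, and the function names are this example's own assumptions.

```python
import re
import os
import platform

# Affected kernel version ranges exactly as listed on this page (inclusive bounds).
# Any branch the page does not list (for example later stable series) is not
# covered by this table, so "not in range" means "not in the page's list", nothing more.
AFFECTED_RANGES = [
    ((5, 7, 0), (5, 10, 253)),
    ((5, 11, 0), (5, 15, 203)),
    ((5, 16, 0), (6, 1, 167)),
    ((7, 0, 0), (7, 0, 0)),   # the page lists "7.0" as a single version
]

# Constructed sample of /proc/modules content for offline use (not from a real host).
SAMPLE_PROC_MODULES = (
    "xt_IDLETIMER 20480 1 - Live 0x0000000000000000\n"
    "x_tables 65536 2 xt_IDLETIMER,ip_tables, Live 0x0000000000000000\n"
    "ext4 1048576 1 - Live 0x0000000000000000\n"
)


def parse_kernel_version(release):
    """Turn '5.15.150-91-generic' or '6.1.167' into an (major, minor, patch) tuple.

    Suffixes such as '-rc3' or distro tags are ignored; a missing patch level is 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_in_listed_range(release):
    """True if the release falls inside one of the page's affected ranges."""
    v = parse_kernel_version(release)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def idletimer_loaded(proc_modules_text):
    """True if a line of /proc/modules names the xt_IDLETIMER module itself."""
    return any(line.split(" ", 1)[0] == "xt_IDLETIMER"
               for line in proc_modules_text.splitlines() if line.strip())


def assess(release, proc_modules_text):
    """Combine both signals into a small report dict for a ticket or inventory row."""
    return {
        "kernel": release,
        "in_listed_range": is_in_listed_range(release),
        "xt_IDLETIMER_loaded": idletimer_loaded(proc_modules_text),
    }


if __name__ == "__main__":
    modules = ""
    if os.path.exists("/proc/modules"):
        with open("/proc/modules") as f:
            modules = f.read()
    print(assess(platform.release(), modules))
```

Two caveats apply when reading the result. A distribution kernel that backports the fix keeps an in-range version string, so "in_listed_range" is a prompt to check the vendor's changelog, not proof of exposure. Conversely, an unloaded `xt_IDLETIMER` only lowers the priority: netfilter match and target modules are autoloaded when a matching rule is inserted, so the host is not cleared until the kernel is patched.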

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent)

Directly mandates identifying, prioritizing, assessing, and patching kernel flaws like the xt_IDLETIMER timer reuse issue to eliminate the uninitialized timer_list access.

SI-5 Security Alerts, Advisories, and Directives (prevent)

Requires receiving, disseminating, and acting on security alerts and advisories for kernel vulnerabilities such as CVE-2026-23274 to enable timely patching.

Vulnerability scanning and monitoring (prevent, detect)

Vulnerability scanning and monitoring detect outdated kernels susceptible to CVE-2026-23274, triggering remediation to prevent local exploitation.
