CVE-2026-23351
Published: 25 March 2026
Summary
CVE-2026-23351 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely remediation through applying the specified Linux kernel patches directly eliminates the use-after-free vulnerability in nft_set_pipapo garbage collection.
Denial-of-service protections limit resource consumption to prevent prolonged non-preemptible GC from triggering soft lockups and RCU stalls.
System monitoring detects indicators of exploitation such as soft lockup warnings and RCU stall reports from excessive expired elements.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Kernel UAF in netfilter enables local DoS via prolonged GC/RCU stalls (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for…
more
a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
Deeper analysisAI
CVE-2026-23351 is a use-after-free vulnerability in the Linux kernel's netfilter subsystem, specifically the nft_set_pipapo set type. It affects systems using this component for network filtering sets. The issue arises when a large number of expired elements cause the commit-time garbage collection (GC) to execute for an extended period in a non-preemptible context, triggering soft lockup warnings and RCU stall reports, which manifest as a local denial of service.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability by generating a high volume of expired elements in the pipapo set. This forces prolonged GC during commit operations, leading to system stalls. The CVSS v3.1 base score of 7.8 (C:H/I:H/A:H) reflects high potential impacts on confidentiality, integrity, and availability, classified under CWE-416.
Mitigation is provided through kernel patches that split the GC process into distinct unlink and reclaim phases, ensuring expired elements are not queued for freeing until pointers are safely swapped, preventing exposure to packet paths and userspace dumpers. Relevant stable kernel commits include 16f3595c0441d87dfa005c47d8f95be213afaa9e, 500a50a301ce962b019ab95053ac70264fec2c21, 65ca51b9fb85477ab92a04295aed34b38f7c062e, 7864c667aed01a58b87ca518a631322cd0ac34c0, and 9df95785d3d8302f7c066050117b04cd3c2048c2, available at git.kernel.org.
Details
- CWE(s)