CVE-2026-23391
Published: 25 March 2026
Summary
CVE-2026-23391 is a high-severity vulnerability, with an unspecified weakness type, in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-3 (Configuration Change Control).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Flaw remediation directly mitigates CVE-2026-23391 by applying kernel patches that flush pending enqueued packets upon netfilter xt_CT template removal, preventing invalid object dereferences.
Vulnerability monitoring and scanning identifies Linux kernel versions affected by CVE-2026-23391, enabling proactive patching before local exploitation.
Configuration change control restricts unsafe netfilter template removals, such as during module unload or timeout policy changes, while packets remain enqueued in nfqueue.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Local kernel memory corruption (use-after-free via nfqueue template removal) directly enables privilege escalation via arbitrary code execution from low-privileged context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_CT: drop pending enqueued packets on template removal

Templates refer to objects that can go away while packets are sitting in nfqueue refer to:

- helper, this can be an issue on module removal.
- timeout policy, nfnetlink_cttimeout might remove it.

The use of templates with zone and event cache filter are safe, since this just copies values.

Flush these enqueued packets in case the template rule gets removed.
Deeper analysis [AI]
CVE-2026-23391 is a vulnerability in the Linux kernel's netfilter xt_CT component, where templates referencing objects such as helpers or timeout policies can be removed while packets remain enqueued in nfqueue. This occurs during scenarios like module removal or nfnetlink_cttimeout policy changes, potentially leading to issues when those objects are dereferenced. Templates using zone and event cache filters are unaffected, as they only copy values. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, likely through mishandling of enqueued packets after template removal, such as crashes or arbitrary code execution stemming from invalid object references.
Mitigation involves applying kernel patches from the provided stable commit references, which implement flushing (dropping) of pending enqueued packets upon template rule removal. Key commits include 19a230dec6bb8928e3f96387f9085cf2c79bcef9, 55445134d42b84cb0a272e42c98d233ca65eca83, 63b8097cea1923fe82cd598068d0796da8c015ec, 777d02efe3d630cca4c1b63962cec17c57711325, and cb549925875fa06dd155e49db4ac2c5044c30f9c, available via git.kernel.org.
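To prioritise patching, a host's ruleset can be checked for the combination the description names: CT templates that reference a helper or timeout policy alongside an NFQUEUE rule. The following is an added example, not code from the kernel project or this page; it assumes `iptables-save` text as input, the sample ruleset is constructed, and nftables rulesets are not covered.

```python
import shlex

# CT target options whose template references another object (helper module,
# timeout policy). --zone and --ctevents only copy values and are not flagged.
REFERENCING_OPTS = {"--helper", "--timeout"}

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE_RULESET = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 5060 -j CT --timeout sip-short
-A PREROUTING -i eth1 -j CT --zone 5 --ctevents new,destroy
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m comment --comment "IDS inspect" -j NFQUEUE --queue-num 0
COMMIT
"""

def audit_ruleset(text):
    """Return (CT rules referencing a helper/timeout policy, NFQUEUE in use?)."""
    referencing, nfqueue_used, table = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. "*raw"
            table = line[1:]
            continue
        if not line.startswith("-A "):      # skip chain policies, COMMIT, comments
            continue
        tokens = shlex.split(line)          # honours quoted --comment strings
        if "-j" not in tokens[:-1]:
            continue
        j = tokens.index("-j")
        target, opts = tokens[j + 1], tokens[j + 2:]
        if target == "NFQUEUE":
            nfqueue_used = True
        elif target == "CT":
            refs = {o: v for o, v in zip(opts, opts[1:]) if o in REFERENCING_OPTS}
            if refs:
                referencing.append({"table": table, "chain": tokens[1], "refs": refs})
    return referencing, nfqueue_used

if __name__ == "__main__":
    rules, queued = audit_ruleset(SAMPLE_RULESET)
    print("NFQUEUE in use:", queued)
    for r in rules:
        print(f"{r['table']}/{r['chain']}: CT template references {r['refs']}")
```

A host showing both conditions matches the scenario in the NVD description and is a candidate for earlier patching; a clean result does not replace applying the fixed kernel.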
Details
- CWE(s)