
CVE-2026-23391

Severity: High
Published: 25 March 2026
Modified: 24 April 2026
KEV added: no
Patch: available
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0002 (6.3rd percentile)
Risk priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23391 is a high-severity vulnerability in the Linux kernel; no CWE has been assigned, so the weakness type is recorded as unspecified. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 6.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-3 (Configuration Change Control).

Deeper analysis

CVE-2026-23391 is a vulnerability in the Linux kernel's netfilter xt_CT component. Conntrack templates reference objects such as helpers or timeout policies, and those objects can be removed while packets that refer to the template are still enqueued in nfqueue. This happens, for example, on module removal (helpers) or when nfnetlink_cttimeout removes a timeout policy; the enqueued packets then hold a dangling reference that is dereferenced when they are later processed. Templates that use only zone and event cache filters are unaffected, because those settings are copied by value. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, likely through mishandling of enqueued packets after template removal, such as crashes or arbitrary code execution stemming from invalid object references.

Mitigation is to apply the kernel patches from the referenced stable commits, which flush (drop) pending enqueued packets when the template rule is removed, so no packet can outlive the objects its template refers to. Key commits are 19a230dec6bb8928e3f96387f9085cf2c79bcef9, 55445134d42b84cb0a272e42c98d233ca65eca83, 63b8097cea1923fe82cd598068d0796da8c015ec, 777d02efe3d630cca4c1b63962cec17c57711325, and cb549925875fa06dd155e49db4ac2c5044c30f9c, available via git.kernel.org.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_CT: drop pending enqueued packets on template removal

Templates refer to objects that can go away while packets are sitting in nfqueue refer to:
- helper, this can be an issue on module removal.
- timeout policy, nfnetlink_cttimeout might remove it.

The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed.

CWE(s): none listed

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local kernel memory corruption (use-after-free via nfqueue template removal) directly enables privilege escalation via arbitrary code execution from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 (same product: Linux kernel)
CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-23387 (same product: Linux kernel)
CVE-2025-21856 (same product: Linux kernel)
CVE-2025-21727 (same product: Linux kernel)
CVE-2026-23275 (same product: Linux kernel)
CVE-2026-31401 (same product: Linux kernel)
CVE-2024-57980 (same product: Linux kernel)
CVE-2026-23437 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions:
- 3.4, 7.0
- 3.4.1 to 5.10.253
- 5.11 to 5.15.203
- 5.16 to 6.1.167

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): flaw remediation directly mitigates CVE-2026-23391 by applying the kernel patches that flush pending enqueued packets upon netfilter xt_CT template removal, preventing invalid object dereferences.

Detect: vulnerability monitoring and scanning identifies Linux kernel versions affected by CVE-2026-23391, enabling proactive patching before local exploitation.

Prevent (CM-3 Configuration Change Control): configuration change control restricts unsafe netfilter template removals, such as module unloads or timeout policy changes, while packets remain enqueued in nfqueue.
