Cyber Resilience

CVE-2026-23392

High

Published: 25 March 2026

Modified: 24 April 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23392 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-23392 is a use-after-free vulnerability (CWE-416) in the Linux kernel's netfilter nf_tables subsystem. The issue arises during error paths when unregistering hooks for a flowtable, where the flowtable is released without calling synchronize_rcu(). This can expose the flowtable to the packet path or nfnetlink_hook control plane if a referring hook is already registered. The flaw was uncovered by KASAN, reporting a use-after-free in the nfnetlink_hook path during hook dumps. It affects Linux kernels using nf_tables flowtables and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Error paths are rare, typically triggered by reaching the maximum number of hooks, hardware offload failures, or late-stage EEXIST checks for device hooks.

A local attacker with low privileges can exploit this vulnerability by triggering the affected error path in nf_tables flowtable setup. Once exposed, the freed flowtable can be accessed via registered hooks in the packet processing or nfnetlink paths, potentially leading to high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution or system crashes.

Mitigation involves applying upstream kernel patches, as detailed in the referenced stable commits: https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060, https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065, https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd, https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8, and https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce. These patches add synchronize_rcu() calls on error paths and suggest earlier checks in the hook parser to further reduce error occurrences.
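The ordering those patches enforce (unregister the hooks, wait for a grace period, then release) can be seen in the following added example. It is not kernel code and not part of the advisory or the upstream commits; it is a simplified single-threaded model in which a flag stands in for freeing memory, and every name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified single-threaded model, not kernel code; all names are hypothetical. */
struct flowtable { bool released; };
struct hook      { struct flowtable *ft; bool registered; };
struct reader    { struct flowtable *ft; };
static struct reader *inflight;  /* the model tracks one in-flight reader */

/* Reader enters its read-side section and picks up the flowtable via the hook. */
static void reader_enter(struct reader *r, const struct hook *h)
{
    r->ft = h->registered ? h->ft : NULL;
    inflight = r;
}

/* Reader leaves its section; true means it touched a released flowtable. */
static bool reader_exit(struct reader *r)
{
    inflight = NULL;
    return r->ft != NULL && r->ft->released;
}

/* Stand-in for a grace period: returns only once the in-flight reader is done. */
static bool model_grace_period(void)
{
    return inflight != NULL ? reader_exit(inflight) : false;
}

/* Error path: unregister the hook, optionally wait, then release. */
static bool error_path_sees_stale(bool wait_for_readers)
{
    struct flowtable ft = { false };
    struct hook h = { &ft, true };
    struct reader r = { NULL };

    reader_enter(&r, &h);            /* reader already holds the pointer */
    h.registered = false;            /* hooks unregistered on error */
    bool stale = wait_for_readers && model_grace_period();
    ft.released = true;              /* stands in for freeing the flowtable */
    if (inflight == &r)              /* reader resumes after the release */
        stale = reader_exit(&r) || stale;
    return stale;
}

int main(void)
{
    printf("stale: no wait=%d, wait=%d\n", error_path_sees_stale(false), error_path_sees_stale(true));
    return 0;
}
```

Unregistering the hook only stops new readers from finding the flowtable; a reader that fetched the pointer earlier is protected only by the wait.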

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release flowtable after rcu grace period on error

Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane. This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu(). There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised. Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local UAF in kernel nf_tables enables direct exploitation for privilege escalation to root via crafted flowtable error paths.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
4.16, 7.0 · 4.16.1 — 6.1.167 · 6.2 — 6.6.130 · 6.7 — 6.12.78

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates prompt identification, reporting, and correction of system flaws, directly mitigating this use-after-free vulnerability through application of the upstream kernel patches.

prevent

Requires secure handling of errors and exceptions, addressing the deficient error path in nf_tables flowtable release that fails to synchronize RCU before freeing.

prevent

Provides safeguards such as address space randomization and non-executable memory to limit exploitation impact of kernel use-after-free vulnerabilities.
