CVE-2026-23392
Published: 25 March 2026
Summary
CVE-2026-23392 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-23392 is a use-after-free vulnerability (CWE-416) in the Linux kernel's netfilter nf_tables subsystem. The issue arises during error paths when unregistering hooks for a flowtable, where the flowtable is released without calling synchronize_rcu(). This can expose the flowtable to the packet path or nfnetlink_hook control plane if a referring hook is already registered. The flaw was uncovered by KASAN, reporting a use-after-free in the nfnetlink_hook path during hook dumps. It affects Linux kernels using nf_tables flowtables and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Error paths are rare, typically triggered by reaching the maximum number of hooks, hardware offload failures, or late-stage EEXIST checks for device hooks.
A local attacker with low privileges can exploit this vulnerability by triggering the affected error path in nf_tables flowtable setup. Once exposed, the freed flowtable can be accessed via registered hooks in the packet processing or nfnetlink paths, potentially leading to high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution or system crashes.
Mitigation involves applying the upstream kernel patches, available as the following stable commits:
- https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060
- https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065
- https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd
- https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8
- https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce
These patches add a synchronize_rcu() call on the error path after the hooks are unregistered. The commit message also notes that the hook parser can be updated to perform the device-hook check earlier, so that this error path is exercised even less often.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15393
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: release flowtable after rcu grace period on error
Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane. This error path is rare, it should only happen by reaching the maximum number of hooks or by failing to set up to hardware offload, just call synchronize_rcu(). There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier so this error path really becomes rarely exercised. Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local UAF in kernel nf_tables enables direct exploitation for privilege escalation to root via crafted flowtable error paths.
Mitigating Controls (NIST 800-53 r5)
Mandates prompt identification, reporting, and correction of system flaws, directly mitigating this use-after-free vulnerability through application of the upstream kernel patches.
Requires secure handling of errors and exceptions, addressing the deficient error path in nf_tables flowtable release that fails to synchronize RCU before freeing.
Provides safeguards such as address space randomization and non-executable memory to limit exploitation impact of kernel use-after-free vulnerabilities.