Cyber Resilience

CVE-2026-23412

High

Published: 02 April 2026

Published
02 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23412 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23412 is a use-after-free vulnerability in the Linux kernel's netfilter BPF subsystem. It occurs during concurrent operations where one process dumps netfilter hooks via nfnetlink_hooks, leading to a slab-use-after-free detected by KASAN in the nfnl_hook_dump_one function. The issue stems from premature memory release of hooks before RCU readers complete, affecting Linux kernel versions prior to the application of the fixing commits.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel crashes, data corruption, or potential arbitrary code execution due to the use-after-free condition (CVSS 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; CWE-416).

Mitigation involves applying the upstream kernel patches, which defer hook memory release until after concurrent RCU readers have finished. Relevant stable backports are available in the following commits: 24f90fa3994b992d1a09003a3db2599330a5232a, 54244d54a971c26a0cd0a9073460ff71f3c51b32, c25e0dec366ae99b7264324ce3c7cbaea34691f9, cb2bf5efdb02a2a59faf603604a1066e8266f349, and d016c216bc75c45128160593a77b864a04dbe7c0.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: defer hook memory release until rcu readers are done Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks: BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 Read of…

more

size 8 at addr ffff888003edbf88 by task poc/79 Call Trace: <TASK> nfnl_hook_dump_one.isra.0+0xe71/0x10f0 netlink_dump+0x554/0x12b0 nfnl_hook_get+0x176/0x230 [..] Defer release until after concurrent readers have completed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local use-after-free in kernel netfilter allows direct exploitation for privilege escalation to kernel-level code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.4, 7.0 · 6.4.1 — 6.6.130 · 6.7 — 6.12.78 · 6.13 — 6.18.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identification, reporting, and timely remediation of the use-after-free flaw in the Linux kernel netfilter BPF subsystem through patch application.

prevent

Provides memory protection safeguards like address space layout randomization and data execution prevention to mitigate exploitation of the use-after-free condition.

detect

Requires vulnerability scanning and monitoring to identify systems vulnerable to CVE-2026-23412 for prompt flaw remediation.

References