CVE-2026-23412
Published: 02 April 2026
Summary
CVE-2026-23412 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, reporting, and timely remediation of the use-after-free flaw in the Linux kernel netfilter BPF subsystem through patch application.
Provides memory protection safeguards like address space layout randomization and data execution prevention to mitigate exploitation of the use-after-free condition.
Requires vulnerability scanning and monitoring to identify systems vulnerable to CVE-2026-23412 for prompt flaw remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free in kernel netfilter allows direct exploitation for privilege escalation to kernel-level code execution.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: defer hook memory release until rcu readers are done Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks: BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 Read of…
more
size 8 at addr ffff888003edbf88 by task poc/79 Call Trace: <TASK> nfnl_hook_dump_one.isra.0+0xe71/0x10f0 netlink_dump+0x554/0x12b0 nfnl_hook_get+0x176/0x230 [..] Defer release until after concurrent readers have completed.
Deeper analysisAI
CVE-2026-23412 is a use-after-free vulnerability in the Linux kernel's netfilter BPF subsystem. It occurs during concurrent operations where one process dumps netfilter hooks via nfnetlink_hooks, leading to a slab-use-after-free detected by KASAN in the nfnl_hook_dump_one function. The issue stems from premature memory release of hooks before RCU readers complete, affecting Linux kernel versions prior to the application of the fixing commits.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel crashes, data corruption, or potential arbitrary code execution due to the use-after-free condition (CVSS 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; CWE-416).
Mitigation involves applying the upstream kernel patches, which defer hook memory release until after concurrent RCU readers have finished. Relevant stable backports are available in the following commits: 24f90fa3994b992d1a09003a3db2599330a5232a, 54244d54a971c26a0cd0a9073460ff71f3c51b32, c25e0dec366ae99b7264324ce3c7cbaea34691f9, cb2bf5efdb02a2a59faf603604a1066e8266f349, and d016c216bc75c45128160593a77b864a04dbe7c0.
Details
- CWE(s)