CVE-2026-31665
Published: 24 April 2026
Summary
CVE-2026-31665 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation (SI-2) directly addresses the use-after-free in nft_ct_timeout_obj_destroy() by mandating the kernel patch that replaces kfree() with kfree_rcu().
Least functionality (CM-7) restricts or prohibits unneeded nftables/netfilter nft_ct features, so that vulnerable timeout objects are never created and destroyed on the host.
Memory protection mechanisms such as kernel ASLR and related safeguards reduce the likelihood that the concurrent RCU-reference use-after-free can be turned into a successful exploit.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free in netfilter directly enables arbitrary code execution for privilege escalation (T1068) or a deliberate system crash for denial of service (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: fix use-after-free in timeout object destroy

nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data().

Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c.

KASAN report:
BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
Read of size 4 at addr ffff8881035fe19c by task exploit/80
Call Trace:
 nf_conntrack_tcp_packet+0x1381/0x29d0
 nf_conntrack_in+0x612/0x8b0
 nf_hook_slow+0x70/0x100
 __ip_local_out+0x1b2/0x210
 tcp_sendmsg_locked+0x722/0x1580
 __sys_sendto+0x2d8/0x320
Allocated by task 75:
 nft_ct_timeout_obj_init+0xf6/0x290
 nft_obj_init+0x107/0x1b0
 nf_tables_newobj+0x680/0x9c0
 nfnetlink_rcv_batch+0xc29/0xe00
Freed by task 26:
 nft_obj_destroy+0x3f/0xa0
 nf_tables_trans_destroy_work+0x51c/0x5c0
 process_one_work+0x2c4/0x5a0
Deeper analysis
CVE-2026-31665 is a use-after-free vulnerability in the Linux kernel's netfilter nft_ct subsystem. The issue arises in nft_ct_timeout_obj_destroy(), which calls kfree() on a timeout object immediately after nf_ct_untimeout(), without waiting for an RCU grace period. This allows concurrent packet processing on other CPUs to retain RCU-protected references to the freed object, obtained via rcu_dereference() in nf_ct_timeout_data(). A KASAN report confirms the use-after-free during nf_conntrack_tcp_packet, triggered in the call chain from tcp_sendmsg_locked and __sys_sendto.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability. By initializing and destroying nft_ct timeout objects via nf_tables_newobj and nf_tables_trans_destroy_work, while simultaneously processing packets through nf_conntrack_in and nf_hook_slow, the attacker can access the freed memory. The CVSS v3.1 base score of 7.8 (C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability, potentially enabling code execution or denial of service.
Mitigation requires updating to patched Linux kernel versions, as detailed in the referenced stable branch commits. These patches add an rcu_head to struct nf_ct_timeout and replace kfree() with kfree_rcu() to defer freeing until after an RCU grace period, aligning with the handling in nfnetlink_cttimeout.c.
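As an added illustration (not code from the kernel or from this advisory), the following user-space C model emulates the RCU grace period with a reader counter and a deferred-free queue, so the kfree() versus kfree_rcu() difference in nft_ct_timeout_obj_destroy() can be exercised without threads. All model_* names, the reader-counter emulation, the poisoning in place of a real free and the 432000-second sample value are assumptions of this example.

```c
#include <stdlib.h>

#define POISON 0xdeadbeefu            /* models slab/KASAN poisoning of freed memory */
#define TCP_ESTABLISHED_SECS 432000u  /* constructed sample timeout value (assumption) */
/* Mirrors the shape of struct nf_ct_timeout after the fix: timeout data plus an rcu_head. */
struct nf_ct_timeout {
    unsigned int data;                /* what conntrack reads through nf_ct_timeout_data() */
    struct nf_ct_timeout *rcu_next;   /* stands in for struct rcu_head */
};
static int rcu_readers;                        /* open rcu_read_lock() sections across all CPUs */
static struct nf_ct_timeout *rcu_deferred;     /* kfree_rcu() queue, emptied after a grace period */
static struct nf_ct_timeout *template_timeout; /* the RCU-protected pointer the packet path reads */

/* Poison instead of releasing memory so that a late read stays observable. */
static void model_kfree(struct nf_ct_timeout *t) { t->data = POISON; }
/* Queue the object; it is freed only once every reader that could still hold it has exited. */
static void model_kfree_rcu(struct nf_ct_timeout *t) { t->rcu_next = rcu_deferred; rcu_deferred = t; }
static void model_rcu_read_unlock(void)
{
    if (--rcu_readers > 0)
        return;
    while (rcu_deferred) {            /* grace period complete: run the deferred frees */
        struct nf_ct_timeout *t = rcu_deferred;
        rcu_deferred = t->rcu_next;
        model_kfree(t);
    }
}
/* nft_ct_timeout_obj_destroy(): untimeout, then free. 'fixed' selects kfree_rcu() over kfree(). */
static void model_nft_ct_timeout_obj_destroy(struct nf_ct_timeout *t, int fixed)
{
    template_timeout = NULL;          /* nf_ct_untimeout(): unpublish the pointer */
    if (fixed) model_kfree_rcu(t); else model_kfree(t);
}

/* The interleaving from the advisory: one CPU holds an RCU reference in the packet path while the
 * nf_tables transaction work on another CPU destroys the object. Returns the value the reader saw. */
unsigned int observe_timeout_after_destroy(int fixed)
{
    struct nf_ct_timeout *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->data = TCP_ESTABLISHED_SECS; template_timeout = t;
    rcu_readers++;                                 /* CPU A: rcu_read_lock() around nf_conntrack_in() */
    struct nf_ct_timeout *ref = template_timeout;  /* CPU A: rcu_dereference() in nf_ct_timeout_data() */
    model_nft_ct_timeout_obj_destroy(t, fixed);    /* CPU B: nft_obj_destroy() via nf_tables_trans_destroy_work() */
    unsigned int seen = ref->data;                 /* CPU A: nf_conntrack_tcp_packet() consumes the timeout */
    model_rcu_read_unlock();                       /* CPU A leaves its read-side critical section */
    free(t);
    return seen;
}
```

With `fixed` set to 0 the reader observes poisoned memory, which is the condition KASAN flagged as a slab-use-after-free; with `fixed` set to 1 the object survives until the reader's critical section ends and the reader sees the original timeout value.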
Details
- CWE(s)