#VU124449 Resource exhaustion in Linux kernel - CVE-2026-23391
Published: March 25, 2026
Vulnerability identifier: #VU124449
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23391
CWE-ID: CWE-400
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the netfilter xt_CT module when handling packet queueing. A local user can trigger the queuing of packets that reference templates, which, upon removal of the template, are not properly flushed, leading to resource exhaustion and system instability.
Templates such as connection tracking helpers or timeout policies may be removed during module unloading or via nfnetlink_cttimeout, leaving packets enqueued without valid references.
Remediation
Install security update from vendor's repository.
External links
- https://git.kernel.org/stable/c/19a230dec6bb8928e3f96387f9085cf2c79bcef9
- https://git.kernel.org/stable/c/63b8097cea1923fe82cd598068d0796da8c015ec
- https://git.kernel.org/stable/c/777d02efe3d630cca4c1b63962cec17c57711325
- https://git.kernel.org/stable/c/cb549925875fa06dd155e49db4ac2c5044c30f9c
- https://git.kernel.org/stable/c/d2d0bae0c9a2a17b6990a2966f5cdce0813d6256
- https://git.kernel.org/stable/c/f62a218a946b19bb59abdd5361da85fa4606b96b