Use-after-free in Linux kernel - CVE-2026-23458
Published: April 6, 2026
Vulnerability identifier: #VU124913
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23458
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in ctnetlink_dump_exp_ct() and ctnetlink_exp_ct_dump_table() when handling multi-round netlink dump requests. A local user can trigger a netlink dump that spans multiple recvmsg() calls to cause a denial of service.
The issue occurs because a conntrack pointer stored in callback data is dereferenced after its reference is dropped, and the second dump round can access the freed object via nfct_help(ct). The proof of concept shows a slab-use-after-free read detected by KASAN.
How to mitigate CVE-2026-23458
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56
- https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a
- https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57
- https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8
- https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9
- https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390