CVE-2026-23139 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: update last_gc only when GC has been performed

Currently last_gc is being updated everytime a new connection is tracked, that means that it is updated even if a GC wasn't performed. With a sufficiently high packet rate, it is possible to always bypass the GC, causing the list to grow infinitely.

Update the last_gc value only when a GC has been actually performed.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/18/2026

The vulnerability identified as CVE-2026-23139 resides within the Linux kernel's netfilter subsystem, specifically affecting the nf_conncount module responsible for connection tracking. This issue represents a critical resource management flaw that can lead to system instability and potential denial of service conditions. The vulnerability manifests in the improper handling of garbage collection operations within the connection tracking mechanism, creating a scenario where system resources can be exhausted through sustained high packet throughput. The flaw directly impacts the kernel's ability to maintain efficient connection tracking tables, which are fundamental to network packet processing and firewall operations.

The technical root cause of this vulnerability stems from the incorrect update of the last_gc timestamp variable within the nf_conncount implementation. The module maintains a record of when the last garbage collection operation occurred, but the current implementation updates this timestamp regardless of whether actual garbage collection has taken place. This design flaw creates a logical inconsistency where the system believes garbage collection has occurred even when it has not, leading to a cascade of improper resource management decisions. When the system processes high volumes of network packets, this incorrect timestamping prevents the garbage collection mechanism from functioning properly, as the system never actually performs the necessary cleanup operations to remove stale connection entries.

The operational impact of this vulnerability becomes particularly severe under sustained high packet rate conditions, where the connection tracking table can grow indefinitely without proper cleanup. This condition results in memory exhaustion and system performance degradation, as the kernel's connection tracking subsystem becomes overwhelmed with stale entries that should have been removed during regular garbage collection cycles. The infinite growth of connection tracking lists can eventually lead to complete system instability, requiring manual intervention or system reboot to restore normal operations. Network services may become unresponsive or fail entirely, affecting the availability of critical infrastructure components that depend on proper connection tracking functionality.

From a cybersecurity perspective, this vulnerability aligns with CWE-691, which addresses insufficient cleanup and improper resource management in security-critical systems. The flaw represents a classic case of resource exhaustion that could be exploited by attackers to perform denial of service attacks against network infrastructure. The vulnerability also maps to ATT&CK technique T1499.004, which covers network disruption through resource exhaustion attacks. The improper handling of connection tracking garbage collection creates a persistent condition that can be maintained indefinitely, making it particularly dangerous in environments where continuous network traffic is expected. Organizations implementing network security solutions that rely on kernel-based connection tracking mechanisms face significant risk from this vulnerability, as it can undermine the fundamental security and operational integrity of their network defenses.

The recommended mitigation strategy involves applying the kernel patch that ensures the last_gc timestamp is updated only when actual garbage collection operations occur. This fix addresses the logical inconsistency in the connection tracking subsystem and restores proper resource management behavior. System administrators should prioritize applying this update across all affected kernel versions, particularly in environments handling high packet volumes or critical network services. Monitoring systems should be implemented to detect unusual connection tracking table growth patterns, providing early warning of potential exploitation attempts. Additionally, network administrators should consider implementing rate limiting and connection tracking limits as additional defensive measures to prevent exploitation of this vulnerability through sustained high-volume packet flows.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00327

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!