CVE-2026-23278 in Linux

Summary

by MITRE • 03/20/2026

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: always walk all pending catchall elements

During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch.

If the map holding the catchall elements is also going away, it's required to toggle all catchall elements and not just the first viable candidate.

Otherwise, we get:

WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
[..]
__nft_set_elem_destroy+0x106/0x380 [nf_tables]
nf_tables_abort_release+0x348/0x8d0 [nf_tables]
nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
nfnetlink_rcv_batch+0x9c9/0x20e0 [..]


Analysis

by VulDB Data Team • 05/23/2026

The vulnerability CVE-2026-23278 affects the Linux kernel's netfilter subsystem, specifically within the nf_tables framework that manages packet filtering and classification rules. This issue arises during transaction processing when multiple catchall elements exist simultaneously within the same map structure. The problem manifests when a map containing catchall elements is being removed or modified, creating a scenario where both a live catchall element and a pending catchall element from a new batch coexist. The kernel's handling of these elements becomes inconsistent, leading to improper memory management and potential system instability.

The technical flaw stems from an incomplete iteration mechanism within the nf_tables subsystem that fails to properly process all pending catchall elements during transaction abort operations. When the system attempts to release resources associated with catchall elements, it only processes the first viable candidate instead of walking through all pending elements that require toggling. This oversight occurs in the nft_data_release function which is part of the nf_tables kernel module, as evidenced by the stack trace showing the execution path through __nft_set_elem_destroy and nf_tables_abort_release functions. The issue directly relates to CWE-129, which addresses improper validation of array indices, and CWE-457, concerning use of uninitialized variables, as the improper element handling can lead to accessing freed memory or uninitialized data structures.

The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation or denial of service conditions within network filtering operations. Attackers could exploit this weakness by crafting specific netfilter transactions that manipulate catchall element states during map modifications, potentially causing kernel oopses, system crashes, or more severe memory corruption that could be leveraged for privilege escalation. The vulnerability affects systems heavily reliant on netfilter for packet filtering, particularly those using complex rule sets with catchall elements, making it a significant concern for network security appliances, firewalls, and systems implementing sophisticated packet classification policies. The issue demonstrates a failure in proper resource management during transaction abort scenarios, which aligns with ATT&CK technique T1068, involving privilege escalation through local exploitation of kernel vulnerabilities.

Mitigation strategies should focus on applying the kernel patch that ensures all pending catchall elements are properly walked and toggled during transaction processing. System administrators should prioritize updating their kernel versions to include the fix, particularly in environments where netfilter is extensively used for security policy enforcement. Additionally, monitoring for kernel warning messages related to nft_data_release and nf_tables operations can help detect potential exploitation attempts. The fix implements a comprehensive iteration mechanism that properly handles all catchall elements regardless of their state or the map's lifecycle, preventing the incomplete resource cleanup that leads to the kernel crash. Organizations should also consider implementing network segmentation and monitoring to limit the attack surface, as the vulnerability primarily affects systems with active netfilter configurations that process complex packet filtering rules.
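The commit message in the summary and the analysis above both describe the same defect class: a cleanup walk that stops at the first viable catchall element while the map that owns them is being removed, so that a second, still-pending element is later released by the wrong path and trips the reference-count warning in nft_data_release. The following C program is an added illustration of that pattern and is not the kernel's code; the structures, function names (`deactivate_catchall_first_only`, `deactivate_catchall_all`, `abort_transaction`, `run_scenario`) and the two-phase abort model are assumptions chosen to make the double release visible, not a reproduction of nf_tables internals.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model (not the kernel's nft_set_elem_catchall): each
 * catchall element holds one reference to a data object that must be
 * released exactly once when the transaction is aborted. */
#define MAX_CATCHALL 4

struct data_ref {
    int refcnt;
};

struct catchall_elem {
    bool pending;          /* queued by the batch being aborted */
    bool dead;             /* marked as going away together with the map */
    struct data_ref *data;
};

struct set_model {
    struct catchall_elem elems[MAX_CATCHALL];
    int nelems;
};

/* Stand-in for the WARN_ON in nft_data_release: releasing an object whose
 * count is already zero is a bug. Returns 1 when the warning would fire. */
static int data_release(struct data_ref *d)
{
    if (d->refcnt <= 0)
        return 1;
    d->refcnt--;
    return 0;
}

/* Buggy walk: marks only the first candidate and stops, so a second
 * pending catchall element keeps its old state. */
static void deactivate_catchall_first_only(struct set_model *s)
{
    for (int i = 0; i < s->nelems; i++) {
        if (!s->elems[i].dead) {
            s->elems[i].dead = true;
            return;          /* the defect: early exit after one element */
        }
    }
}

/* Fixed walk: every catchall element is toggled with the map. */
static void deactivate_catchall_all(struct set_model *s)
{
    for (int i = 0; i < s->nelems; i++)
        s->elems[i].dead = true;
}

/* Abort path (assumed two-phase model). Phase 1 tears down each pending
 * element that the map removal did not claim; phase 2 destroys the map and
 * releases every element it owns. Returns the number of warnings hit. */
static int abort_transaction(struct set_model *s)
{
    int warnings = 0;

    for (int i = 0; i < s->nelems; i++)
        if (s->elems[i].pending && !s->elems[i].dead)
            warnings += data_release(s->elems[i].data);

    for (int i = 0; i < s->nelems; i++)
        warnings += data_release(s->elems[i].data);

    return warnings;
}

/* Constructed scenario from the commit message: one live catchall element
 * plus one pending element from the new batch, in a map that is going away.
 * Returns how many refcount warnings the abort produced. */
int run_scenario(bool use_fixed_walk)
{
    struct data_ref live_data = { .refcnt = 1 };
    struct data_ref pending_data = { .refcnt = 1 };
    struct set_model s = {
        .elems = {
            { .pending = false, .dead = false, .data = &live_data },
            { .pending = true,  .dead = false, .data = &pending_data },
        },
        .nelems = 2,
    };

    if (use_fixed_walk)
        deactivate_catchall_all(&s);
    else
        deactivate_catchall_first_only(&s);

    return abort_transaction(&s);
}

int main(void)
{
    printf("first-only walk: %d warning(s)\n", run_scenario(false));
    printf("walk-all fix:    %d warning(s)\n", run_scenario(true));
    return 0;
}
```

With the early-exit walk the pending element is released once by the element path and again by the map teardown, which is the double release the warning guards against; once every element is toggled, each reference is dropped exactly once and the abort completes cleanly.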

Responsible: Linux

Reservation: 01/13/2026

Disclosure: 03/20/2026

Moderation: accepted

CPE: ready

EPSS: 0.00018

KEV: no

Activities: very low
