Security Vulnerability Report
CVE-2026-23272 CVSS 7.8 HIGH

CVE-2026-23272

Published: 2026-03-20 09:16:13
Last Modified: 2026-04-02 15:16:28
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unconditionally bump set->nelems before insertion

In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already.

To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state.

As for element updates, decrement set->nelems to restore it.

A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.
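The ordering change the description explains can be seen in a small userland model. The C program below is an added example written for this page; it is not kernel source and not code from the CVE record. Its set, batch and transaction structures and the CAPACITY limit are constructed stand-ins for an nf_tables set, grace_period() is a placeholder for an RCU grace period, and readers are not simulated: the model only records whether an element that was already published gets freed with no grace period in between. insert_before follows the pre-fix order (publish, then hit the limit and remove at once); insert_after bumps nelems before insertion, keeps the transaction with a set_full flag while reporting -ENFILE, decrements the counter again for element updates, and leaves removal to batch_abort.

```c
/* Added model (not kernel code) of the ordering bug and fix described in the CVE
 * text. Structures, names and CAPACITY are constructed; readers are not simulated,
 * only whether a published element is later freed with no grace period between. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#define CAPACITY 2   /* set size limit, like "size 2" on an nft set */
#define SLOTS    8   /* backing storage for the model */

struct elem    { int key; bool published; };
struct set     { size_t nelems; size_t used; struct elem slot[SLOTS]; };
struct trans   { struct elem *e; bool set_full; bool update; };
struct batch   { struct trans log[SLOTS]; size_t n; };
struct outcome { int rc; int update_rc; size_t nelems; unsigned unsafe_frees; };

static unsigned freed_without_grace;    /* the bug's signature, counted */
static void grace_period(void) {}       /* stand-in for an RCU grace period */

static void free_elem(struct elem *e, bool after_grace)
{
    if (e->published && !after_grace) freed_without_grace++;
    e->published = false;
}

static struct elem *lookup(struct set *s, int key)
{
    for (size_t i = 0; i < s->used; i++)
        if (s->slot[i].published && s->slot[i].key == key) return &s->slot[i];
    return NULL;
}

/* Pre-fix order: publish first, then check the limit and remove at once. */
static int insert_before(struct set *s, int key)
{
    if (lookup(s, key)) return -EEXIST;
    if (s->used == SLOTS) return -ENOMEM;
    struct elem *e = &s->slot[s->used++];
    *e = (struct elem){ key, true };    /* published: a reader may walk it now */
    if (s->nelems >= CAPACITY) {
        free_elem(e, false);            /* removed with no grace period */
        return -ENFILE;
    }
    s->nelems++;
    return 0;
}

/* Fixed order: bump nelems before insertion, keep the transaction even when the
 * set is full (set_full, -ENFILE), restore nelems for updates, abort removes. */
static int insert_after(struct set *s, struct batch *b, int key)
{
    if (b->n == SLOTS) return -ENOSPC;
    struct trans *t = &b->log[b->n];
    *t = (struct trans){0};
    s->nelems++;                        /* unconditional bump */
    struct elem *existing = lookup(s, key);
    if (existing) {                     /* element update: restore nelems */
        s->nelems--;
        t->e = existing; t->update = true; b->n++;
        return 0;
    }
    if (s->used == SLOTS) { s->nelems--; return -ENOMEM; }
    struct elem *e = &s->slot[s->used++];
    *e = (struct elem){ key, true };
    t->e = e; b->n++;
    if (s->nelems > CAPACITY) {
        t->set_full = true;             /* batch_abort will unwind this one */
        return -ENFILE;
    }
    return 0;
}

/* Abort path: deactivate new elements, wait a grace period, then free them. */
static void batch_abort(struct set *s, struct batch *b)
{
    for (size_t i = 0; i < b->n; i++) {
        if (b->log[i].update) continue;
        b->log[i].e->published = false; /* invisible to new readers */
        s->nelems--;                    /* undo the bump */
    }
    grace_period();                     /* let in-flight readers finish */
    for (size_t i = 0; i < b->n; i++)
        if (!b->log[i].update) free_elem(b->log[i].e, true);
    b->n = 0;
}

/* Fill and commit a set, then in one batch update a key and add one more. */
static struct outcome run_scenario(bool fixed)
{
    struct set s = {0}; struct batch b = {0};
    freed_without_grace = 0;
    for (int k = 1; k <= CAPACITY; k++) {
        if (fixed) insert_after(&s, &b, k); else insert_before(&s, k);
    }
    b.n = 0;                            /* the fill batch committed */
    int update_rc = fixed ? insert_after(&s, &b, 1) : insert_before(&s, 1);
    int rc = fixed ? insert_after(&s, &b, 99) : insert_before(&s, 99);
    if (fixed && rc == -ENFILE) batch_abort(&s, &b);
    return (struct outcome){ rc, update_rc, s.nelems, freed_without_grace };
}
```

run_scenario(false) reports -ENFILE for the extra element and one element freed while it could still be held by a reader; run_scenario(true) reports the same -ENFILE, but the unwind happens in batch_abort after grace_period(), so the counter stays at zero, the update of an existing key returns 0, and nelems is back at CAPACITY once the batch is aborted.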

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (versions before the specific fixing commit)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * Conceptual Proof of Concept for CVE-2026-23272
 * Triggering UAF in nf_tables by filling a set.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// This is a simplified representation. Actual exploitation requires Netlink communication.
int main(int argc, char **argv)
{
    printf("[+] CVE-2026-23272 PoC Start\n");

    // Step 1: Create a table and a set with a specific size limit (e.g., size 1)
    // system("nft add table ip poc_table");
    // system("nft add set ip poc_table poc_set { type ipv4_addr; size 1; }");

    // Step 2: Fill the set to its limit
    // system("nft add element ip poc_table poc_set { 192.168.1.1 }");

    printf("[*] Attempting to trigger race condition by adding element to full set...\n");

    // Step 3: Loop to add an element to the full set.
    // This triggers the publish -> remove (without RCU grace) path.
    // Concurrent RCU readers might crash.
    for (int i = 0; i < 1000; i++) {
        // system("nft add element ip poc_table poc_set { 10.0.0.1 }");
        // In a real exploit, threading is used to ensure RCU reader is active during removal.
    }

    printf("[-] PoC finished. Check kernel logs for crashes.\n");
    return 0;
}

References

https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c
https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21
https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23272", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-20T09:16:12.700", "lastModified": "2026-04-02T15:16:28.417", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set->nelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set->nelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: nf_tables: incrementar incondicionalmente set-&gt;nelems antes de la inserción\n\nEn caso de que el conjunto esté lleno, se publica un nuevo elemento que luego se elimina sin esperar el período de gracia de RCU, mientras que un lector de RCU ya puede estar recorriéndolo.\n\nPara abordar este problema, añadir la transacción del elemento incluso si el conjunto está lleno, pero alternar la bandera set_full para informar -ENFILE de modo que la ruta de aborto deshaga de forma segura el conjunto a su estado anterior.\n\nEn cuanto a las actualizaciones de elementos, decrementar set-&gt;nelems para restaurarlo.\n\nUna solución más simple es llamar a synchronize_rcu() en la ruta de error.\nSin embargo, con un gran lote añadiendo elementos a un conjunto ya agotado, esto podría causar una ralentización notable de dichos lotes."}], "metrics": {"cvssMetricV31": 
[{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}