Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Linux Kernel: Chain Deletion Can Cause Data Loss
CVE-2026-23231
Summary
A bug was fixed in the Linux kernel that could cause data loss when a network chain is deleted. This could happen when a network dump or packet processing is in progress, and could lead to unexpected behavior. Linux kernel updates should be applied to ensure this issue is resolved.
Original title
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
...
Original description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
- https://git.kernel.org/stable/c/2a6586ecfa4ce1413daaafee250d2590e05f1a33
- https://git.kernel.org/stable/c/2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b
- https://git.kernel.org/stable/c/7017745068a9068904e1e7a1b170a5785647cc81
- https://git.kernel.org/stable/c/71e99ee20fc3f662555118cf1159443250647533
- https://git.kernel.org/stable/c/dbd0af8083dd201f07c49110b2ee93710abdff28
- https://git.kernel.org/stable/c/f3fe58ce37926a10115ede527d59b91bcc05400a
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026